
How the CIA Might Target Apple's XCode - mikegerwitz
https://www.schneier.com/blog/archives/2015/03/how_the_cia_mig.html
======
quackerhacker
The article is very short and vague...just go to the direct link it is
referring to: [https://firstlook.org/theintercept/2015/03/10/ispy-cia-campa...](https://firstlook.org/theintercept/2015/03/10/ispy-cia-campaign-steal-apples-secrets/)

I think this part is the most interesting: _by manipulating Xcode, the spies
could compromise the devices and private data of anyone with apps made by a
poisoned developer_

I know iOS allows us to block an app from utilizing data over cellular, I
guess the concern would then be on wifi networks.

------
xnull2guest
This has been released about Xcode - but it's likely that any major
development platform has been targeted, especially those for cellular phones.

As always you can never be certain, but assuming Android has also been
targeted would help to explain some odd bits compiled into things like the
Android Uber app [1]. My gut tells me that researchers ought to look at the
Apple version.

[1] [http://www.gironsec.com/blog/2014/11/what-the-hell-uber-unco...](http://www.gironsec.com/blog/2014/11/what-the-hell-uber-uncool-bro/)

------
us0r
Cause this is exactly what the US needs... another intelligence agency running
wild unchecked on the internet.

------
JCJoverTCP
I feel that if this was done, it was done 'over the wire', more or less on the
fly, and not by wholesale appstore replacement but by mitm of internet traffic
streams looking for xcode binary material and replacing it, or portions of it,
transparently.

------
stigi
Sorry to be the one... but it's "Xcode" with a lowercase "c".

~~~
frou_dh
I'm baffled why people post this kind of correction on aggregators and not the
article's own comment form. It's like mumbling while reading a newspaper on
public transport.

------
coldcode
Unless they can force me to download XCode from someone other than Apple, or
somehow hack Apple or force them to support this (not likely), this is a
pointless exercise. If you distrust all software that isn't open source and
validate it yourself, then I suppose anything is possible. I don't wear foil
hats though.

~~~
fit2rule
They've already demonstrated that they have the means to inject into a binary
stream, so unless Apple start encrypting everything - and I mean,
_everything_ - that happens between the App store and dragging the App into
/Applications,
there's little we can do to resolve this issue.

This is one of those cases where the betrayal of the NSA/GCHQ/Spy-Agencies-of-
the-5-eyes-nations is really obvious. We can no longer trust our developer
tools...

~~~
JonCox
Encrypting that entire process doesn't strike me as excessive, I kinda assumed
that was already how it's done anyway.

