
XcodeGhost Q&A - smaili
https://www.apple.com/cn/xcodeghost/#english
======
tptacek
Also see: https://sourcedna.com/blog/20150922/xcodeghost-lifecycle-in-app-store.html

(Nate analyzed a bazillion app store apps using his platform).

------
qubex
So basically it is the Ken Thompson Hack, the oldest and most devastating
subversion of trust known to programmer-kind.

[http://c2.com/cgi/wiki?TheKenThompsonHack](http://c2.com/cgi/wiki?TheKenThompsonHack)

~~~
halestock
It's an almost philosophical argument, but it's a great point. As soon as a
computer does anything that you can't physically, actually see, there's no way
to _prove_ that it went the way you thought it did.

This is why I think we can never have absolutely secure computerized voting.
No matter how much security you think you have in the form of code audits,
paper trails, open source code, at some point you're going to have to push a
button and trust that the electrical signals inside that magic box of a
computer are working the way you think they are.

~~~
strange_quark
But the same can be said for regular old voting. As soon as you drop your
ballot in the ballot box, you give up all control over your ballot. Whoever
ends up counting, moving, or recounting your ballot could change your vote,
throw out your ballot, or any number of other things.

------
wahsd
I still can't quite figure out the ramifications for American App Store users.
I used CamScanner, downloaded from the American App Store, which showed up on
the list. So what does that mean for me? Anything? Is uninstalling and
reinstalling all that needs to be done and there are no other repercussions?
I'm just really not sure I understand the limits or impact. Was this just a
Chinese App Store limited issue?

~~~
mikeash
It's not limited to Chinese App Stores. It was likely limited to apps from
Chinese developers. Nothing inherently limited it that way, but the way it was
spread (through Chinese downloads of Xcode) means others were unlikely to ever
be exposed. For affected developers, all apps they built before they ditched
their bad copy of Xcode would be infected, on all app stores where the app is
available.

However, the impact of the infection is pretty limited. It can throw up
alerts, open URLs, and do a couple of other things, but nothing particularly
bad. Part of this is because of iOS's strong sandboxing. There's only so much
malware _can_ do from within a third-party app. Part of this is because this
particular bit of malware just doesn't have a lot of functionality in it.

The good news is that the infection isn't persistent. If there's an update to
your app that's been built with a good copy of Xcode, you can install that
update and you're fine. You don't even need to uninstall first. If there
_isn't_ then you definitely shouldn't use that app until an update is
available. If you're paranoid you might uninstall it while you wait, but it
probably can't do anything in the background.

------
kowsik
'Reflections on Trusting Trust'
https://www.ece.cmu.edu/~ganger/712.fall02/papers/p761-thompson.pdf

------
epmatsw
Interesting that one of the most affected apps is a blatant copy of Angry
Birds 2: Angry Bird 2 - Yifeng Li’s Favorite*. It looks like they're even
using the actual icon.

~~~
mzs
Rovio worked with a Chinese firm and entertainer for marketing. It was quite
successful:

http://mobile.reuters.com/article/technologyNews/idUSKCN0QO27620150819

~~~
epmatsw
Wow, that's really interesting then. Pretty neat strategy.

------
ChuckMcM
I wondered how this was propagated, so basically if you download a hacked
version of xcode it installs malware in anything you build and upload to the
store.

~~~
Maultasche
From what I understand, access to official Apple websites from within China is
very slow, so people host mirrors of Apple software (like Xcode) for
developers within China to download.

One of these mirrors had an altered version of Xcode that Chinese developers
were downloading. One of these developers noticed strange behavior with one of
his apps. It was connecting to strange servers on the Internet when he hadn't
written the code to do so. This led to the discovery of malware in some
copies of Xcode floating around the Chinese portion of the Internet.

I imagine Apple will add some sort of tool verification step to help fix this
issue. Another way to help prevent this problem would be to host an official
mirror inside China, obviating the need to get Apple tools from unofficial
sources.
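
The pattern qubex and Maultasche describe above (a tampered toolchain that plants code in every app it builds, and the tool verification step that would catch it) as an added example; this is not code from the thread, from Apple, or from XcodeGhost itself. The "compiler" and its "binaries" are Python strings run with exec(), the `__exfil__` payload is a constructed stand-in for the injected reporting code, and the pinned digest stands in for a value obtained from the vendor rather than the mirror (an assumption; Gatekeeper's signature check, which klodolph raises below, is the real-world form of that step).

```python
"""Toy model of a tampered build tool, in the Ken Thompson pattern."""
import hashlib
import hmac

# Constructed sample programs. A "source" is a Python string and a compiled
# "binary" is also a Python string that we run with exec(); that is enough to
# show where the malicious code lives and where it does not.
APP_SRC = '''
def app(events):
    return ["handled:" + e for e in events]
'''

CLEAN_COMPILER_SRC = '''
def compile(src):
    # Honest compiler: emits the program exactly as written.
    return src
'''

# The trojan. It is appended to the compiler binary only; CLEAN_COMPILER_SRC
# never contains it, so auditing the compiler's source finds nothing. The
# payload line is a constructed stand-in for XcodeGhost's injected code.
# B must stay a raw string: the "\n" inside it belongs to the generated code.
B = r'''
def _trojan(compile):
    PAYLOAD = "    events = events + ['__exfil__']"
    def compile_(src):
        out = compile(src)
        lines = out.split("\n")
        for k, line in enumerate(lines):
            if line.startswith("def app("):
                # Infect the product: make the payload the app's first statement.
                lines.insert(k + 1, PAYLOAD)
                break
        out = "\n".join(lines)
        if "def compile(" in out:
            # Self-propagation: a compiler rebuilt from clean source with this
            # binary comes out carrying the trojan again.
            out = out + TROJAN
        return out
    return compile_
compile = _trojan(compile)
TROJAN = "B = %r\n" % B + B
'''
TROJAN = "B = %r\n" % B + B

CLEAN_XCODE = CLEAN_COMPILER_SRC              # a genuine toolchain binary
TAMPERED_XCODE = CLEAN_COMPILER_SRC + TROJAN  # what a bad mirror served


def run_compiler(binary: str):
    """'Execute' a compiler binary and return its compile() entry point."""
    ns = {}
    exec(binary, ns)
    return ns["compile"]


def build_with(compiler_binary: str, src: str) -> str:
    """Build a program with the given toolchain binary."""
    return run_compiler(compiler_binary)(src)


def run_app(app_binary: str, events):
    """'Execute' a built app and return what it did with its input."""
    ns = {}
    exec(app_binary, ns)
    return ns["app"](events)


def sha256_hex(data: str) -> str:
    return hashlib.sha256(data.encode()).hexdigest()


def toolchain_is_genuine(toolchain_binary: str, pinned_digest: str) -> bool:
    """The 'tool verification step': compare the toolchain you actually have
    against a digest obtained from the vendor, never from the mirror."""
    return hmac.compare_digest(sha256_hex(toolchain_binary), pinned_digest)


if __name__ == "__main__":
    good_app = build_with(CLEAN_XCODE, APP_SRC)
    bad_app = build_with(TAMPERED_XCODE, APP_SRC)
    print(run_app(good_app, ["tap"]))   # ['handled:tap']
    print(run_app(bad_app, ["tap"]))    # ['handled:tap', 'handled:__exfil__']
    rebuilt = build_with(TAMPERED_XCODE, CLEAN_COMPILER_SRC)
    print(rebuilt == TAMPERED_XCODE)    # True: the trojan survives a rebuild
    pinned = sha256_hex(CLEAN_XCODE)    # digest from the vendor (assumed)
    print(toolchain_is_genuine(TAMPERED_XCODE, pinned))  # False
```

The two checks at the end are the point: the app source and the compiler source are both clean, so no review of source can find the problem; only comparing the toolchain binary you actually ran against something the vendor vouches for (here a pinned digest, in Apple's case a code signature) tells the two toolchains apart.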

~~~
klodolph
Of course, it happens only with developers who turn Gatekeeper off. As
frustrated as some people are with Gatekeeper, this is exactly the kind of
thing that it is designed to protect against. I've never turned Gatekeeper off
on my Macs (nor UAC off on Windows).

~~~
mikeash
I think this illustrates the balance you have to strike to have an effective
security system. If you make it too annoying for legitimate use, you'll get
people to disable it so that it no longer protects them.

I don't know what the best answer is, but Gatekeeper could stand to be a
little less obstructive when the user legitimately trusts something that the
system doesn't know about.

Apple's answer will, sadly, probably be to make it impossible to disable.

~~~
rsy96
Shameless plug for my blog post on how the UX of Gatekeeper should be improved
https://rsy96.github.io/blogs/2015/09/20/gatekeeper-should-be-overhauled.html

------
mikemoka
So Apple users are supposed to be safe because Apple uses just static analysis
tools to review the apps before publishing?

~~~
epistasis
I don't think security is that simple, it's not a yes/no binary. There are
many directions of attack, and no single mechanism could ever stop them all.
In particular, static analysis tools don't catch much in the way of security.
Apple doesn't even see source code, so they can't even verify that code was
compiled with an Apple-approved compiler.

The biggest safety precaution against something like this is app sandboxing,
which severely limits the amount of damage that a malicious developer can do.

~~~
mikeash
Apple doesn't even really _try_ to do this sort of analysis. They do a quick
pass to check for private API usage and such, but otherwise app review is all
about checking presentation and functionality to make sure you comply with
Apple's rules, e.g. making sure you aren't exposing fully-functional web
access in a child-rated app, or mentioning the word "Android" anywhere.

This is a common misunderstanding, and it seems to be one that Apple is happy
to spread. Whenever the merits of app review are discussed, some people bring
up the security advantages of it. But the fact is, there are none, as
XcodeGhost demonstrates nicely. iOS's security is due entirely to the strict
sandboxing for third-party apps. App review just lets Apple control what kind
of content can be in the store.

------
JamesBaxter
I can't imagine Apple doing a Q&A like this 3 years ago.

------
dewey
English link:
[https://www.apple.com/cn/xcodeghost/#english](https://www.apple.com/cn/xcodeghost/#english)

~~~
dang
Thanks! Updated.

