Following the “largest compromise of the App Store ever,” Apple attempted damage control by providing further information for developers on how to verify their versions of Xcode.
Beyond downloading the software package directly from Apple, the company noted that the Gatekeeper feature should be left on to “protect against tampered software.” Gatekeeper automatically validates Xcode by default. However, to further verify a legitimate copy of the developer tool, a user can run a command in Terminal on a system. Again, this only works if Gatekeeper is enabled.
The command, spct—assess—verbose/Applications/Xcode.app, “performs the same checks that Gatekeeper uses to validate the code signatures of applications,” the company wrote.
The tool should then respond with an “accepted” statement. Anything other than that and the application signature isn't valid for Xcode.
“You should download a clean copy of Xcode and recompile your apps before submitting your apps,” Apple wrote.
Even still, many developers opt out of Gatekeeper because its validation checks take too long and are often burdensome when trying to create on a deadline, Sean Sullivan, security advisor at F-Secure, said in an interview with SCMagazine.com.
While the company continues to address this apparent threat, researchers are exploring the recent findings to see just how far this attack could reach.
FireEye, for example, tweeted that it identified 4,165 iOS apps impacted by XcodeGhost with nearly 1,000 still in the App Store.
Sullivan conducted his own research, as well, and said he identified multiple places online to download counterfeit Xcode.
Not just XcodeGhost… but also Unity3DGhost and Cocos2dGhost. And hints of Android as well. ~ Coming soon to a headline near you.
— Sean Sullivan (@5ean5ullivan) September 22, 2015
Beyond digging deeper into the already discovered incident, rumors swirled online about the CIA's possible involvement in the creation of XcodeGhost, primarily based on a report earlier this year that the secret agency spent years trying to break Apple's security.
One the methods specifically cited in secret documents was modifying Xcode to insert backdoors into apps or programs created with it.
“It could be that this [incident] is reviewed further, and it turns out to be some old project related to those documents,” Sullivan said. “Could be done for foreign intelligence work, which might be why we're seeing it in China.”
Whether it was the CIA, an anonymous malicious hacker or just a curious person looking to see if manipulating Xcode would effectively compromise the App Store, the incident stresses the importance of developers to value security and validate their code, as well as encouraging Apple to help developers get its tools more effectively.