Apple is to make Xcode available for local download from servers based in China as part of its response to the XcodeGhost malware issue. The announcement was made on the Chinese social media site Sina by Phil Schiller, Apple’s senior VP of worldwide marketing (via CNET). It’s believed that many Chinese developers inadvertently downloaded the fake version because the official download was taking too long.
“In the US it only needs 25 minutes to download,” Schiller told Sina, admitting that in China getting Xcode “may take three times as long.” He told the Chinese publication that, to quell this problem, Apple would be providing an official source for developers in the People’s Republic to download Xcode domestically.
Analysis of infected apps by security researchers appears to be revealing a mix of good and bad news …
The first good news is that there has been no suggestion that infected apps have been uploaded to any of Apple’s App Stores other than the one serving Greater China. This means that only those who downloaded apps in mainland China, Taiwan, Hong Kong or Macau are at risk.
Second, Phil Schiller’s statement that Apple has no evidence of infected apps getting access to user information has been backed by security researchers who have been analyzing the capabilities of infected apps. Analysis by Appthority (via ArsTechnica) revealed that the code has no ability to display login prompts or request text from users, meaning that it could not fool users into entering iCloud or other login credentials. The apps have the following capabilities, it said:
- Send requests to the server (using a fixed timer interval between requests)
- The request contains all kinds of device identifiers (like a typical tracking framework)
- The response can trigger different actions:
  - Shows an AppStore item within the app by using a SKStoreProductViewControllerDelegate
  - Showing an UIAlertView and show the AppStore view depending on which button was tapped
  - Open an URL
  - Sleeping for a given time
In other words, it could push users to particular websites, but could not emulate an iOS alert or login request. Those websites could, of course, imitate those of Apple or other companies and present login prompts there.
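The fixed-interval check-ins in the list above are something a network defender can look for in proxy logs. The following is an added example, not code from this article or from Appthority: it flags client/host pairs whose request gaps are nearly constant, using a median-based measure so that one long pause (the "sleeping" action) does not hide the timer. The log format, hostnames, addresses and thresholds are all assumptions.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample data (not real traffic): client, destination host, request times.
_FLOWS = [
    ("10.0.0.5", "beacon.example.invalid",   # ~15 s timer with one long "sleep" gap
     ["10:00:00", "10:00:15", "10:00:31", "10:00:46", "10:05:46", "10:06:00", "10:06:15"]),
    ("10.0.0.9", "news.example.invalid",     # irregular, human-driven browsing
     ["10:00:03", "10:00:09", "10:01:40", "10:01:44", "10:07:12", "10:07:13", "10:09:50"]),
    ("10.0.0.5", "cdn.example.invalid", ["10:02:00", "10:02:01"]),  # too few requests
]
SAMPLE_LOG = "\n".join(
    f"2015-09-21T{t} {client} {host}" for client, host, stamps in _FLOWS for t in stamps
)

def parse(log):
    """Group request timestamps by (client, host); one 'timestamp client host' per line."""
    flows = defaultdict(list)
    for line in log.strip().splitlines():
        ts, client, host = line.split()
        flows[(client, host)].append(datetime.fromisoformat(ts))
    return flows

def find_beacons(log, min_requests=6, max_jitter=0.1):
    """Return {(client, host): period_seconds} for flows with near-constant gaps."""
    hits = {}
    for key, times in parse(log).items():
        if len(times) < min_requests:
            continue  # not enough samples to judge regularity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        period = statistics.median(gaps)
        if period <= 0:
            continue
        # Median absolute deviation ignores a single outlier gap such as a sleep.
        mad = statistics.median([abs(g - period) for g in gaps])
        if mad / period <= max_jitter:
            hits[key] = period
    return hits

if __name__ == "__main__":
    for (client, host), period in find_beacons(SAMPLE_LOG).items():
        print(f"{client} -> {host}: periodic requests about every {period:.0f}s")
```

A hit only means the traffic is timer-driven; legitimate analytics frameworks also check in on a schedule, so flagged hosts still need review.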
The bad news is that the number of infected apps appears to be much higher than the number so far acknowledged by Apple. While Schiller says Apple will shortly release a list of 25 infected apps, security researchers have posted various estimates in the hundreds to thousands. It was reported yesterday that many compromised apps still remain in the App Store.
There seems to be agreement that the earliest infected apps have been in China’s App Store since April. Apple has issued advice to developers worldwide on validating their copy of Xcode, including a command line tool to verify the authenticity of the app.