Apple warns developers to verify XCode

Apple says developer tool should only be downloaded from official websites to avoid another malware attack

Apple is warning app developers to check their version of Xcode isn't counterfeit after malicious apps snuck into the App Store

Xcode is Apple's integrated development environment (IDE) for making iOS and OS X apps. A piece of malware called XcodeGhost uses the IDE to infect apps without developers knowing, sitting in otherwise normal apps to steal data, such as your name or password. That attack is considered the first major successful App Store hack, though it is largely focused on the Chinese side of the market. 

"We recently removed apps from the App Store that were built with a counterfeit version of Xcode which had the potential to cause harm to customers," the company admitted in a message to developers on its website

Apple advised developers to always download Xcode directly from the Mac App Store or Apple Developer website, and to leave the Gatekeeper security tool enabled all the time. 

The company explained that downloading Xcode from an official site means the code is verified and validated. If you got it from a different source - including a USB or over a local network - you can easily verify it using the instructions here.

If the application signature isn't verified, Apple said "you should download a clean copy of Xcode and recompile your apps before submitting them for review".

Apple head of marketing Phil Schiller told a Chinese news agency that the XcodeGhost malware was able to spread so widely in China because many developers there download the IDE program from locally hosted unofficial sites because it takes too long to get it from the US Apple sites, thanks to internet controls in the country. Apple will be setting up a locally hosted official download site to avoid the problem in the future.  

What should users do? 

Security firm Lookout has issued a to-do list for any affected iPhone users. 

If any of the infected apps - listed here - are on your phone, either update them to a fixed version or delete them immediately. 

It's worth changing your Apple ID password, and if you've used the same credentials on other accounts, use a fresh one for those too. 

More generally, be wary of suspicious emails or push notifications, especially those asking for personal information. 

Apple has also said it will be alerting users if they downloaded an infected app. 

Featured Resources

2021 Thales cloud security study

The challenges of cloud data protection and access management in a hybrid and multi cloud world

Free download

IDC agility assessment

The competitive advantage in adaptability

Free Download

Digital transformation insights from CIOs for CIOs

Transformation pilotes, co-pilots, and engineers

Free download

What ITDMs did next - and what they should be doing now

Enable continued collaboration and communication for hybrid workers

Recommended

MacBook Pro owners report MagSafe charging issues
Laptops

MacBook Pro owners report MagSafe charging issues

30 Nov 2021
Apple's mixed reality headset could debut in 2022
augmented reality (AR)

Apple's mixed reality headset could debut in 2022

29 Nov 2021
Apple sues NSO Group over Pegasus attacks on its customers
spyware

Apple sues NSO Group over Pegasus attacks on its customers

24 Nov 2021
Apple launches self-repair scheme for iPhones and Macs
Business strategy

Apple launches self-repair scheme for iPhones and Macs

18 Nov 2021

Most Popular

What should you really be asking about your remote access software?
Sponsored

What should you really be asking about your remote access software?

17 Nov 2021
Microsoft seizes domains used by Chinese hacking group
cyber attacks

Microsoft seizes domains used by Chinese hacking group

7 Dec 2021
Australia film archive gets $41.9 million to digitise audiovisual heritage
digitisation

Australia film archive gets $41.9 million to digitise audiovisual heritage

6 Dec 2021