Apple warns developers to verify Xcode

Apple says developer tool should only be downloaded from official websites to avoid another malware attack

Apple is warning app developers to check their version of Xcode isn't counterfeit after malicious apps snuck into the App Store.

Xcode is Apple's integrated development environment (IDE) for making iOS and OS X apps. A piece of malware called XcodeGhost uses the IDE to infect apps without developers knowing, sitting in otherwise normal apps to steal data, such as your name or password. That attack is considered the first major successful App Store hack, though it is largely focused on the Chinese side of the market. 

"We recently removed apps from the App Store that were built with a counterfeit version of Xcode which had the potential to cause harm to customers," the company admitted in a message to developers on its website.

Apple advised developers to always download Xcode directly from the Mac App Store or Apple Developer website, and to leave the Gatekeeper security tool enabled all the time. 

The company explained that downloading Xcode from an official site means the code is verified and validated. If you got it from a different source - including a USB or over a local network - you can easily verify it using the instructions here.

If the application signature isn't verified, Apple said "you should download a clean copy of Xcode and recompile your apps before submitting them for review".
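The check Apple describes can be scripted around Gatekeeper's `spctl --assess --verbose` command. The following is an added example, not code from Apple or from this article. The function names are hypothetical, and the list of accepted sources is an assumption based on Apple's published Xcode validation guidance, which the article links to but does not reproduce.

```shell
#!/bin/sh
# Added example: decide whether Gatekeeper's assessment of an Xcode bundle
# matches what a genuine copy reports. Function names are hypothetical.

# classify_spctl <app-path> <spctl-output>
# Prints "trusted" only if the verdict is "accepted" AND the source is one of
# the values assumed here for genuine Xcode; prints "untrusted" otherwise.
classify_spctl() {
    app=$1
    # spctl may print the verdict and the source on separate lines; join them.
    rest=$(printf '%s' "$2" | tr '\n' ' ')
    # Remove the exact "<path>: " prefix so that a bundle whose *name* contains
    # "accepted source=Apple" cannot fake a passing result.
    rest=${rest#"$app: "}
    rest=${rest% }
    case "$rest" in
        "accepted source=Mac App Store"|"accepted source=Apple"|"accepted source=Apple System")
            echo trusted ;;
        *)  # rejected, unsigned, or signed by anyone other than Apple
            echo untrusted ;;
    esac
}

# verify_xcode [app-path]: run Gatekeeper's assessment and classify the result.
verify_xcode() {
    app=${1:-/Applications/Xcode.app}
    # spctl writes its verdict to stderr and exits non-zero on rejection.
    out=$(spctl --assess --verbose "$app" 2>&1) || true
    [ "$(classify_spctl "$app" "$out")" = trusted ]
}

# Only run the real check where spctl exists (macOS).
if command -v spctl >/dev/null 2>&1; then
    if verify_xcode "${1:-/Applications/Xcode.app}"; then
        echo "Xcode signature verified"
    else
        echo "Not verified: download a clean copy of Xcode and recompile"
    fi
fi
```

An Xcode copy re-signed with a third-party Developer ID is still "accepted" by Gatekeeper, which is why the script checks the source as well as the verdict.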

Apple head of marketing Phil Schiller told a Chinese news agency that the XcodeGhost malware was able to spread so widely in China because many developers there download the IDE from locally hosted unofficial sites, as it takes too long to get it from the US Apple sites, thanks to internet controls in the country. Apple will be setting up a locally hosted official download site to avoid the problem in the future.

What should users do? 

Security firm Lookout has issued a to-do list for any affected iPhone users. 

If any of the infected apps - listed here - are on your phone, either update them to a fixed version or delete them immediately. 

It's worth changing your Apple ID password, and if you've used the same credentials on other accounts, use a fresh one for those too. 

More generally, be wary of suspicious emails or push notifications, especially those asking for personal information. 

Apple has also said it will be alerting users if they downloaded an infected app. 
