Apple warns developers to verify XCode
Apple says developer tool should only be downloaded from official websites to avoid another malware attack
Apple is warning app developers to check their version of Xcode isn't counterfeit after malicious apps snuck into the App Store.
Xcode is Apple's integrated development environment (IDE) for making iOS and OS X apps. A piece of malware called XcodeGhost uses the IDE to infect apps without developers knowing, sitting in otherwise normal apps to steal data, such as your name or password. That attack is considered the first major successful App Store hack, though it is largely focused on the Chinese side of the market.
"We recently removed apps from the App Store that were built with a counterfeit version of Xcode which had the potential to cause harm to customers," the company admitted in a message to developers on its website.
Apple advised developers to always download Xcode directly from the Mac App Store or Apple Developer website, and to leave the Gatekeeper security tool enabled all the time.
The company explained that downloading Xcode from an official site means the code is verified and validated. If you got it from a different source - including a USB or over a local network - you can easily verify it using the instructions here.
If the application signature isn't verified, Apple said "you should download a clean copy of Xcode and recompile your apps before submitting them for review".
Apple head of marketing Phil Schiller told a Chinese news agency that the XcodeGhost malware was able to spread so widely in China because many developers there download the IDE program from locally hosted unofficial sites because it takes too long to get it from the US Apple sites, thanks to internet controls in the country. Apple will be setting up a locally hosted official download site to avoid the problem in the future.
Get the ITPro. daily newsletter
Receive our latest news, industry updates, featured resources and more. Sign up today to receive our FREE report on AI cyber crime & security - newly updated for 2024.
What should users do?
Security firm Lookout has issued a to-do list for any affected iPhone users.
If any of the infected apps - listed here - are on your phone, either update them to a fixed version or delete them immediately.
It's worth changing your Apple ID password, and if you've used the same credentials on other accounts, use a fresh one for those too.
More generally, be wary of suspicious emails or push notifications, especially those asking for personal information.
Apple has also said it will be alerting users if they downloaded an infected app.