Friday, November 06, 2015

Inside XCodeGhost iOS threat: weaponising Apple’s application development software

Earlier this year, XCodeGhost was behind the infiltration of the official Apple App Store by malware-infected iOS apps. At the time it was pretty much exclusively a problem for users in China; that has changed, with XCodeGhost now also hitting Western targets including the US. If that wasn’t bad enough news, the same researchers also reckon that a worrying variant called XCodeGhost S (the S standing for stealth) has managed to infect iOS 9 apps. So what is XCodeGhost/XCodeGhost S, how does it work and what should you do to avoid becoming a victim? IT Security Thing has been digging through the data to find out.

Before we deal with the ‘what is XCodeGhost’ question, we need to establish what XCode is. The answer is pretty straightforward: XCode is a free integrated development environment (IDE) that comes with a host of development tools that make developing apps for iOS (and OS X, for that matter) as easy as possible. If you want to know precisely what is included, then pop over to the Apple developer site for the full skinny on the latest version.

What we are interested in, however, is a Trojanised version of the XCode IDE, which was made available for download through a popular Chinese cloud-based file-sharing service. Now you might be asking yourself why any developer in their right mind would think about downloading the IDE they are going to use to create apps for the iPhone from anywhere other than the official Apple source. It’s a pretty good question, and the answer highlights just how a lack of strategic security thinking can affect software from the earliest stages of the development process.