XcodeGhost attack tapped into dev distaste for Apple's Gatekeeper

In light of XcodeGhost, the number of malware-laden iOS apps is focusing attention on how developers were tricked into using dodgy code in the first place. The Xcode development tools used by iOS app makers were copied, modified and distributed online before (mainly) Chinese developers used the counterfeit code to compile apps …

  1. Someone Else Silver badge

    Searching for "Disable Gatekeeper" in the US turns up about 288,000 results on Google, and there are doubtless many thousands of results in regions where a $99 price tag for a "legitimate" developer credential is a significant cost for student and hobbyist programmers considered to be extortion.

    There, FTFY

    1. Adam T

      *cough*

      $99 is extortion? Don't make me laugh.

      Compared to the other software and services we have to pay for to support development, it's practically infinitesimal.

      1. Anonymous Coward

        Re: *cough*

        So a scheme to hoover up EUR 5 from unsuspecting punters' credit cards would not be theft, as compared to other heists it would be practically infinitesimal.

        Seriously, Apple can buy a few nuke reprocessing plants with their kind of money. Then USD 99 for a certificate? I hope it comes with a nail clipping of the Jobsiah!

        1. Adam T

          Re: *cough*

          It's not for a certificate, it's the whole backend raft of services. It doesn't matter how much money Apple have - if they made it free there'd be someone complaining it's anti-competitive or some such nonsense. Can't please anyone these days. Now pardon me while I renew my MSDN membership.

    2. Anonymous Coward

      Sure, it's an "extortion" after you wanted to buy a Mac (to develop with), an iPhone, and an iPad (to test with), all cheap stuff that really put you in the league of someone who can't afford the enormous expenses of $99 (about $8/month...)... frankly, I have hobbies that cost far more per year than that sum... just got a set of inks for my Canon Pixma Pro 10, they cost more, not talking about some of the papers to print on. And that's just a hobby, I don't sell prints.

      If you don't like to spend $99 there's always Linux or Android to develop for...

  2. Anonymous Coward

    Let me see...

    Should I pay $99 for a legit copy of a tool I need to make money, or should I go and find a ripped-off copy?

    Sorry, don't see why it's being implied that Apple's policy is the problem here. If you don't like it, don't use it.

    1. LosD

      Re: Let me see...

      I'm pretty sure it's more a case of the download size. If you ever tried downloading anything large from China, you'd understand. Local downloads are fast, anything from the west... Not so much.

      The wonders of the great firewall.

      1. Anonymous Coward

        Re: Let me see...

        I'm pretty sure it's a case of companies having far fewer developer accounts than actual developers...

        1. Blain Hamon

          Re: Let me see...

          The speed in downloading sounds more plausible. It's the actual 'upload to a device' and 'sell on app store' that costs $99. If you're a company, you have to provide information of being a company, and then it costs $99 total, and there is no per-seat charge. Besides, it's not the software that determines what's allowed, it's having an apple-signed certificate, so a dodgy Xcode won't help you there.

      2. RAMChYLD

        Re: Let me see...

        It's not only China, it's all of Asia.

        I'm in Malaysia. I recently had to download an XCode update. It was 3.2GB, and it took several hours even over a 20mbps FTTH line. I've already done speed tests, etc. Connection to all countries except Singapore is fine. But connection to Singapore gets throttled to an abysmal 2Mbps, often less.

        I also have a router that could show who's connecting where on the network. Guess where Apple is forcing the download to come from.

    2. Dan 55 Silver badge

      Re: Let me see...

      Xcode is free, the developer account which lets you upload to the App Store is $99.

    3. Ben Boyle

      Re: Let me see...

      And if you're a student or hobbyist you don't actually have to pay to download Xcode while you learn - you only need to pay the $99 when you want to submit your apps to the app store. Sell your app for $1 and you only need to punt 141 copies (allowing for the 30% apple tax) to break even...

    4. danny_0x98

      Re: Let me see...

      Xcode is available to any one at no charge.

      The $99 (and it was reduced from $99 per platform this year) means you may submit your applications to the App Store. Other changes this year: one will be able to put one's own iOS apps onto one's own mobile devices. I'll say about time for that, but still, this "Outrageous!" is a bit overplayed.

      Now, people who need Xcode downloaded in hours instead of days so as to build their commercial projects and so turn to third parties, when EVERYONE KNOWS THAT SOFTWARE FROM THIRD PARTIES HAS A HIGH INSTANCE OF DODGINESS, get a pass from us because, Apple is rich?

      I guess we could knock Apple for not publishing hashes, but, really, Apple figures a download from it via https is the only way one should get their software. I know, walled garden, controlling Apple, insisting that there be one source for their code.

      (Incidentally, if Google is not looking at ways to check that developers are using legit compilers, SDKs, and IDEs, they aren't as smart as I think they are.)

      I also add that I recall Ken Thompson gave a famous speech in which he said malware injected by the compiler would be a real ugly problem.

      Any way, the Xcode-now crowd do not get a pass from me, because I did spend hours getting software from legitimate sites via 14K modem a couple of decades back. What was their rush? Getting their knockoff to the App Store two days before the competition got their knockoff posted?

    5. Deltics

      Re: Let me see...

      You don't need to pay anything for a legit copy of Xcode. It's free.

  3. john devoy

    How are they getting these apps onto Apples appstore if you need a valid developer license to publish them onto the appstore?

    1. Anonymous Coward

      Gatekeeper in reverse? One person is registered of a small team? That'd probably do it, depending on how object files are handled.

    2. djack

      The affected developers *have* got a valid developer key.

      However, they are so used to using unsigned applications (i.e. produced by hobbyists or just test applications etc for whom the $99 is prohibitive) that they have disabled or routinely ignore the 'unsigned application' warnings when installing the XCode tools.

      The binaries that they produce contain the spyware but the developers have no idea that this is the case and so get their infected produce signed using their own legitimate app store key.

      It's not so much of a case of anyone affected being cheap, more the convenience of a local download and a security system disabled as it is seen as more of a hindrance.

  4. W Donelson

    Vultures: Apocalypse! Apocalypse! Apocalypse! Apocalypse!

    Apocalypse! Apocalypse! Apocalypse! Apocalypse! Apocalypse!

    1. Anonymous Coward

      Re: Vultures: Apocalypse! Apocalypse! Apocalypse! Apocalypse!

      Developers! Developers! Developers! Developers!

      1. Anonymous Coward

        Re: Vultures: Apocalypse! Apocalypse! Apocalypse! Apocalypse!

        Certificates! Certificates! Certificates! Certificates!

        1. Anonymous Coward

          Re: Vultures: Apocalypse! Apocalypse! Apocalypse! Apocalypse!

          Repetition! Hesitation! Deviation!

          1. Likkie

            Re: Vultures: Apocalypse! Apocalypse! Apocalypse! Apocalypse!

            Alliteration! Alliteration! Alliteration!

    2. Mike Moyle

      Re: Vultures: Apocalypse! Apocalypse! Apocalypse! Apocalypse!

      Tension, apprehension, and dissension have begun!

  5. bigtimehustler

    What surprises me the most is that these developers, once having compiled the apps for distribution, then never ran them again themselves? If they had, they would have seen the iCloud login popups added to their apps immediately. I'll tell you what, if I compile an app for distribution, I damn well install it myself through the normal user route to make sure it works as expected when compiled and installed that way.

    1. Dan 55 Silver badge

      It would be quite easy for the simulator build and the build pushed to a local iDevice via USB to not pop those dialogs up.

    2. ThomH

      The problem with App Store submissions is that you cannot "install it [yourself] through the normal user route". You could resign it for local install — which is what you'd do to hand it off to QA — but it's always possible they found some way to detect the difference.

      Otherwise I would assume it was a timed thing: probably something very basic like maliciously inserted code checks build date of binary, doesn't do anything if it's within 30 days, possibly there's a REST call "I'm this app ID, this build number, should I do anything?" with a remote database being manually updated only after someone has confirmed the build is in the App Store but I don't know how worried the authors would have been about somebody running through a proxy as part of the QA process (e.g. to make sure that your ordinary calls are occurring sensibly).

    3. Jason Bloomberg Silver badge

      There are a whole load of tricks to ensure a developer does not get to see nastiness even if downloading as if an end user; a simple one is to check that the current date, or date when first run, is a good few days after the application build date. It can also hold off until a certain version or revision. I am sure those behind this have even better tricks to use.

    4. Someone Else Silver badge

      @ bigtimehustler

      This is China we're talking about here....

      1. Anonymous Coward

        Re: @ compile a compiler from a bad compiler

        remember that the Snowden docs "revealed" that the CIA also had a program to backdoor Xcode, so yes, someone in China has been caught tampering - now what about the other nations' bugdoors. . .?

  6. Ilsa Loving

    Why have these companies not had their licenses revoked?

    Gatekeeper was designed specifically to prevent this kind of thing from happening. If developers are disabling it, and then installing dodgy software on top of it, they should have their licenses revoked and be disallowed from submitting apps in the future.

    This isn't just a case of "Oh gee, oopsey me!", this was not just one, but several willful acts of stupidity. These "developers" clearly don't have the knowledge and/or aptitude to write software, and so shouldn't be allowed to do so.

    1. Anonymous Coward

      Re: Why have these companies not had their licenses revoked?

      Maybe so, but if Apple did that look for the next Reg headline to scream something about Apple cutting off starving developers in China due to their XcodeGhost, implying it was all Apple covering their ass for their own mistake.

      Apple can do a few things to eliminate the chance of this ever happening again:

      1) put up a caching server in China (inside the great firewall) for the 4GB Xcode download to eliminate the incentive for developers to grab versions elsewhere.

      2) force a check of certificates/checksums via the internet before Xcode will let you produce an app signed with the developer's key (required for upload to the app store) It wouldn't require a permanent internet connection (since for some developers that may not be doable) but you'd have to connect at least once with a given Xcode install and have it verify its certificates and checksum with Apple before it would produce binaries suitable for upload to the app store.

      If someone mirrors an exact copy of Xcode this would be no problem, it would pass the checks, but change one byte and it would fail, so mirrors of malware infested versions would not allow apps to get to the app store (for apps getting to alternate app stores used by jailbroken iPhones, that's their own lookout and something neither Apple nor myself will care about)
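The proposal above (verify the install's checksums against what the vendor vouches for before it may sign anything) and djack's point further up (a trojaned toolchain produces binaries the developer then signs with a perfectly valid key) both come down to the same defensive check: does the local copy of the tool match a trusted manifest, byte for byte? The script below is an added illustration, not Apple's, Xcode's or The Register's code. It builds a sha256sum-style manifest from a trusted copy, replays it against a second copy, and reports modified, missing and added files. The directory layout, file names and contents are constructed stand-ins, not a real Xcode bundle.

```python
"""Verify an unpacked toolchain against a pinned SHA-256 manifest (added example)."""
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so multi-GB bundles need not fit in RAM."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def format_manifest(manifest: dict[str, str]) -> str:
    """Serialise in sha256sum(1) style: '<hex>  <path>' per line."""
    return "".join(f"{h}  {p}\n" for p, h in sorted(manifest.items()))


def parse_manifest(text: str) -> dict[str, str]:
    """Parse sha256sum-style lines back into a mapping; blanks and '#' comments are skipped."""
    manifest: dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, rel_path = line.partition("  ")
        if len(digest) != 64 or not rel_path:
            raise ValueError(f"malformed manifest line: {line!r}")
        manifest[rel_path] = digest.lower()
    return manifest


def verify_tree(root: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Report every way the tree under root departs from the trusted manifest."""
    actual = build_manifest(root)
    return {
        "modified": sorted(p for p, h in manifest.items() if p in actual and actual[p] != h),
        "missing": sorted(p for p in manifest if p not in actual),
        "added": sorted(p for p in actual if p not in manifest),
    }


def is_trusted(report: dict[str, list[str]]) -> bool:
    """Only a copy with no deviations at all should be allowed to produce signed builds."""
    return not any(report.values())


def demo() -> tuple[bool, bool, dict[str, list[str]]]:
    """Constructed scenario: a trusted download, then a mirror that differs by one byte and two files."""
    with tempfile.TemporaryDirectory() as tmp:
        good = Path(tmp) / "Toolchain_trusted"  # constructed layout, not a real Xcode.app
        (good / "Contents" / "Developer").mkdir(parents=True)
        (good / "Contents" / "Resources").mkdir()
        (good / "Contents" / "Info.plist").write_text("<plist/>\n")
        (good / "Contents" / "Developer" / "compiler_binary").write_bytes(b"constructed compiler bytes")
        (good / "Contents" / "Resources" / "license.txt").write_text("constructed licence text\n")

        # In practice the manifest is published by the vendor over HTTPS; here it is
        # pinned from the trusted copy and round-tripped through the text format.
        pinned = parse_manifest(format_manifest(build_manifest(good)))
        good_ok = is_trusted(verify_tree(good, pinned))

        # A third-party mirror: one byte flipped in the compiler, one file dropped, one added.
        mirror = Path(tmp) / "Toolchain_mirror"
        shutil.copytree(good, mirror)
        target = mirror / "Contents" / "Developer" / "compiler_binary"
        data = bytearray(target.read_bytes())
        data[-1] ^= 0x01
        target.write_bytes(bytes(data))
        (mirror / "Contents" / "Resources" / "license.txt").unlink()
        (mirror / "Contents" / "Developer" / "extra_file").write_bytes(b"not in manifest")

        report = verify_tree(mirror, pinned)
        return good_ok, is_trusted(report), report


if __name__ == "__main__":
    trusted_ok, mirror_ok, mirror_report = demo()
    print("trusted copy passes:", trusted_ok)
    print("mirror passes:", mirror_ok, mirror_report)
```

The single-byte flip is enough to change the file's digest and fail the check, which is the "change one byte and it would fail" property the poster wants; an exact mirror, by contrast, passes unchanged. The manifest itself is only as trustworthy as the channel it arrives over, so in a real deployment it would be fetched from the vendor over TLS or carry a signature, not be generated locally as the demo does for self-containment.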

    2. handle

      Re: Why have these companies not had their licenses revoked?

      Probably because if they revoked those developers' licences they wouldn't have many developers left...

  7. Anonymous Coward

    Chinese jaywalking

    well.. if they want to compare skipping cert verification with the "traditional" Chinese jaywalking... I'm going to compare it with the other Chinese "tradition" associated with jaywalking accidents: drivers will return and kill an accident victim ON PURPOSE...

    blindly ignoring an invalid cert warning is like this "traditional" behaviour too.

    http://www.news.com.au/travel/travel-updates/disturbing-stories-from-chinas-roads/story-fnizu68q-1227516693873

    http://www.slate.com/articles/news_and_politics/foreigners/2015/09/why_drivers_in_china_intentionally_kill_the_pedestrians_they_hit_china_s.html

  8. Henry Wertz 1 Gold badge

    $99 is not extortion and is not infinitesimal

    "$99 is extortion? Don't make me laugh."

    Whether something is extortion or not is not based on the amount. I could extort someone for 75 cents and it's still extortion. That said, there's no extortion here, there's no threats or coercion to try to get anyone to pay Apple a penny.

    "Compared the other software and services we have to pay for to support development, it's practically infinitesimal."

    My costs for doing Android development were a one-time $25 fee to create an Android Developer account (this is to discourage people behaving badly from just making a new dev account each time an old one is banned.) THAT IS ALL.

    1. Anonymous Coward

      Re: $99 is not extortion and is not infinitesimal

      Android is a side business of reaping people info and selling ads, so it could be cheap. Other kind of development tools can be pricey, far more than $99 per year, up into thousands per year (or even more).

      My first compiler, as a young hobbyist then, cost me far more than $99. And the PC to run it on was far more expensive, more expensive than a Mac + iPhone today (no Pi back then...). I saved to buy it for a long time, and renounced other things.

      Really, when I read about all those poor students and hobbyists who can't afford software prices, I look around, and see how many students and hobbyists spend a lot of money for their free time pleasures - just it has not to be software! Hey, even a tattoo is money well spent, but software, always too expensive!

      Any hobbyist/student wanting to learn programming and even creating great software today can do it with a $35 Pi and free tools. Complaining about the price of this developer subscription - especially given the price of the hardware needed for it (of course, they only buy used, and you wonder who queues for the new models...) - and calling it "extortion", looks really like greed to me.

      Then there are fields requiring expensive tools and/or hardware to develop with. But not every hobby is cheap and affordable. There are hobbies that are pretty expensive, and nobody says it's an "extortion" - either you're rich, or you can save enough to afford them - otherwise you can only choose something cheaper. Life is not always what you'd like...

  9. Henry Wertz 1 Gold badge

    XCode download

    "1) put up a caching server in China (inside the great firewall) for the 4GB Xcode download to eliminate the incentive for developers to grab versions elsewhere."

    This. I'm not in China, I'm here in the US, and I still found the XCode download excessively slow as well as error-prone (Apple's servers would every so often crap out and cut the download off mid-download.)

  10. Anonymous Coward

    Bollocks !

    The cost of a Mac is far more.

    I really doubt many, if any even had a Mac. This is pirated xcode software running on a Hackintosh.

  11. Someone_Somewhere

    Does anyone know WHEN XcodeGhost was first 'released' ? - I can't find any info on which versions of the apps are affected

    1. Anonymous Coward

      MacRumors seem to have a list of apps, but it's not yet very 'forensic'

      slightly more at http://www.macrumors.com/roundup/xcodeghost/
