Tuesday, March 10, 2015

The CIA’s Xcode

Jeremy Scahill and Josh Begley (via Asem H.):

The security researchers also claimed they had created a modified version of Apple’s proprietary software development tool, Xcode, which could sneak surveillance backdoors into any apps or programs created using the tool.

[…]

The modified version of Xcode, the researchers claimed, could enable spies to steal passwords and grab messages on infected devices. Researchers also claimed the modified Xcode could “force all iOS applications to send embedded data to a listening post.” It remains unclear how intelligence agencies would get developers to use the poisoned version of Xcode.

Recall Ken Thompson’s Reflections on Trusting Trust: a compromised compiler can plant a backdoor in every program it builds, and in future copies of itself, without the backdoor ever appearing in any source code.

Researchers also claimed they had successfully modified the OS X updater, a program used to deliver updates to laptop and desktop computers, to install a “keylogger.”

Nat! was wondering about this possibility last year.

Eamon Javers:

A U.S. intelligence official told CNBC Tuesday that American spies need to develop ways to get covert access to mobile devices.

“That’s what we do,” the official said. “CIA collects information overseas, and this is focused on our adversaries, whether they be terrorists or other adversaries.”

Xcode project manager Tim Triemstra is not happy (via Frederic Jacobs).

John Gruber:

To be clear, there is no indication in this report that this hacked version of Xcode has been used in the wild. To be useful, they’d somehow have to get developers to use their modified Xcode toolset instead of Apple’s, or, to somehow infect Apple’s Xcode code base with their modifications. (Imagine a CIA or NSA agent, a trained computer scientist, who joins Apple’s Xcode compiler team under false pretenses.)

Craig Hockenberry:

The article refers to “Xcode” generically, but as we all know, there are a lot of pieces to this puzzle: I’m going to examine a few of them below. It’s your job to think about how these things might affect your own products.

Update (2015-03-10): K.M. Gallagher notes that the Mac App Store downloads Xcode using plain, unencrypted HTTP. Presumably it verifies that the package is signed by Apple before installing it, though. If you download Xcode manually, Apple’s site uses HTTPS. You then end up with a disk image containing an application whose code signature Gatekeeper accepts. However, Gatekeeper’s default policy only checks that the application is signed with a certificate Apple issued to some registered Mac developer (a Developer ID); it doesn’t check that it was signed by Apple itself, and the only way to see who did sign it is to run codesign and read its Authority lines.
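To make the Gatekeeper caveat concrete, here is an added shell example; it is not code from the original post, from Apple, or from any of the people quoted. It classifies an application’s signer from the Authority chain that `codesign -dvv` prints. The point it shows is that a Developer ID chain also ends in “Apple Root CA”, so the root tells you nothing; only the leaf certificate distinguishes a third-party signature from Apple’s own. The Authority strings are the ones Apple’s chains print for its own software, Mac App Store apps, and Developer ID apps; the two sample codesign outputs are constructed for this example, and the path /Applications/Xcode.app and the `anchor apple` requirement are assumptions about how you would run it on a real Mac.

```shell
#!/bin/sh
# Added example (not from the original post): tell a first-party Apple code
# signature apart from a third-party one that Gatekeeper would also accept.
# The sample codesign outputs below are constructed, not real captures.

# Reads `codesign -dvv` output on stdin and prints one word:
#   apple          leaf "Software Signing" (Apple's own software, e.g. the
#                  Xcode download from developer.apple.com)
#   mac-app-store  leaf "Apple Mac OS Application Signing"
#   developer-id   a Developer ID certificate issued to some registered developer
#   unsigned       no Authority lines at all
#   other          anything else (ad-hoc, enterprise, unknown chain)
# codesign lists the leaf certificate first, then intermediates, then the root.
# A Developer ID chain also ends in "Apple Root CA", so only the leaf is examined.
classify_signer() {
    leaf=$(grep '^Authority=' | head -n 1 | sed 's/^Authority=//')
    case "$leaf" in
        "Software Signing")                 echo apple ;;
        "Apple Mac OS Application Signing") echo mac-app-store ;;
        "Developer ID Application: "*)      echo developer-id ;;
        "")                                 echo unsigned ;;
        *)                                  echo other ;;
    esac
}

# On a Mac, check a real bundle (assumed default path: /Applications/Xcode.app).
# The requirement "anchor apple" is satisfied only by code Apple itself signed;
# "anchor apple generic" would also accept any Developer ID certificate, which
# is roughly the bar Gatekeeper applies. codesign writes -dvv output to stderr.
verify_apple_signed() {
    app=${1:-/Applications/Xcode.app}
    codesign --verify --test-requirement='=anchor apple' "$app" 2>&1 \
        && codesign -dvv "$app" 2>&1 | classify_signer
}

# Constructed sample outputs in the layout codesign uses. Same Identifier and
# same root in both; only the leaf differs.
SAMPLE_APPLE='Executable=/Applications/Xcode.app/Contents/MacOS/Xcode
Identifier=com.apple.dt.Xcode
Authority=Software Signing
Authority=Apple Code Signing Certification Authority
Authority=Apple Root CA'

SAMPLE_DEVID='Executable=/Volumes/Xcode/Xcode.app/Contents/MacOS/Xcode
Identifier=com.apple.dt.Xcode
Authority=Developer ID Application: Example Corp (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA'

printf 'developer.apple.com download: %s\n' "$(printf '%s\n' "$SAMPLE_APPLE" | classify_signer)"
printf 'third-party re-signed copy:   %s\n' "$(printf '%s\n' "$SAMPLE_DEVID" | classify_signer)"
```

On a real machine, `verify_apple_signed /Applications/Xcode.app` fails at the first step for anything not signed by Apple, regardless of whether Gatekeeper would have let it launch; the classifier then reports which kind of chain you actually have.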

Brent Simmons:

But today I heard: “It’s not NSApplication — it’s NSA-pplication!”


David Spector

"(Imagine a CIA or NSA agent, a trained computer scientist, who joins Apple’s Xcode compiler team under false pretenses.)" Yeah… and? Anyone who doesn't think the gov't has both already done such things and has already proactively granted itself immunity for any and all such actions is beyond naive…

Installing LittleSnitch on a Mac (which I assume we all do these days) is a hair-raising experience: every time Apple services engage in some way or other, they spew a tonne of HTTPS connections, nearly always followed by that one lone request to ATT-something over HTTP.

It reminds me of the early days of Sparkle and WebKit: inject one lone image or PDF document in the release notes and boom, there goes the machine in what the user assumed was a fully trusted context.

It boggles the mind to think that Apple would still do anything over HTTP, but then what can you expect of a company whose online store still logs you in over HTTPS and reverts immediately to HTTP? I expect Akamai is to blame for a great many of these issues, even though that is by no means an excuse.

MitM-ing the App Store is at least no longer possible… Well, partially. Progress?

I should add that all experienced developers download Xcode manually, even for the "main" version, because with the Mac App Store you never know which one (you kind of have to keep multiple versions around in practice) it is going to update.

HTTPS is not that much of a protection against a state attacker (it just has to subvert any one CA), though I think that someone would notice if the Gatekeeper signer was not Apple, and that is harder to subvert.

@Pierre How would you notice if the Xcode.app on your .dmg file was signed by a third-party (i.e. CIA) Gatekeeper certificate rather than Apple’s? Wouldn’t you only see this if you manually ran codesign and looked at the Authority?

@Michael: The signer is not shown anywhere else, such as the Get Info window or something? Damn, maybe I was too hopeful indeed. (I wouldn't know, I've been boycotting Mac OS X 10.8 and later precisely because of Gatekeeper, except for an alternate boot partition just for iOS dev.)

