{"id":10752,"date":"2015-03-10T19:09:50","date_gmt":"2015-03-10T23:09:50","guid":{"rendered":"http:\/\/mjtsai.com\/blog\/?p=10752"},"modified":"2015-03-11T00:00:27","modified_gmt":"2015-03-11T04:00:27","slug":"the-cias-xcode","status":"publish","type":"post","link":"https:\/\/mjtsai.com\/blog\/2015\/03\/10\/the-cias-xcode\/","title":{"rendered":"The CIA’s Xcode"},"content":{"rendered":"

Jeremy Scahill and Josh Begley<\/a> (via Asem H.<\/a>):<\/p>\n

The security researchers also claimed they had created a modified version of Apple’s proprietary software development tool, Xcode, which could sneak surveillance backdoors into any apps or programs created using the tool.<\/p>\n

[…]<\/p>\n

The modified version of Xcode, the researchers claimed, could enable spies to steal passwords and grab messages on infected devices. Researchers also claimed the modified Xcode could “force all iOS applications to send embedded data to a listening post.” It remains unclear how intelligence agencies would get developers to use the poisoned version of Xcode.<\/p><\/blockquote>\n

Recall<\/a> Ken Thompson’s Reflections on Trusting Trust<\/a>.<\/p>\n

Researchers also claimed they had successfully modified the OS X updater, a program used to deliver updates to laptop and desktop computers, to install a “keylogger.”<\/p><\/blockquote>\n

Nat!<\/a> was wondering about this possibility last year.<\/p>\n

Eamon Javers<\/a>:<\/p>\n

A U.S. intelligence official told CNBC Tuesday that American spies need to develop ways to get covert access to mobile devices.<\/p>\n

“That’s what we do,” the official said. “CIA collects information overseas, and this is focused on our adversaries, whether they be terrorists or other adversaries.”<\/p><\/blockquote>\n

Xcode project manager Tim Triemstra<\/a> is not happy (via Frederic Jacobs<\/a>).<\/p>\n

John Gruber<\/a>:<\/p>\n

To be clear, there is no indication in this report that this hacked version of Xcode has been used in the wild. To be useful, they’d somehow have to get developers to use their modified Xcode toolset instead of Apple’s, or, to somehow infect Apple’s Xcode code base with their modifications. (Imagine a CIA or NSA agent, a trained computer scientist, who joins Apple’s Xcode compiler team under false pretenses.)<\/p><\/blockquote>\n

Craig Hockenberry<\/a>:<\/p>\n

The article refers to “Xcode” generically, but as we all know, there are a lot of pieces to this puzzle: I’m going to examine a few of them below. It’s your job to think about how these things might affect your own products.<\/p><\/blockquote>\n

Update (2015-03-10): K.M. Gallagher<\/a> notes that the Mac App Store downloads Xcode using plain, insecure HTTP. Presumably it verifies that the installer package is signed by Apple, though. If you download Xcode manually, Apple’s site uses HTTPS. You then end up with a disk image containing a Gatekeeper-signed application. However, Gatekeeper only checks that the application is signed by a registered Mac developer; it doesn’t check that it was signed by Apple.<\/p>\n

Brent Simmons<\/a>:<\/p>\n

But today I heard: “It’s not NSApplication — it’s NSA-pplication!”<\/p><\/blockquote>","protected":false},"excerpt":{"rendered":"

Jeremy Scahill and Josh Begley (via Asem H.): The security researchers also claimed they had created a modified version of Apple’s proprietary software development tool, Xcode, which could sneak surveillance backdoors into any apps or programs created using the tool. […] The modified version of Xcode, the researchers claimed, could enable spies to steal passwords […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"apple_news_api_created_at":"","apple_news_api_id":"","apple_news_api_modified_at":"","apple_news_api_revision":"","apple_news_api_share_url":"","apple_news_coverimage":0,"apple_news_coverimage_caption":"","apple_news_is_hidden":false,"apple_news_is_paid":false,"apple_news_is_preview":false,"apple_news_is_sponsored":false,"apple_news_maturity_rating":"","apple_news_metadata":"\"\"","apple_news_pullquote":"","apple_news_pullquote_position":"","apple_news_slug":"","apple_news_sections":"\"\"","apple_news_suppress_video_url":false,"apple_news_use_image_component":false,"footnotes":""},"categories":[2],"tags":[1144,75,465,30,39,705,355,48,1146,226],"class_list":["post-10752","post","type-post","status-publish","format-standard","hentry","category-technology","tag-central-intelligence-agency-cia","tag-developertool","tag-gatekeeper","tag-mac","tag-macappstore","tag-nsa","tag-privacy","tag-security","tag-strawhorse","tag-xcode"],"apple_news_notices":[],"_links":{"self":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/10752","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/comments?post=10752"}],"version-history":[{"count":4,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/10752\/revisions"}],"predecessor-version":[{"id":10784,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/10752\/revisions\/10784"}],"wp:attachment":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/media?parent=10752"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/categories?post=10752"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/tags?post=10752"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}