Apple Advises Users, Developers On XcodeGhost Scare

Sometimes it's Android and sometimes it's iOS, but both platforms have had their share of highly publicized security nightmares. This time, it's Apple's turn to take the heat, though partly through no fault of its own. The recent XcodeGhost malware that has affected dozens, possibly even hundreds, of iOS apps, mostly from China, has definitely worried not a few users. Now Cupertino is setting the record straight for users and guiding developers on how to make sure they won't become unwilling carriers of this security vulnerability.

The root cause of this XcodeGhost malware is an unofficial Xcode installer that has been tainted to sneak the malware into iOS apps built with the development tool. This has allowed such infected apps to get past Apple's usually strict QA and get included in the App Store. The exact number of tainted apps still hasn't been released, but the list included even popular ones like the WeChat messaging platform.

For the record, Apple claims that they have no information that would suggest XcodeGhost has actually resulted in anything malicious short of sending generic device information to an external server. No private information has been stolen, as far as Apple can tell. XcodeGhost only presented a theoretical security hole, one that has not yet been exploited, fortunately. Or at least from Apple's findings.

Considering the nature of the malware, there is very little users can actually do to protect themselves. Since the infected apps are being distributed through the App Store, there is a presumption of trustworthiness. For its part, Apple assures users that they have already removed those infected apps. That said, there seems to be a disagreement in reports whether that number is just in the dozens or in the hundreds. Apple promises to publish a list of the top 25 impacted apps and their versions so that users can check for themselves if they're running a compromised version of the app.

Apple says it is also working with app developers to get those infected apps back and to prevent similar issues in the future. That practically means urging them to download tools like Xcode only from the official sources. That said, Apple does also have a tool for checking how pristine an installer is even if downloaded from a third-party source and is advising developers to verify the integrity of their Xcode installations at once.

SOURCE: Apple (1), (2)