Why Apple Should Have Prevented XcodeGhost, And Why It’s Probably State-Sponsored

Some folks have asked my opinion of XcodeGhost and whether it’s the possible result of Internet censorship forcing Chinese developers to seek out unauthorized sources. The answer is an unqualified “No.”

There is no direct censorship angle here, only impatience on the part of impacted developers. After all, you can access and download Apple developer tools directly from Apple servers with no VPN when you’re behind the GFW. It’s more a function of the fact that Internet connectivity to points outside of China is very slow, and Apple hosts this stuff in Cupertino, California. Apple isn’t the only site affected by this problem; virtually every foreign site runs at a crawl compared to Chinese sites. So, many Chinese sites mirror a lot of popular foreign content locally. While the revenue model for hosting this stuff is usually ads, there are often also shenanigans. You find all sorts of viruses and malware on Chinese sites hosting pirated Windows software and foreign movies for example. However, these viruses and malware are a very different type than XcodeGhost.

My personal guess, based on the function of the malware, is that the Chinese government was likely behind this attack. Why? The highly stealthy nature of the attack and the function of the malware. Most “legit” (non state sponsored) Chinese malware tries to steal money. This malware was stealing detailed information about the devices on which it was installed. No garden variety Chinese Internet criminals would spend the time to do this, and risk getting caught with no payoff. While the objective may be just intelligence gathering, it also wouldn’t surprise me if further analysis revealed that this malware enabled infected devices to be transformed into a massive botnet. This would be an incredible coup; most devices on the Internet are now mobile devices, and DDoS attacks using PC-based botnets are becoming less effective as PC growth slows (and security on PCs improves). However, if you could build an iPhone botnet army, it’d rival PCs in sheer numbers of devices online. And given the rollout of 4G, these are devices connected to the Internet at relatively high speeds. Imagine flooding, say, every Web site in Taiwan with garbage traffic from every iPhone in the world. This is the sort of thing I can see the Chinese government potentially wanting to do.

To be clear this is entirely speculation and I haven’t personally analyzed this malware. I have no inside information from either Apple or the Chinese government. My speculation is probably more informed than most foreigners, given that it is backed by 3 years of experience in a senior IT role at Microsoft living and working in China. It just doesn’t have the fingerprints of garden-variety malware, though, which almost always tries to steal money.

If I were a betting man, I’d bet this is state sponsored.

How can you protect yourself if you’re a developer in China, or working with developers in China? Build your own repository of tools used within your enterprise, rather than relying on commercial mirrors in China. Obtain everything in the repository directly from official sources and verify the hash (preferably SHA256) before you add each installation package to your repository. Have a strong security policy, detailed security training, and enforcement mechanisms in place to ensure that only legitimate installation packages are used. Audit your developer desktops to discover any deviation from policy.
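One way to enforce the “verify the hash before it enters the repository” step, as an added example rather than anything from the original post: a small POSIX shell gate that only copies a package into the internal repository when its SHA-256 matches a value pinned from the vendor’s official page. The function names, the manifest format, and the demo file names are all assumptions; the demo files are constructed, not real Xcode downloads.

```shell
#!/bin/sh
# Added example: admit installer packages into an internal tool repository only
# when their SHA-256 matches a digest pinned from the official source. All paths,
# names and demo files here are assumptions/constructed, not real Xcode downloads.
set -u

# Portable SHA-256: sha256sum on Linux, shasum -a 256 on macOS.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_and_add PACKAGE EXPECTED_SHA256 REPO_DIR
# Copies PACKAGE into REPO_DIR only when its digest equals the pinned value
# (compared case-insensitively); otherwise touches nothing and returns 1.
verify_and_add() {
    pkg=$1; expected=$(printf '%s' "$2" | tr 'A-Z' 'a-z'); repo=$3
    [ -f "$pkg" ] || { echo "REJECT: $pkg not found" >&2; return 1; }
    actual=$(sha256_of "$pkg")
    if [ "$actual" = "$expected" ]; then
        mkdir -p "$repo" && cp "$pkg" "$repo/" && echo "ADDED: $pkg"
        return 0
    fi
    echo "REJECT: $pkg sha256 $actual != pinned $expected" >&2
    return 1
}

# verify_manifest MANIFEST REPO_DIR
# MANIFEST holds one "<sha256>  <path>" per line, transcribed from the vendor's
# official page. Every entry is checked; the return value is the number rejected.
verify_manifest() {
    rejected=0
    while read -r digest path; do
        [ -n "$digest" ] || continue            # skip blank lines
        verify_and_add "$path" "$digest" "$2" || rejected=$((rejected + 1))
    done < "$1"
    return "$rejected"
}

# Demo: an empty file has the well-known digest e3b0c442...b855; pin that for two
# files, one empty (matches) and one "mirror" copy with different content.
if [ "${1:-}" = "demo" ]; then
    t=$(mktemp -d)
    : > "$t/Xcode_official.dmg"; printf 'mirror build\n' > "$t/Xcode_mirror.dmg"
    e=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
    printf '%s  %s\n%s  %s\n' "$e" "$t/Xcode_official.dmg" "$e" "$t/Xcode_mirror.dmg" > "$t/manifest"
    verify_manifest "$t/manifest" "$t/repo"; echo "rejected: $?"
fi
```

Run it with `sh gate.sh demo` to see one package admitted and one rejected; in real use, the digests in the manifest come from the official download page, never from the mirror that served the file.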

How can you otherwise protect yourself? Consider whether the nice free “battery saver” app you’re about to install made by a company you’ve never heard of in Beijing is worth the non-zero risk. Maybe it is; a lot of great software is made in China. I personally use multiple products from Qihoo 360. Maybe it isn’t, though.

People like to think of Apple as omnipotent, but it’s a company made up of human beings who make mistakes just like the rest of us do. Having spent 13 years at Microsoft seeing how the sausage is made, and running my own software company Cuddli today, I think it’s truly a wonder that anything works at all, ever. Granted, Apple absolutely messed up here, and they did so in an egregious way. If you want to publish an iOS application as a developer, Apple takes weeks to review it. These reviews are legendary for how particular Apple is. Supposedly, a security review is part of that. But they missed this repeatedly over dozens of different applications. Given their corporate culture they’ll probably fire a bunch of people (who are probably great people, so if you’re recruiting, now is a very good time to poach from Apple). However, I’d be shocked if this is the first time something like this has happened, and it certainly won’t be the last. It’s a jungle out there, so act accordingly.

Apple can make or break you as an application developer, so it’s actually risky for me to be publicly critical of them when we plan to ship an iOS app. However, we care about user safety enough at Cuddli to stand up for our users and expect that Apple deliver the goods when they claim security is part of the equation. Our users expect this, and as app developers, we expect a safe ecosystem in which to deploy. You can quote me on that!

About the author: I am the founder of Cuddli, a company dedicated to creating joy in people’s lives every day. I’m interested in technology that keeps people and their data safe without slowing business down. Feel free to reach out if I can be helpful to you.