Xcode 8 Plugins (Alcatraz) — The end of an era
iOS 10 and Xcode 8 are around the corner and it’s time to say goodbye to Alcatraz.
What is Alcatraz?
Alcatraz is a package manager for Xcode. Think of it as the “App Store” of the Xcode plugins. After installing Alcatraz you can search for any plugin that is listed in their repository instead of finding the plugin (Eg. from Github) and installing it manual.
Xcode Plugins
When I first heard about Xcode Plugins I couldn’t believe that Apple would allow us to inject unsigned code in Xcode. Xcode Plugins can be developed by anyone using Xcode and can be installed by just running the project and restarting Xcode. I know, that doesn’t sound like Apple at all. After downloading Alcatraz and experimenting with plugins I decided that I would try to create one. So I created LogDisabler.
LogDisabler
LogDisabler is solving a problem that I had for each project that I would build for production. The logs. I am using NSLog a lot in my code just to make sure that everything is OK at the different states of the app. But some of these logs are printing sensitive data (Eg. URL requests or their parameters) that anyone can observe, using tools like iOS Console. So as a good practice I am disabling all the logs.
For disabling logs you have to find/replace all NSLog/print in your code or using preprocessor macros.
LogDisabler is adding 2 new menu options under “File” menu in Xcode and is disabling or enabling comments of the entire project with a press of button.
LogDisabler under the hood
LogDisabler is replacing all occurences of NSLog with //LDLog and vice versa, using the sed command. This simple plugin is using a UNIX command that list all the files under the project directory and it’s modifying all .m and .swift files. That’s sound scary, right?
Plugins can mess your project
Xcode plugins can do whatever they want in your project. Of course you can check their behaviour by investigating the code in GitHub but let’s be honest, you won’t (most of the times).
XcodeGhost
Do you remember XcodeGhost? Guess what, it was using “the plugin” method to inject the malicious code.
Freedom!
On the other hand plugins are quite handy. You can modify Xcode and add any functionality that you need. Just use your imaganitation! That kind of freedom is something new for anyone using Apple’s ecosystem.
Xcode 8
Xcode 8 prohibits code injection for security reasons. What that means is that you can’t load your plugins anymore. Plugins have to be rewritten as Xcode Source Editor Extensions. The issue with Source Editor Extensions API is that is only allows text replacement.
Workarounds
You can take a look at the issue #475 under Alcatraz for more information how to bypass this Xcode restriction and load plugins (I would not recommend it).
Introducing Xcode Source Editor Extensions
I am glad that Apple introduced an official way to create “plugins”. You can also share the plugin through Mac App Store. The downside is that it’s only for text replacement and a lot of plugins can’t be converted. Since my project (LogDisabler) is replacing text, I will try to convert it (rewrite it) using Source Editor Extension and I would share the experience in the future.
Conclusion
I am not sure how to feel about that change. It’s good that Apple cares so much about security and I think that the XcodeGhost incident is the main reason for prohibiting the code injection. On the other hand Source Editor Extension solves only a part of the problem. I really like that you can submit it to the Mac App Store and share it with other developers but at the moment, it can’t replace Alcatraz. I hope that Apple will extend Source Editor Extensions API for more than text replacing.
Check out this story about converting Alcatraz plugin to Source Editor Extension.
