13 comments

[ 4.4 ms ] story [ 47.0 ms ] thread
Unless they can force me to download XCode from someone other than Apple, or somehow hack Apple or force them to support this (not likely), this is a pointless exercise. If you distrust all software that isn't open source and validate it yourself, then I suppose anything is possible. I don't wear foil hats though.
What would make Apple Servers secure in this case? They most likely have the VeriSign Private Keys at their hands already.

Getting an Apple Private Key for signing the binary is also just a few blackmails and a gag order away. The average Apple engineer sure doesn't like to end up in jail for a prolonged time just because they happened to "find" some illegal material on one of his computers.

The sad truth is, the frameworks for something like this are already in place. There are "elements" in the government which have total control and surveillance at the very top of their agenda.

Controlling the media is easy (see Chinese, Russian State Televion etc.) but you also need to control the Internet these days. China is already really "good" at this and the US is also doing the groundwork, it's not as easy for them as it is for the Chinese, because they don't want to kill their tech sector and the billions of revenue for good overnight, so they have do introduce these things more slowly.

They've already demonstrated that they have the means to inject into a binary stream, so unless Apple start encrypting everything - and I mean, everything - that happens between the App store and dragging the App into /Applications, there's little we can do to resolve this issue.

This is one of those cases where the betrayal of the NSA/GCHQ/Spy-Agencies-of-the-5-eyes-nations is really obvious. We can no longer trust our developer tools...

Encrypting that entire process doesn't strike me as excessive, I kinda assumed that was already how it's done anyway.
>or force them to support this (not likely)

Last time I've checked apple was an US company. https://en.wikipedia.org/wiki/Patriot_Act

>If you distrust all software that isn't open source

Sadly, this isn't enough. A lot of people are pushing for deterministic builds for exactly this reason.

Cause this is exactly what the US needs... another intelligence agency running wild unchecked on the internet.
(comment deleted)
i feel that if this was done, it was done 'over the wire', more or less on the fly, and not by wholesale appstore replacement but by mitm of internet traffic streams looking for xcode binary material and replacing it, or portions of it, transparently.
The article is very short and vague...just go tot the direct link it is referring to: https://firstlook.org/theintercept/2015/03/10/ispy-cia-campa...

I think this part is the most interesting: by manipulating Xcode, the spies could compromise the devices and private data of anyone with apps made by a poisoned developer

I know iOS allows us to block an app from utilizing data over cellular, I guess the concern would then be on wifi networks.

Sorry to be the one... but it's "Xcode" with a lowercase "c".
Sorry to be the one...

You could always... not be the one

I'm baffled why people post this kind of correction on aggregators and not the article's own comment form. It's like mumbling while reading a newspaper on public transport.
This has been released about Xcode - but it's likely that any major development platform has been targeted, especially those for cellular phones.

As always you can never be certain, but assuming Android has also been targetted would help to explain some odd bits compiled into things like the Android Uber app [1]. My gut tells me that researchers ought to look at the Apple version.

[1] http://www.gironsec.com/blog/2014/11/what-the-hell-uber-unco...