The security researchers also claimed they had created a modified version of Apple’s proprietary software development tool, Xcode, which could sneak surveillance backdoors into any apps or programs created using the tool. Xcode, which is distributed by Apple to hundreds of thousands of developers, is used to create apps that are sold through Apple’s App Store. §
The article goes onto say, “It remains unclear how intelligence agencies would get developers to use the poisoned version of Xcode.”
Getting the hacked Xcode package out in the wild would not be that hard. Before the creation of the Mac App Store, Xcode was a direct download from Apple.com. As with anything that’s served out on to the Internet, it’s possible that it could have been intercepted and replaced with the hacked copy. The CIA and it’s friends have showed remarkable competence and hacking, diverting, and collecting web traffic.
The one thing that the article doesn’t discuss is how this was done. How exactly did Xcode get hacked?
I can think of a few ways:
- The Xcode source code was hacked, and the program recompiled.
<include>files were tampered with.
- Helper programs were compromised.
Of the three, the first is the most problematic. It would mean the CIA had obtained the source code to Xcode. This would be a direct breech of the internal Apple servers holding that code. Either by network penetration or by an Apple employee who worked for the CIA.
Created a hacked Xcode version would be simple using the source code. The hacks could be written directly into the program. An app made with the hacked version would work normally. It would only be detectable by directly by comparing it to an app made with a non-hacked version of Xcode.
If the CIA did recompile Xcode with backdoors, it wouldn’t even need to be distributed. It would be a simple matter to set up a small independent software/games studio and hire unsuspecting programers. The programmers wound’t even need to use the hacked Xcode. Only the final version released would need to be compiled by it. The hacked Xcode would only need to be the last step in the automated build chain.
In fact, the CIA wouldn’t even need to setup it’s own shell company. Simply hacking the build system of popular apps would be enough to create the backdoor. Then the app from a respected developer with solid sales would turn into a spy tool. Hacking the build chain of an app after it’s reached a certain installed base would be even more productive.
Attacking a popular app after it has been adopted by millions of users would be devastating. Those people would have no idea the last update just started sending a copy of their messages to the CIA and friends.
A new app on the market might get the attention of security researchers. They would analyze it, check for suspicious connections it might make, and otherwise test it for leaks. Would they do the same for version 4.1.4?
With a hacked version of Xcode the possible attack vectors multiply.