In the wake of the XcodeGhost fiasco, Apple wants to make sure that all developers use clean versions of Xcode

Sep 22, 2015 15:19 GMT

After the iOS App Store was inundated with hundreds of apps infected by the XcodeGhost compiler malware, Apple has decided that every developer should know how to check whether the version of Xcode installed on their Mac comes directly from Apple's assembly line.

Xcode is an integrated development environment developed by Apple and designed to make it easier for developers to create apps for OS X, iOS, watchOS, and tvOS.

Over the past week, security researchers have discovered that multiple Chinese developers downloaded a modified Xcode build designed to inject a piece of compiler malware named XcodeGhost into every app they built with the malicious Xcode copy.

Even though Apple at first chose not to acknowledge the problem, on Sunday it started removing the infected apps from the iOS App Store, and today it published a tutorial on its developer news website detailing how to check whether an Xcode installation is code-signed by Apple.

To do so, developers have to run the following command in a Terminal window on a system with the Gatekeeper security feature enabled:

    spctl --assess --verbose /Applications/Xcode.app

where /Applications is the folder in which the Xcode copy is installed.

According to Apple, the spctl command-line tool uses the same technique Gatekeeper uses for validating an application's code signature.

Developers should allow the validation process time to finish, since spctl can need up to several minutes to complete the Xcode check.

spctl will display an "accepted" validation message for any clean Xcode build

According to Apple, the spctl tool should return the following result for an Xcode version downloaded from the Mac App Store:

    /Applications/Xcode.app: accepted
    source=Mac App Store

For Xcode copies downloaded from the Apple Developer website, spctl should display:

    /Applications/Xcode.app: accepted
    source=Apple

or

    /Applications/Xcode.app: accepted
    source=Apple System

The bottom line is that if developers get any result other than "accepted" from the spctl code signature validation tool, or any source other than "Apple," "Apple System" or "Mac App Store," they should immediately uninstall the Xcode build they have installed, because it is not a build signed by Apple.

Next, they should download a clean Xcode build from Apple's Developer website or the Mac App Store, and recompile all their apps before re-submitting them for review.
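As an added example (not from the article, Apple, or the spctl tool itself), the following POSIX shell script parses the spctl output quoted above and flags anything that is not "accepted" from one of the three listed sources; the exit codes, the assess_xcode wrapper and the sample outputs are my own construction.

```shell
#!/bin/sh
# Added example: classify the text printed by
#   spctl --assess --verbose /Applications/Xcode.app
# Exit codes (my own convention): 0 = accepted from an Apple source,
# 1 = not accepted, 2 = accepted but from a source outside the three
# the article lists ("Mac App Store", "Apple", "Apple System").

check_xcode_assessment() {
    # $1 is the complete spctl output (normally two lines).
    verdict="" source=""
    while IFS= read -r line; do
        case "$line" in
            *": accepted") verdict="accepted" ;;
            *": rejected") verdict="rejected" ;;
            source=*)      source="${line#source=}" ;;
        esac
    done <<EOF
$1
EOF
    if [ "$verdict" != "accepted" ]; then
        echo "NOT ACCEPTED (verdict='${verdict:-none}', source='${source:-none}')"
        return 1
    fi
    case "$source" in
        "Mac App Store"|"Apple"|"Apple System")
            echo "OK: accepted, source=$source"
            return 0 ;;
        *)
            echo "SUSPICIOUS: accepted, but source='$source' is not an Apple source"
            return 2 ;;
    esac
}

# Live wrapper for a Mac: runs spctl on the given path (default
# /Applications/Xcode.app). spctl exits non-zero on rejection, so its
# output is captured first and judged by check_xcode_assessment.
assess_xcode() {
    out=$(spctl --assess --verbose "${1:-/Applications/Xcode.app}" 2>&1) || true
    check_xcode_assessment "$out"
}

# Run the live check only when invoked as: sh check_xcode.sh --run [path]
if [ "${1:-}" = "--run" ]; then
    assess_xcode "${2:-}"
fi
```

On a Mac, `sh check_xcode.sh --run` performs the live check; the parsing function can be exercised anywhere by passing it captured spctl output.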

[Gallery: 2 images, "Xcode 7.0" and "Xcode validation result"]