Apple is taking steps to prevent tainted apps from making their way onto the App Store. This includes making it easier for Chinese developers to download its official app tools from Chinese domestic servers, Phil Schiller, Apple senior vice president of marketing, told Chinese news agency Sina.com.
Schiller’s comments come two days after Apple acknowledged that several apps on its store were compromised by XcodeGhost -- a piece of malware that infected apps built by developers using a tainted version of Apple’s Xcode programming tools. Apple makes the tools freely available to developers through its Mac App Store. But some Chinese programmers turned to downloading Xcode from unofficial third-party sources, because download speeds were too slow from the company’s overseas servers, according to Reuters.
Developers then unknowingly published their infected apps, which were distributed through the App Store. Apple has already removed known infected apps from its store and it has set up a support page, where it will post a list of the 25 most popular apps affected by the malware.
“After the top 25 impacted apps, the number of impacted users drops significantly,” Apple’s support page reads. Messaging app WeChat and a Chinese version of “Angry Birds 2” were among some of the infected apps. Customers should delete the infected apps from their iPhone, iPad or iPod Touch until a clean version of the respective app is released.
Apple also outlined steps for developers to check that their version of Xcode is authentic and unmodified:
To verify the identity of your copy of Xcode, run the following command in Terminal on a system with Gatekeeper enabled:
spctl --assess --verbose /Applications/Xcode.app
where /Applications/ is the directory where Xcode is installed. This tool performs the same checks that Gatekeeper uses to validate the code signatures of applications. The tool can take up to several minutes to complete the assessment for Xcode.
After the command is run, the tool will display up to three valid responses, depending on where Xcode was downloaded from.
Mac App Store
source=Mac App Store
Apple Developer Portal
If the tool displays any response other than “accepted”, or reports a source that is not Apple, developers should download a fresh copy of Xcode from the company's website.
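
An added example, not from Apple or the original article: a shell wrapper around the spctl check above that passes only when the verdict is “accepted” and the reported source is Apple. The function names and the source values “Apple” and “Apple System” are assumptions; only “Mac App Store” appears in the text above.

```shell
#!/bin/sh
# Allowed "source=" values. "Mac App Store" is from the article; "Apple" and
# "Apple System" are assumed values for Apple Developer Portal downloads.
ALLOWED_SOURCES='Mac App Store
Apple
Apple System'

# check_spctl_output TEXT APP_PATH   (hypothetical helper name)
# Returns 0 only if TEXT contains the line "<APP_PATH>: accepted" AND a
# "source=" line naming an allowed Apple source. A validly signed copy from
# a non-Apple source can still be "accepted", so the verdict alone is not enough.
check_spctl_output() {
    text=$1
    app=$2
    # Verdict line must match exactly; "rejected" or an error line fails here.
    printf '%s\n' "$text" | grep -qxF -e "$app: accepted" || return 1
    # Take the first source= line and compare it against the allow-list.
    src=$(printf '%s\n' "$text" | sed -n 's/^source=//p' | head -n 1)
    [ -n "$src" ] || return 1
    printf '%s\n' "$ALLOWED_SOURCES" | grep -qxF -e "$src"
}

# verify_xcode [APP_PATH]   (hypothetical helper name; macOS only)
# Runs the command from the article and prints a pass/fail summary.
verify_xcode() {
    app=${1:-/Applications/Xcode.app}
    command -v spctl >/dev/null 2>&1 || {
        echo "spctl not found (this check only works on macOS)" >&2
        return 2
    }
    # Capture both streams so the verdict is kept wherever spctl writes it.
    out=$(spctl --assess --verbose "$app" 2>&1)
    if check_spctl_output "$out" "$app"; then
        echo "OK: $app is accepted and its source is Apple"
    else
        echo "FAIL: download a fresh copy of Xcode from Apple. spctl reported:" >&2
        printf '%s\n' "$out" >&2
        return 1
    fi
}
```

Call verify_xcode with the path to the installed copy, and run it on every build machine, including CI hosts, since a single tainted Xcode is enough to infect every app built on it.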