{"id":2937,"date":"2015-09-29T21:12:48","date_gmt":"2015-09-30T00:12:48","guid":{"rendered":"http:\/\/brockerhoff.net\/blog\/?p=2937"},"modified":"2015-09-29T21:12:48","modified_gmt":"2015-09-30T00:12:48","slug":"rb-app-checker-lite-and-ghosts","status":"publish","type":"post","link":"https:\/\/brockerhoff.net\/blog\/2015\/09\/29\/rb-app-checker-lite-and-ghosts\/","title":{"rendered":"RB App Checker Lite and ghosts"},"content":{"rendered":"<p>As you may have seen elsewhere, Apple has just approved publication of <a href=\"\/RB\/AppCheckerLite\" target=\"_blank\">RB App Checker Lite<\/a> 1.1.3 (build 320) <a href=\"http:\/\/itunes.apple.com\/us\/app\/rb-app-checker-lite\/id519421117?mt=12\" target=\"_blank\">on the Mac App Store<\/a>, and I&#8217;ve simultaneously published the Developer ID version (build 321) and updated the product page.<\/p>\n<p>While the main focus of this version is to do some additional checks, fix bugs and display some information that users have requested,\u00a0the <a href=\"http:\/\/www.macworld.com\/article\/2985773\/security\/xcodeghost-app-store-malware-shows-the-weakest-links-and-apples-advantage.html\" target=\"_blank\">XcodeGhost<\/a> story broke just after I uploaded the first binary for review, and I had to remove\u00a0it in order to see what RB App Checker Lite could do to detect <a href=\"http:\/\/tidbits.com\/article\/15939\" target=\"_blank\">this breach of security<\/a>.<\/p>\n<p>Assuming\u00a0you&#8217;ve read the excellent summaries linked to in the previous paragraph, you may be interested in what I found inside the \u201cghosted\u201d version of Xcode. 
Briefly, the hack alters the script Xcode uses to link an app&#8217;s binary; it also inserts\u00a0look-alike versions of the CoreServices framework into the iOS, iPhone Simulator and OS X SDKs inside Xcode.<\/p>\n<p>All this of course breaks Xcode&#8217;s code signature and, under normal circumstances, running such a hacked version would \u2014 after the customary delay for checking, 2 to 5 minutes \u2014 be detected by Gatekeeper, which would advise the developer that \u201c\u2018Xcode.app\u2019 will damage your computer. You should move it to the Trash.\u201d The previous version of RB App Checker Lite would likewise advise that \u201c\u2026requirements and resources didn&#8217;t pass static validation\u201d and point at the changed file.<\/p>\n<p>You&#8217;d think that would take care of the matter, but it turns out that the affected developers had turned Gatekeeper off entirely, no doubt to get rid of the several-minute delay. After that, versions of their apps uploaded to the App Store would\u00a0have been linked with\u00a0a static library containing categories on Cocoa\u00a0classes such as UIApplication, UIWindow and so forth; this static library was hidden inside the added frameworks.<\/p>\n<p>Needless to say, the new version of RB App Checker Lite also detects the added frameworks and warns: \u201c3 frameworks are suspect: they use system names but are NOT signed by Apple!\u201d<\/p>\n<p>This is both good and bad news. The good news is that <em>this specific<\/em> version of XcodeGhost \u2014 or any similar hack that hides code inside bogus frameworks looking like Apple&#8217;s frameworks \u2014 can be detected. 
The bad news is that this specific tactic depends on\u00a0surviving a casual visual inspection of the SDKs inside Xcode; in other words, the names and file paths used look reasonable and mostly duplicate Apple&#8217;s names and conventions.<\/p>\n<p>This works because Xcode is a huge application; it contains nearly 5\u00a0<em>thousand<\/em> auxiliary executables. The latest Xcode beta has several SDKs for each of the 7 platforms it supports, and each SDK includes its own copy of every system framework, both public and private, for that particular combination. Unfortunately, not all these frameworks are currently signed by Apple \u2014 only\u00a02\/3 of them are, and not in a consistent manner. (In all fairness, the percentage has been creeping up a little with each release.)<\/p>\n<p>Therefore, unless you check the entire app contents with Gatekeeper, RB App Checker Lite (or even the codesign command-line utility), it is humanly\u00a0impossible to tell by visual inspection in the Finder whether anything has been changed inside Xcode. So keep Gatekeeper turned on! One thing Apple should implement is running Gatekeeper checks on Apple-signed software even when Gatekeeper has been deliberately disabled.<\/p>\n<p>So, what to do about \u201cinfected\u201d apps? Unfortunately the news is not good there. (By the way, I&#8217;m surprised that no infected apps have \u2014 as yet \u2014 been found on the Mac App Store.) As I said, infected apps contain linked-in categories on Cocoa\u00a0classes, using plausible English method names. Writing such categories is perfectly legal and even commonplace \u2014 I&#8217;ve done so myself. Having code inside these categories do things that are allowed by the app&#8217;s entitlements, such as sending\/receiving data over the net, is also perfectly legal and plausible. 
There already seem to be some utilities that purport to detect such code, but I suppose they&#8217;d turn up a lot of false positives unless they check for these specific combinations of symbols \u2014 which is not very future-proof.<\/p>\n<p>By the same token, Apple can&#8217;t really do these tests comprehensively when an app is uploaded to the store. They can and do check for private or \u201csuspect\u201d APIs being called, but as far as I can see the present XcodeGhost doesn&#8217;t use\u00a0anything like that.<\/p>\n<p>Coming back to RB App Checker Lite: it currently does NOT look inside executable code at all. Should it do so? I&#8217;m reluctant to implement that; it&#8217;s not clear what exactly to look for regarding hacks like XcodeGhost, and it would mean that checking Xcode and similarly huge apps would take tens of minutes or even more. I&#8217;m open to suggestions, however&#8230; comment here or email me!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>As you may have seen elsewhere, Apple has just approved publication of RB App Checker Lite 1.1.3 (build 320) on the Mac App Store, and I&#8217;ve simultaneously published the Developer ID version (build 321) and updated the product page. 
While the main focus of this version is to do some additional checks, fix bugs and [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[3,4,19],"tags":[42,22],"class_list":["post-2937","post","type-post","status-publish","format-standard","hentry","category-apple","category-dev","category-software","tag-rb-utilities","tag-xcode"],"featured_image_src":null,"author_info":{"display_name":"Rainer Brockerhoff","author_link":"https:\/\/brockerhoff.net\/blog\/author\/rbrockerhoff\/"},"jetpack_featured_media_url":"","jetpack_shortlink":"https:\/\/wp.me\/p1q3Zc-Ln","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/brockerhoff.net\/blog\/wp-json\/wp\/v2\/posts\/2937","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/brockerhoff.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/brockerhoff.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/brockerhoff.net\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/brockerhoff.net\/blog\/wp-json\/wp\/v2\/comments?post=2937"}],"version-history":[{"count":0,"href":"https:\/\/brockerhoff.net\/blog\/wp-json\/wp\/v2\/posts\/2937\/revisions"}],"wp:attachment":[{"href":"https:\/\/brockerhoff.net\/blog\/wp-json\/wp\/v2\/media?parent=2937"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/brockerhoff.net\/blog\/wp-json\/wp\/v2\/categories?post=2937"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/brockerhoff.net\/blog\/wp-json\/wp\/v2\/tags?post=2937"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
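The post makes two points a practitioner can act on with nothing more than the codesign command-line utility it mentions: the whole-bundle check that Gatekeeper performs (and that the affected developers switched off), and the per-framework check behind the "they use system names but are NOT signed by Apple" warning. The script below is an added example written for this page; it is not code from RB App Checker Lite, Apple or Xcode. The XCODE default path, the function names, and the three sample codesign outputs (constructed to match the usual shape of `codesign -dvv` output) are this example's assumptions, not facts from the post.

```shell
#!/bin/sh
# Added example; not code from RB App Checker Lite, Apple or Xcode. Audits the
# frameworks bundled inside Xcode's SDKs for copies that use Apple system names
# but do not verify against Apple's own signing chain. Usage on a Mac:
#   sh xcode_sdk_audit.sh --scan
# XCODE, the sample outputs and the parsing rules are this example's assumptions.

XCODE="${XCODE:-/Applications/Xcode.app}"

# Constructed samples of what `codesign -dvv <path>` writes to stderr: one
# Authority= line per certificate in the chain, or a single diagnostic line
# for unsigned code. The identifiers and paths are made up for this example.
SAMPLE_APPLE='Executable=/Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS.sdk/System/Library/Frameworks/CoreServices.framework/CoreServices
Identifier=com.apple.CoreServices
Authority=Software Signing
Authority=Apple Code Signing Certification Authority
Authority=Apple Root CA'
SAMPLE_DEVID='Executable=/tmp/CoreServices.framework/CoreServices
Identifier=com.apple.CoreServices
Authority=Developer ID Application: Example Corp (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA'
SAMPLE_UNSIGNED='/tmp/CoreServices.framework: code object is not signed at all'

# Classify codesign -dvv text. Prints one of: apple | third-party | unsigned | unknown
# Apple's own system software carries the "Software Signing" leaf; Developer ID
# and Mac App Store code chain to the same Apple root through a different leaf,
# so the root alone proves nothing about who built the framework.
classify_signature() {
  case "$1" in
    *"code object is not signed at all"*)                     echo unsigned ;;
    *"Authority=Software Signing"*"Authority=Apple Root CA"*) echo apple ;;
    *"Authority=Apple Root CA"*)                              echo third-party ;;
    *)                                                        echo unknown ;;
  esac
}

# Turn a classification into a report label. Every framework under an SDK's
# System/Library already uses a system name, so any signer other than Apple is a
# name collision and is SUSPECT. Unsigned ones are listed but not flagged: the
# post notes a stock Xcode still ships about a third of its SDK frameworks
# unsigned, so those need a known-good baseline (or the bundle check) to judge.
verdict_for() {
  case "$1" in
    apple)               echo ok ;;
    unsigned)            echo unsigned ;;
    third-party|unknown) echo SUSPECT ;;
  esac
}

# Step 1: the whole-bundle checks. codesign --deep --strict verifies nested code
# and the sealed resource list, so any file added to or altered inside the bundle
# (including a dropped-in framework) fails; spctl is Gatekeeper's own assessment.
verify_xcode_bundle() {
  codesign --verify --deep --strict --verbose=2 "$XCODE" &&
  spctl --assess --type execute --verbose "$XCODE"
}

# Step 2: per-framework check. '=anchor apple' is the requirement that only
# Apple's own signing chain satisfies (Developer ID code only meets
# 'anchor apple generic'), so anything failing it inside an SDK is examined.
scan_sdk_frameworks() {
  find "$XCODE/Contents/Developer/Platforms" \
       -path '*/SDKs/*.sdk/System/Library/*Frameworks/*.framework' -prune -print 2>/dev/null |
  while IFS= read -r fw; do
    codesign --verify -R='=anchor apple' "$fw" 2>/dev/null && continue
    info=$(codesign -dvv "$fw" 2>&1)
    printf '%s\t%s\n' "$(verdict_for "$(classify_signature "$info")")" "$fw"
  done
}

case "${1:-}" in
  --scan)
    verify_xcode_bundle || echo "FAIL: $XCODE does not pass whole-bundle verification" >&2
    scan_sdk_frameworks
    ;;
esac
```

Run it with `--scan` on the Mac that holds the Xcode copy under suspicion. Step 1 alone is the check Gatekeeper would have made before the affected developers disabled it; step 2 is the finer-grained report, and its output needs reading with the post's caveat in mind: `unsigned` lines are expected in a stock Xcode, whereas a `SUSPECT` line (an SDK framework signed by anyone other than Apple) has no legitimate explanation.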