It's possible that we all are. In fact, it should be assumed that everyone who uses Xcode is using it from "some shady source". Shady, as in the CIA/NSA.
> The security researchers also claimed they had created a modified version of Apple's proprietary software development tool, Xcode, which could sneak surveillance backdoors into any apps or programs created using the tool. Xcode, which is distributed by Apple to hundreds of thousands of developers, is used to create apps that are sold through Apple's App Store.
---
Edit:
Until Xcode is fully open source it should be considered compromised. Unfortunately, even if it ever became fully open source, it will still be difficult to trust a compiler that you use to build Xcode [1]. However, at the very least, all possible build utilities and distribution components should be open source.
You can probably verify the output of the compiler. This takes some effort, and 99.99 and a few more nines of developers don't do it, unless they're stepping through assembly trying to find a bad bug or performance issue.
On the other hand, if Apple is doing transformations on the code you give them (e.g., you hand them LLVM bytecodes or whatever), then the process is harder because Apple's doing the code gen and optimization. Still, you should be able to notice utterly foreign basic blocks and system calls ("hey, when did our app start calling mkdir?").
While I wouldn't discount this as a vehicle for state level actors to distribute malware ("stateware"?), and while we know that in practice this "many eyes" stuff doesn't really work out, this type of tampering would be detectable after the fact, with detection easily automated once discovered in the wild.
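The "when did our app start calling mkdir?" check from the comment above, automated as a build-time gate. This is an added example (my code, not the commenter's or Apple's) that diffs the imported symbols of a fresh build against the previous release's baseline; the two symbol lists and the watchlist are constructed for illustration.

```python
from typing import Dict, Set

# Constructed sample: undefined (imported) symbols as printed by `nm -u` on a
# Mach-O binary, for the previous release and for the fresh build.
BASELINE_NM = """\
_NSLog
_objc_msgSend
_open
_read
_close
"""
CURRENT_NM = """\
_NSLog
_objc_msgSend
_open
_read
_close
_write
_mkdir
_dlopen
_getaddrinfo
"""

# Imports that should never show up without a reviewed source change
# (illustrative list, tune it to the app's real profile).
WATCHLIST = {"_mkdir", "_dlopen", "_dlsym", "_getaddrinfo",
             "_connect", "_ptrace", "_system"}


def parse_nm_undefined(text: str) -> Set[str]:
    """Collect undefined symbols from `nm -u` (bare names) or plain `nm` output."""
    syms: Set[str] = set()
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if len(parts) == 1:          # `nm -u` style: one bare symbol per line
            syms.add(parts[0])
        elif parts[-2] == "U":       # plain `nm` style: "[addr] U name"
            syms.add(parts[-1])
    return syms


def new_imports(baseline: str, current: str) -> Dict[str, Set[str]]:
    """Imports present in the current build but absent from the baseline, by risk."""
    added = parse_nm_undefined(current) - parse_nm_undefined(baseline)
    return {"flagged": added & WATCHLIST, "unexpected": added - WATCHLIST}


def build_is_clean(baseline: str, current: str) -> bool:
    """CI gate: fail the build on any watchlisted import that the baseline lacks."""
    return not new_imports(baseline, current)["flagged"]
```

Feed it `nm -u` output captured in CI for both artifacts; it only catches imports that are new relative to the baseline, so the baseline itself must come from a build you already trust.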
This makes no sense to me. If the CIA/NSA had the ability to force Apple to modify their official Xcode distribution then surely they could force Apple to do anything. This could include not encrypting iCloud data.
Note that it's not that CIA forced Apple to do something; the allegations are that CIA could be doing this without Apple even knowing.
Edit: But yes, I would agree with the idea that it might be possible for CIA or NSA to have "rooted" Apple entirely, and have total control over iCloud, iOS, Mac OS, etc. It does not seem entirely unlikely in fact.
https://www.schneier.com/blog/archives/2015/03/how_the_cia_m...
[1] Reflections On Trusting Trust, by Ken Thompson: https://www.ece.cmu.edu/~ganger/712.fall02/papers/p761-thomp...