by cryptoz
3924 days ago
It's possible that we all are. In fact, it should be assumed that everyone who uses Xcode is using it from "some shady source". Shady, as in the CIA/NSA. https://www.schneier.com/blog/archives/2015/03/how_the_cia_m...

> The security researchers also claimed they had created a modified version of Apple's proprietary software development tool, Xcode, which could sneak surveillance backdoors into any apps or programs created using the tool. Xcode, which is distributed by Apple to hundreds of thousands of developers, is used to create apps that are sold through Apple's App Store.

---

Edit: Until Xcode is fully open source it should be considered compromised. Unfortunately, even if it ever became fully open source, it will still be difficult to trust a compiler that you use to build Xcode [1]. However, at the very least, all possible build utilities and distribution components should be open source.

[1] Reflections On Trusting Trust, by Ken Thompson: https://www.ece.cmu.edu/~ganger/712.fall02/papers/p761-thomp...
On the other hand, if Apple is doing transformations on the code you give them (e.g., you hand them LLVM bytecodes or whatever), then the process is harder because Apple's doing the code gen and optimization. Still, you should be able to notice utterly foreign basic blocks and system calls ("hey, when did our app start calling mkdir?").
While I wouldn't discount this as a vehicle for state level actors to distribute malware ("stateware"?), and while we know that in practice this "many eyes" stuff doesn't really work out, this type of tampering would be detectable after the fact, with detection easily automated once discovered in the wild.
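One way to automate the "hey, when did our app start calling mkdir?" check described above, as an added example that is not part of the thread or of any Apple tooling: diff the undefined (imported) symbols of a freshly built binary against a known-good baseline build and flag imports that appear for the first time. The two symbol listings are constructed samples in the format `nm -u <binary>` prints on macOS; in practice you would capture them from the two builds yourself. The watchlist of imports worth a human look is an illustrative assumption, not a list from the page.

```python
"""
Added example: detect imports that a new build picked up that the audited
baseline build did not have. Both symbol listings below are constructed
samples in `nm -u` format (one undefined symbol per line); they are not
real build output.
"""
import re
from typing import Dict, List, Set

# Constructed sample: `nm -u` output for the baseline build you audited.
BASELINE_NM_U = """\
_NSLog
_objc_msgSend
_objc_retain
_objc_release
_malloc
_free
"""

# Constructed sample: `nm -u` output for a fresh build of the same source.
# `_mkdir`, `_open`, `_write` and `_CFURLCreateWithString` are new.
NEW_BUILD_NM_U = """\
_NSLog
_objc_msgSend
_objc_retain
_objc_release
_malloc
_free
_mkdir
_open
_write
_CFURLCreateWithString
"""

# Assumption (illustrative, not from the page): imports that deserve a look
# when they show up without a source change that explains them.
WATCHLIST = {
    "_mkdir", "_open", "_write", "_system", "_execve", "_dlopen",
    "_dlsym", "_getaddrinfo", "_connect", "_socket",
}


def parse_nm_undefined(text: str) -> Set[str]:
    """Parse nm output into the set of undefined symbol names.

    Accepts both the bare `_sym` lines printed by `nm -u` and the
    `U _sym` lines printed by plain `nm`; lines for defined symbols
    (e.g. `0000 T _foo`) are ignored.
    """
    syms: Set[str] = set()
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = re.match(r"^(?:U\s+)?(\S+)$", line)
        if m:
            syms.add(m.group(1))
    return syms


def diff_imports(baseline: str, candidate: str) -> Dict[str, List[str]]:
    """Return imports added/removed in `candidate` relative to `baseline`,
    plus the subset of added imports that hit the watchlist."""
    base = parse_nm_undefined(baseline)
    cand = parse_nm_undefined(candidate)
    added = sorted(cand - base)
    removed = sorted(base - cand)
    suspicious = [s for s in added if s in WATCHLIST]
    return {"added": added, "removed": removed, "suspicious": suspicious}


if __name__ == "__main__":
    report = diff_imports(BASELINE_NM_U, NEW_BUILD_NM_U)
    for key in ("added", "removed", "suspicious"):
        print(f"{key}: {', '.join(report[key]) or '(none)'}")
```

The check is only as good as the baseline: the first audited build has to be inspected by hand, after which every later build is compared against it. A new import is not proof of tampering (a legitimate source change can add one), but it turns a silent change in the toolchain into a diff someone has to sign off on.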