Following the infection of the App Store with malware from modified versions of Xcode, Apple has emailed registered developers today asking them to ensure their installation of its developer tools is legitimate.
The malware spread widely because developers in China and other countries with slow internet access downloaded Xcode from local sources instead of from Apple directly. The copies hosted by those alternate sources had been modified to contain malware that could be remotely controlled once an app was compiled and sold on the App Store.
The email sent to developers today reminds them to download Xcode only from Apple’s store and to leave Gatekeeper, OS X’s protection, enabled:
“You should always download Xcode directly from the Mac App Store, or from the Apple Developer website, and leave Gatekeeper enabled on all your systems to protect against tampered software.”
Apple says this method ensures the code signature is valid and not tampered with. If you downloaded it from somewhere else, Apple says you should verify the installation by running the following command:
spctl --assess --verbose /Applications/Xcode.app
Running that should return the following results:
If the command returns any other result, it means the Xcode installation has been tampered with and should be removed and re-downloaded before compiling iOS applications.
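The check above can be scripted across every copy of Xcode on a build machine. The following is an added example, not Apple's script or part of the original article: the function names are hypothetical, and the accepted source values ("Mac App Store", "Apple", "Apple System") are taken from Apple's "Validating Your Version of Xcode" notice rather than from this page.

```shell
#!/bin/sh
# Added example: interpret `spctl --assess --verbose` output for Xcode.
# Function names are hypothetical; the accepted sources are those listed
# in Apple's "Validating Your Version of Xcode" notice.

# Reads spctl output on stdin, prints a verdict, returns 0 only when trusted.
classify_spctl() {
    verdict="" src=""
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            *": accepted") verdict=accepted ;;
            *": rejected"*) verdict=rejected ;;
            source=*) src=${line#source=} ;;
        esac
    done
    # Fail closed: anything other than an explicit "accepted" is a failure.
    if [ "$verdict" != accepted ]; then
        echo "FAIL: not accepted"
        return 1
    fi
    case "$src" in
        "Mac App Store"|"Apple"|"Apple System") echo "OK: $src" ;;
        *) echo "FAIL: unexpected source '${src:-none}'"; return 1 ;;
    esac
}

# Runs the assessment on one app bundle (macOS only).
check_xcode() {
    command -v spctl >/dev/null 2>&1 || { echo "spctl not available" >&2; return 2; }
    # Merge stderr into stdout so the verdict is captured on either stream.
    spctl --assess --verbose "$1" 2>&1 | classify_spctl
}

# Checks every Xcode bundle in /Applications, including renamed copies
# such as Xcode-beta.app; returns non-zero if any copy fails.
scan_xcode_installs() {
    rc=0
    for app in /Applications/Xcode*.app; do
        [ -d "$app" ] || continue
        printf '%s: ' "$app"
        check_xcode "$app" || rc=1
    done
    return $rc
}

scan_xcode_installs || echo "Remove and re-download any copy reported as FAIL."
```

A signature that is accepted but attributed to any other source is treated as a failure, because a validly signed bundle from a third party is still not Apple's Xcode.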
Apple has removed apps affected by the Xcode breach, but is eager to emphasize that other sources of its developer tools cannot be trusted.
➤ Validating Your Version of Xcode [Apple]