Developer Trust, and the XCode Hack

As many of you may already be aware, a report was published early Tuesday morning, indicating that the CIA has created a “whacked” version of XCode — Apple’s IDE and development toolchain — that can leak developer private information or inject malware into apps created with the altered IDE.

While that particular report does not get into Android, I feel fairly confident that Android developers are wide open for targeted attacks via development tools and development processes. And these attacks may not require CIA-level “dark arts”, but would be more within reach of other nations or organized groups. Some of those attackers will be less interested in affecting our apps and more interested in peering inside our office networks.

We need to do a better job, overall, of making sure that developers can trust the tools that they use. We need to trust that the tools were not written with malicious intent in the first place. We need to trust that what we download and use is really what was published by the tools’ authors, not some “whacked” version. And we need to trust that the various services that we use, from ad networks to distribution channels, are not having similar impacts.

Personally, I need to climb the learning curve on OpenPGP signing of Maven artifacts, both to sign my CWAC libraries and to advise developers on how they can be validating artifact signatures as part of the build process. I am hoping that, in the coming days and weeks, the publishers of the major tools and ecosystems that we as Android developers use will explain to us what is being done to help prevent, or at least detect, XCode-style attacks.