Developer Trust, Revisited

Six months ago, I wrote a blog post pointing to a report about the CIA using hacked versions of Xcode to distribute spyware.

Somebody apparently thought that was a cool concept, and created XcodeGhost to trick developers into distributing malware with their apps.

As with my original post on the subject, just because this problem has come to light with respect to Apple does not mean that somehow the Android ecosystem is immune. Android’s mish-mash of ever-changing tooling may help a bit (security by OMG), but the attack vectors used for XcodeGhost are certainly available for Android as well.

We need:

  • More education and effort into ensuring that we are not using corrupted tools, libraries, and the like

  • More education and effort into post-build analysis to see if our APKs have what we think they have (and only what we want), including more work into streamlining reproducible builds, particularly with respect to open source projects

  • Fewer vendors intentionally messing with our APKs and weakening our ability to confirm that our apps are not corrupted by the distribution process
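As an added example (not code from the original post, nor any vendor's tooling), here is the kind of post-build check the second and third bullets call for: a Python script that compares two APKs entry by entry, so a developer can confirm that the APK being distributed contains exactly what the local build produced. The archives and file names below are constructed sample data; META-INF/ is skipped because the signing block legitimately differs between signers.

```python
import hashlib
import io
import zipfile


def entry_digests(apk_bytes, ignore_signing=True):
    """SHA-256 of each file's uncompressed bytes, keyed by entry name.
    META-INF/ holds the signature and legitimately differs between signers,
    so it is skipped by default; everything else should be byte-identical."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or (ignore_signing and info.filename.startswith("META-INF/")):
                continue
            digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests


def diff_apks(expected_bytes, actual_bytes):
    """Entries added, removed or changed between two builds, as sorted lists."""
    exp, act = entry_digests(expected_bytes), entry_digests(actual_bytes)
    return {
        "added": sorted(set(act) - set(exp)),
        "removed": sorted(set(exp) - set(act)),
        "changed": sorted(n for n in exp.keys() & act.keys() if exp[n] != act[n]),
    }


def build_apk(entries):
    """Constructed sample data: pack in-memory files into a minimal APK-shaped ZIP."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in sorted(entries.items()):
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed builds: the developer's local build, and a "distributed" copy whose
# classes.dex differs and which carries a native library the source never asked for.
LOCAL_BUILD = build_apk({
    "AndroidManifest.xml": b"<manifest package='com.example.app'/>",
    "classes.dex": b"dex\n035\0local-dex-contents",
    "META-INF/CERT.RSA": b"local-signature",
})
DISTRIBUTED_BUILD = build_apk({
    "AndroidManifest.xml": b"<manifest package='com.example.app'/>",
    "classes.dex": b"dex\n035\0contents-nobody-reviewed",
    "lib/armeabi-v7a/libunexpected.so": b"\x7fELF-constructed-stub",
    "META-INF/CERT.RSA": b"different-signature",
})
```

On real builds, pass the bytes of the two APK files read from disk to `diff_apks`; anything reported under `added` or `changed` is a difference that needs explaining before the APK ships.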

I’ll be trying to do some work in this space, but I am not an Android toolsmith (yet). Responsibility here falls on purveyors of the key pieces of our toolchain, such as Google and Gradleware. If anyone working in this space would like to chat, get in touch.