First Look has broken news about a CIA program to target Apple's Xcode toolchain, which is required to build native Mac and iOS apps:
The result of the attack, if successful, is that the compiled binary you send to your end-users contains a backdoor, without the original source code or encryption you might use ever needing to be compromised.
This news fits well with Hans's recent post on a very well socially engineered phishing attack we received on our Google Play developer account. I see a lot of attacks, and this one nearly fooled me:
I think a fairly broad set of adversaries, both state and non-state, are beginning to use this tactic. The idea that app developers' toolchains and distribution systems are as much a target of surveillance and compromise as end users or the networks they use is a realization that many people out there are still waking up to.
What's the solution? Overall hardening of the systems and workflow of the people building apps is a great start, but there are also some very exciting new approaches to this problem. Chief among them right now is the idea of reproducible builds: multiple loosely affiliated parties act as notaries, each rebuilding the app from the published source and confirming that the result is byte-for-byte the binary being distributed, so that source code = binary app. You can read about it here:
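To make the notary idea concrete, here is a small added example of my own; it is not code from the original post or from the Guardian Project. The "source tree", the notary names and the two-of-three quorum are assumptions for illustration, and the "build" is a toy that packs files into a zip, chosen because archive timestamps are a classic source of non-reproducibility:

```python
# Added example: toy model of multi-party verification of a reproducible build.
# Not code from the original post or the Guardian Project; the source tree,
# notary names and the 2-of-3 quorum policy are assumptions for illustration.
import hashlib
import io
import zipfile

# Constructed sample source tree (assumption; not a real project).
SOURCE_TREE = {
    "main.c": b"int main(void) { return 0; }\n",
    "README": b"demo app\n",
}

# Zip stores DOS timestamps; 1980-01-01 is the earliest value and a common
# fixed mtime for reproducible archives.
FIXED_MTIME = (1980, 1, 1, 0, 0, 0)


def build_app(source_tree, toolchain=None, mtime=FIXED_MTIME):
    """Toy 'build': run each file through the toolchain and pack the outputs
    into a zip with sorted entry order, fixed mtimes and fixed permissions.
    `toolchain` models the compiler as a function (name, bytes) -> bytes;
    a trojaned toolchain is simply a function that emits extra code."""
    compile_file = toolchain or (lambda name, data: data)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in sorted(source_tree):
            info = zipfile.ZipInfo(name, date_time=mtime)
            info.compress_type = zipfile.ZIP_STORED
            info.external_attr = 0o644 << 16
            zf.writestr(info, compile_file(name, source_tree[name]))
    return buf.getvalue()


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def backdoored_toolchain(name, data):
    """Models the attack described above: the source on disk is untouched,
    but the compiled output gains a payload."""
    if name == "main.c":
        return data + b"/* payload injected by compromised toolchain */\n"
    return data


def notary_verdict(distributed_artifact, notary_digests, quorum):
    """Compare the shipped artifact with digests reported by independent builders.
    Returns (accepted, digest_of_shipped_artifact, list_of_agreeing_notaries)."""
    digest = sha256(distributed_artifact)
    agreeing = sorted(n for n, d in notary_digests.items() if d == digest)
    return len(agreeing) >= quorum, digest, agreeing


def demo(quorum=2):
    """Three independent notaries rebuild the app from source on clean
    toolchains; the developer's shipped build is checked against them."""
    notaries = {n: sha256(build_app(SOURCE_TREE))
                for n in ("notary-a", "notary-b", "notary-c")}

    # 1. Clean toolchain, reproducible build: every notary agrees.
    clean_ok, _, clean_agree = notary_verdict(build_app(SOURCE_TREE), notaries, quorum)

    # 2. Trojaned developer toolchain: the source matches, the binary does not,
    #    so no notary can reproduce it and the build is rejected.
    trojaned = build_app(SOURCE_TREE, toolchain=backdoored_toolchain)
    bad_ok, _, bad_agree = notary_verdict(trojaned, notaries, quorum)

    # 3. Clean toolchain but a non-reproducible build (wall-clock mtime baked in):
    #    also rejected, which is why reproducibility has to come first; without it,
    #    case 2 is indistinguishable from harmless build noise.
    noisy = build_app(SOURCE_TREE, mtime=(2015, 3, 10, 12, 0, 0))
    noisy_ok, _, noisy_agree = notary_verdict(noisy, notaries, quorum)

    return {
        "clean": (clean_ok, clean_agree),
        "trojaned": (bad_ok, bad_agree),
        "non_reproducible": (noisy_ok, noisy_agree),
    }


if __name__ == "__main__":
    for case, (accepted, agree) in demo().items():
        print(f"{case:17s} accepted={accepted} agreeing={agree}")
```

The point of the third case is the practical one: a notary scheme only detects a trojaned toolchain if honest builds already agree with each other, so normalizing timestamps, file order, permissions and similar build noise is a prerequisite, not an optional polish.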