App Devs as Cyber Targets

First Look's The Intercept has broken news about a CIA program to target Apple's Xcode toolchain, which is required to develop native OS X and iOS apps:
https://firstlook.org/theintercept/2015/03/10/ispy-cia-campaign-steal-apples-secrets/

The result of a successful attack is that the compiled binary you ship to your end users contains a backdoor, even though neither your original source code nor any encryption you use was ever compromised.

This news fits well with Hans' recent post on a very well socially engineered phishing attack we received against our Google Play developer account. I see a lot of attacks, and this one nearly fooled me:
https://guardianproject.info/2015/02/24/phishing-for-developers/

I think a fairly broad set of adversaries, both state and non-state, are beginning to use this tactic. The idea that app developers' toolchains and distribution systems are as much a target for surveillance and compromise as end users or the networks they use is a fairly new realization, one that many people are still waking up to.

What's the solution? Overall hardening of the systems and workflow of people building apps is a great start, but there are also some very exciting new approaches to this problem. Chief among them right now is the idea of reproducible builds: multiple loosely affiliated parties independently build the published source and act as notaries, confirming that the source code really does correspond to the binary app. You can read about it here:

https://guardianproject.info/2015/02/11/complete-reproducible-app-distribution-achieved/
http://events.ccc.de/congress/2014/Fahrplan/events/6240.html
https://blog.torproject.org/blog/deterministic-builds-part-one-cyberwar-and-global-compromise
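To make the notary idea concrete, here is a small added example (my own illustration, not code from Guardian Project, F-Droid, Tor or Debian). It first shows why an ordinary build is not reproducible: archive entry timestamps and entry order leak the builder's environment into the output, so two honest builders get different bytes and cannot compare digests. It then pins those inputs so every honest builder gets the identical artifact, and applies the notary rule: the binary shipped to users is trusted only if at least a threshold of independent builders, working from the published source, produced byte-identical output. A backdoor inserted by a compromised toolchain (simulated here) changes the bytes, so the developer's own binary fails the check even though the source was never touched. The source tree, builder names, threshold and trojan are all constructed for the example.

```python
"""Added example: reproducible packaging plus a multi-party notary check.
Not code from the projects linked above; all inputs are constructed."""
import hashlib
import io
import zipfile
from datetime import datetime

# Constructed "source tree": path -> contents.
SOURCE = {
    "lib/b.py": b"def f():\n    return 42\n",
    "lib/a.py": b"from lib.b import f\n",
    "main.py": b"from lib.a import f\nprint(f())\n",
}

FIXED_TIME = (1980, 1, 1, 0, 0, 0)  # earliest timestamp the zip format allows


def naive_build(source, build_time=None):
    """Package `source` the way many tools do by default: entries in the
    order the file listing happens to give, each stamped with 'now'."""
    if build_time is None:
        build_time = datetime.now().timetuple()[:6]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in source.items():
            info = zipfile.ZipInfo(name, date_time=build_time)
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, data)
    return buf.getvalue()


def reproducible_build(source):
    """Same packaging with every environment-dependent input pinned:
    sorted entry order, fixed timestamp, fixed file mode."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in sorted(source):
            info = zipfile.ZipInfo(name, date_time=FIXED_TIME)
            info.compress_type = zipfile.ZIP_DEFLATED
            info.external_attr = 0o644 << 16
            zf.writestr(info, source[name])
    return buf.getvalue()


def trojaned_toolchain_build(source):
    """Simulated compromised toolchain (constructed for this example): it
    builds reproducibly but silently injects a line into main.py, so the
    developer's source on disk is unchanged while the binary is not."""
    tampered = dict(source)
    tampered["main.py"] += b"import backdoor  # injected by the toolchain\n"
    return reproducible_build(tampered)


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def notary_verdict(published_digest, attestations, threshold):
    """attestations: {builder_name: digest of that builder's own output}.
    Returns (ok, agreeing_builders, disagreeing_builders)."""
    agreeing = sorted(b for b, d in attestations.items() if d == published_digest)
    disagreeing = sorted(b for b, d in attestations.items() if d != published_digest)
    return len(agreeing) >= threshold, agreeing, disagreeing


def check_release(published_binary, builder_outputs, threshold):
    """Verify a shipped binary against what independent builders produced."""
    attestations = {name: sha256(out) for name, out in builder_outputs.items()}
    return notary_verdict(sha256(published_binary), attestations, threshold)


if __name__ == "__main__":
    # Two honest builders, ordinary tooling, different days: no match.
    a = naive_build(SOURCE, (2015, 3, 10, 9, 0, 0))
    b = naive_build(SOURCE, (2015, 3, 11, 9, 0, 0))
    print("naive builds identical:", sha256(a) == sha256(b))

    # Three independent builders (constructed names) build the published
    # source with pinned inputs; their listing order no longer matters.
    builders = {
        "builder-A": reproducible_build(SOURCE),
        "builder-B": reproducible_build(dict(reversed(list(SOURCE.items())))),
        "builder-C": reproducible_build(SOURCE),
    }
    print("clean release:", check_release(reproducible_build(SOURCE), builders, 2))
    print("trojaned release:",
          check_release(trojaned_toolchain_build(SOURCE), builders, 2))
```

The real work in a reproducible-build effort is the middle function: finding and pinning every input that varies between machines (timestamps, file ordering, paths, locale, compiler version). Once that is done, the notary step is just digest comparison, and its value comes from the builders being genuinely independent of the developer's machine, which is exactly the machine the Xcode attack targets.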
