Apple, on Sunday, confirmed that modified versions of Xcode were being hosted on the cloud storage run by Baidu in China and had successfully infiltrated the App Store of the country. According to a report, about 40 infected apps had made it through to the App Store including big names like WeChat and ride-sharing service Didi Kuaidi.
Developers in China opt for such third party downloads of Xcode because Apple’s own servers can be very slow within the country whilst local sources can provide very high speeds.
Well, Apple says this should be stopped and it should be stopped now.
The Cupertino is now advising developers to avoid third party/local downloads of Xcode to prevent counterfeited versions of the tool. It’s now instructing developers to download Xcode directly from the Mac App Store or from its developer website. Another security advise is that developers should always leave Gatekeeper enabled on all of their systems to protect against tampered software.
The counterfeited version of Xcode required Gatekeeper to be turned off, so that’s quite understandable.
To verify if your copy of Xcode is legitimate or not, first of all you need to enable Gatekeeper. Then, type the following in the system terminal:
spctl —assess —verbose /Applications/Xcode.app
/Application/ should be replaced by your Xcode install directory. The tool might take a few minutes but you will get an output soon enough.
> source=Mac App Store
If you get any of the above return values, then your Xcode is legitimate (The first one if it has been downloaded from the Mac App Store and the second one in case you’ve got it from Apple’s developer website). If, by any means, you get anything other than “accepted,” or the source reads anything other than “Mac App Store,” “Apple System” or “Apple,” then the Application signature is not valid and you need to get rid of the application as soon as possible.
If you are, by any chance not running a legitimate copy of Xcode, Apple is advising you to download one as soon as you can from the Store or its developer website.