XcodeGhost Q&A (apple.com)
52 points by smaili on Sept 24, 2015 | 28 comments



Also see: https://sourcedna.com/blog/20150922/xcodeghost-lifecycle-in-...

(Nate analyzed a bazillion app store apps using his platform).


So basically it is the Ken Thompson Hack, the oldest and most devastating subversion of trust known to programmer-kind.

http://c2.com/cgi/wiki?TheKenThompsonHack


It's an almost philosophical argument, but it's a great point. As soon as a computer does anything that you can't physically, actually see, there's no way to prove that it went the way you thought it did.

This is why I think we can never have absolutely secure computerized voting. No matter how much security you think you have in the form of code audits, paper trails, open source code, at some point you're going to have to push a button and trust that the electrical signals inside that magic box of a computer are working the way you think they are.


But the same can be said for regular old voting. As soon as you drop your ballot in the ballot box, you give up all control over your ballot. Whoever ends up counting, moving, or recounting your ballot could change your vote, throw out your ballot, or any number of other things.


The ballot can be public with the voter's identity encrypted so he/she can verify/change/contest it (perhaps not from their home computer but you put a kiosk in post office or something).


I still can't quite figure out the ramifications for American App Store users. I used CamScanner, downloaded from the American App Store, which showed up on the list. So what does that mean for me? Anything? Is uninstalling and reinstalling all that needs to be done and there are no other repercussions? I'm just really not sure I understand the limits or impact. Was this just a Chinese App Store limited issue?


It's not limited to Chinese App Stores. It was likely limited to apps from Chinese developers. Nothing inherently limited it that way, but the way it was spread (through Chinese downloads of Xcode) means others were unlikely to ever be exposed. For affected developers, all apps they built before they ditched their bad copy of Xcode would be infected, on all app stores where the app is available.

However, the impact of the infection is pretty limited. It can throw up alerts, open URLs, and do a couple of other things, but nothing particularly bad. Part of this is because of iOS's strong sandboxing. There's only so much malware can do from within a third-party app. Part of this is because this particular bit of malware just doesn't have a lot of functionality in it.

The good news is that the infection isn't persistent. If there's an update to your app that's been built with a good copy of Xcode, you can install that update and you're fine. You don't even need to uninstall first. If there isn't then you definitely shouldn't use that app until an update is available. If you're paranoid you might uninstall it while you wait, but it probably can't do anything in the background.



Interesting that one of the most affected apps is a blatant copy of Angry Birds 2: Angry Bird 2 - Yifeng Li’s Favorite*. It looks like they're even using the actual icon.


Rovio worked with a Chinese firm and entertainer for marketing. It was quite successful:

http://mobile.reuters.com/article/technologyNews/idUSKCN0QO2...


Wow, that's really interesting then. Pretty neat strategy.


I wondered how this was propagated. So basically, if you download a hacked version of Xcode, it installs malware in anything you build and upload to the store.


From what I understand, access to official Apple websites from within China is very slow, so people host mirrors of Apple software (like Xcode) for developers within China to download.

One of these mirrors had an altered version of Xcode that Chinese developers were downloading. One of these developers noticed strange behavior with one of his apps. It was connecting to strange servers on the Internet when he hadn't written the code to do so. This led to the discovery of malware in some copies of Xcode floating around the Chinese portion of the Internet.

I imagine Apple will add some sort of tool verification step to help fix this issue. Another way to help prevent this problem would be to host an official mirror inside China, obviating the need to get Apple tools from unofficial sources.


Of course, it happens only with developers who turn Gatekeeper off. As frustrated as some people are with Gatekeeper, this is exactly the kind of thing that it is designed to protect against. I've never turned Gatekeeper off on my Macs (nor UAC off on Windows).
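The two comments above point at the same defensive step: before trusting a toolchain fetched from a mirror, check it against something the vendor published, and let Gatekeeper assess it rather than switching Gatekeeper off. The script below is an added example, not code from the thread or from Apple. It verifies a downloaded file against a vendor-published SHA-256 (the digest must come from the vendor's own site over HTTPS, never from the mirror that served the file) and, on macOS only, asks Gatekeeper to assess an app bundle with `spctl --assess`. The sample file, its "published" digest and the mismatching digest are constructed for the demo; the function names are this example's own.

```shell
#!/bin/sh
# Added example: integrity check for a downloaded toolchain before installing it.
# Not part of the thread; function names and the demo inputs are constructed here.

# Pick a SHA-256 tool: coreutils sha256sum on Linux, shasum on macOS.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_download FILE EXPECTED_SHA256
# Returns 0 when the digest matches the vendor-published value,
# 1 on mismatch (do not install), 2 when FILE cannot be read.
verify_download() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -r "$file" ] || { echo "unreadable: $file" >&2; return 2; }
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK   $file"
        return 0
    fi
    echo "FAIL $file (got $actual, expected $expected)" >&2
    return 1
}

# assess_with_gatekeeper APP_BUNDLE (macOS only)
# Asks the system policy whether it would allow the bundle to run, which is the
# check a user bypasses by disabling Gatekeeper. Returns 3 where spctl is absent.
assess_with_gatekeeper() {
    command -v spctl >/dev/null 2>&1 || return 3
    spctl --assess --type execute "$1"
}

# Constructed demo input standing in for a downloaded archive.
demo_file=$(mktemp)
printf '%s' 'hello' > "$demo_file"
# "Published" digest of the genuine file: SHA-256 of the bytes "hello".
GOOD_SHA='2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824'
# A digest that does not match, standing in for a tampered mirror copy.
BAD_SHA='0000000000000000000000000000000000000000000000000000000000000000'

verify_download "$demo_file" "$GOOD_SHA"
verify_download "$demo_file" "$BAD_SHA" || echo "refusing to install"
```

On a Mac the second function can be pointed at the unpacked bundle (for example `assess_with_gatekeeper /Applications/Xcode.app`); a rejected assessment is the signal the developers in this story would have seen had Gatekeeper been left on. Note that `codesign --verify --deep --strict` on the bundle is a complementary check of the signature itself, whereas `spctl` answers the policy question.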


I think this illustrates the balance you have to strike to have an effective security system. If you make it too annoying for legitimate use, you'll get people to disable it so that it no longer protects them.

I don't know what the best answer is, but Gatekeeper could stand to be a little less obstructive when the user legitimately trusts something that the system doesn't know about.

Apple's answer will, sadly, probably be to make it impossible to disable.


Shameless plug for my blog post on how the UX of Gatekeeper should be improved https://rsy96.github.io/blogs/2015/09/20/gatekeeper-should-b...


Right click -> open. If you open an app this way, the gatekeeper dialog box will allow you to launch the app if you want (but the warning will still be shown). Once you open the app for the first time, you won't be prompted again.


I wonder who would be so interested in compromising Chinese communications. https://theintercept.com/document/2015/03/10/strawhorse-atta...


If I understand your question correctly I think the Apple FAQ page says how it propagated. Basically there were services offering faster downloads of Xcode (presumably locally) in China. My guess is that the apple downloads were crawling to a halt and someone offered up an alternative.

The page also says Apple is working on making it faster for them.


Connections from China to places outside of China generally suck, regardless of load. I don't know if it's the Great Firewall getting in the way, or just underprovisioned links, or what, but you can have a super-fast connection for stuff locally, and then try to hit something outside the country and you're seeing something like 500kbps speeds and 600ms latency. If you're lucky.

Apple has said that they will now cache downloads inside China to mitigate this.



So Apple users are supposed to be safe because Apple uses just static analysis tools to review the apps before publishing?


I don't think security is that simple; it's not a yes/no binary. There are many directions of attack, and no single mechanism could ever stop them all. In particular, static analysis tools don't catch much in the way of security. Apple doesn't even see source code, so they can't even verify that code was compiled from an Apple-approved compiler.

The biggest safety precaution against something like this is app sandboxing, which severely limits the amount of damage that a malicious developer can do.


Apple doesn't even really try to do this sort of analysis. They do a quick pass to check for private API usage and such, but otherwise app review is all about checking presentation and functionality to make sure you comply with Apple's rules, e.g. making sure you aren't exposing fully-functional web access in a child-rated app, or mentioning the word "Android" anywhere.

This is a common misunderstanding, and it seems to be one that Apple is happy to spread. Whenever the merits of app review are discussed, some people bring up the security advantages of it. But the fact is, there are none, as XcodeGhost demonstrates nicely. iOS's security is due entirely to the strict sandboxing for third-party apps. App review just lets Apple control what kind of content can be in the store.


The "malware" can do two things: send tracking information to a server, and show popups (which may be spoofed as login dialogs). Both of these are entirely possible to be intended by the app authors, and in that case, it would be considered a feature. So it is almost impossible for anyone other than the app authors to find out it has been infected.


I can't imagine Apple doing a Q&A like this 3 years ago.



Thanks! Updated.



