Skip to main content

Apple to offer local Xcode downloads in China as scale & scope of XcodeGhost issue becomes clearer


Apple is to make Xcode available for local download from servers based in China as part of its response to the XcodeGhost malware issue. The announcement was made on the Chinese social media site Sina by Phil Schiller, Apple’s senior VP of worldwide marketing (via CNET). It’s believed that many Chinese developers inadvertently downloaded the fake version because the official download was taking too long.

“In the US it only needs 25 minutes to download,” Schiller told Sina, admitting that in China getting Xcode “may take three times as long.” He told the Chinese publication that, to quell this problem, Apple would be providing an official source for developers in the People’s Republic to download Xcode domestically.

Analysis of infected apps by security researchers appears to be revealing a mix of good and bad news … 

The first good news is that there has been no suggestion that infected apps have been uploaded to any of Apple’s App Stores other than the one serving Greater China. This means that only those who downloaded apps in mainland China, Taiwan, Hong Kong or Macau are at risk.

Second, Phil Schiller’s statement that Apple has no evidence of infected apps getting access to user information has been backed by security researchers who have been analyzing the capabilities of infected apps. Analysis by Appthority (via ArsTechnica) revealed that the code has no ability to display login prompts or request text from users, meaning that it could not fool users into entering iCloud or other login credentials. The apps have the following capabilities, it said:

  1. Send requests to the server (using a fixed timer interval between requests)
  2. The request contains all kinds of device identifiers (like a typical tracking framework)
  3. The response can trigger different actions:
    • Shows an AppStore item within the app by using a SKStoreProductViewControllerDelegate
    • Showing an UIAlertView and show the AppStore view depending on which button was tapped
    • Open an URL
    • Sleeping for a given time

In other words, it could push users to particular websites, but could not emulate an iOS alert or login request. Those websites could, of course, imitate those of Apple or other companies and present login prompts there.

The bad news is that the number of infected apps appears to be much higher than the number so far acknowledged by Apple. While Schiller says Apple will shortly release a list of 25 infected apps, security researchers have posted various estimates in the hundreds to thousands. It was reported yesterday that many compromised apps still remain in the App Store.

There seems agreement that the earliest infected apps have been in China’s App Store since April. Apple has issued advice to developers worldwide on validating their copy of Xcode, including a command line tool to verify the authenticity of the app.

FTC: We use income earning auto affiliate links. More.

You’re reading 9to5Mac — experts who break news about Apple and its surrounding ecosystem, day after day. Be sure to check out our homepage for all the latest news, and follow 9to5Mac on Twitter, Facebook, and LinkedIn to stay in the loop. Don’t know where to start? Check out our exclusive stories, reviews, how-tos, and subscribe to our YouTube channel


  1. nerdafk - 7 years ago

    Phil, it’s not just 3 times as long.

    • Scott (@ScooterComputer) - 7 years ago

      And, to make it worse, if the download is interrupted, it doesn’t always RESUME! So you have to start ALL over again. And I know that from being here in the US with a crappy connection.

      Apple needs to be using BitTorrent technology, full stop. Anything short of that is simply PR. BitTorrent allows for localized data exchange, so folks in China would actually be seeding to one another. It would be best for Apple to integrate it into the Mac App Store such that they’d be BitTorrenting an encrypted blob of installer data that the would ingest, decrypt, and then install…rather than a DMG file, as that’s what got them into this mess to begin with.

      Microsoft has the right idea, they’re doing it with Windows 10. Apple seriously needs to cure itself of the Not Invented Here Syndrome…AGAIN.

      • First of all, the initial issue was the fact that China limits bandwidth speeds from sources outside its borders. Developers who were too impatient to wait for the download from Apple’s servers in the U.S., decided to download from an unauthorized, local server. It doesn’t matter how it was originally distributed; bittorrent or not.

        “It would be best for Apple to integrate it into the Mac App Store such that they’d be BitTorrenting an encrypted blob of installer data that the would ingest, decrypt, and then install”

        Second… A lot of people, especially developers, don’t use the Mac App Store to download software. Most go directly to Apple’s Developer Site and download it.

        “Apple seriously needs to cure itself of the Not Invented Here Syndrome”

        It’s funny you say that and at the same time think Apple should tie downloads and installs through a proprietary method.

      • chickenandporn - 7 years ago

        Hi Scott; I made the argument for P2P distribution a few years ago, but trying to draw attention to an FB group to “vote” hasn’t gotten much traction (ie much above zero).

        Search on FB for “Apple Should Use P2P” — you should find /groups/99389527446/ … I’d post a URL, but I go straight to “awaiting moderation”. I’ve also posted to 9to5’s FB page.

  2. Snail mail would be faster: Give them your address and they send you a free DVD with the code.


Avatar for Ben Lovejoy Ben Lovejoy

Ben Lovejoy is a British technology writer and EU Editor for 9to5Mac. He’s known for his op-eds and diary pieces, exploring his experience of Apple products over time, for a more rounded review. He also writes fiction, with two technothriller novels, a couple of SF shorts and a rom-com!

Ben Lovejoy's favorite gear