Event
The incident was set off on September 18, when a cloud-network security team published an analysis report titled "Xcode Compiler Ghost – XcodeGhost Sample Analysis". This purely technical report drew the attention of many developers in the Chinese iOS ecosystem. People then turned to screening the App Store, and the result was shocking: at least dozens of popular applications were infected, including NetEase Cloud Music, NetEase Open Course, I Am MT, Tonghuashun, Bank of Nanjing, China Southern Airlines, CITIC Bank Mobile Card Space, CamCard, Angry Birds 2 and other well-known apps, with infected users estimated at more than 100 million.
Specifically, these apps were built with a copy of the Xcode development environment obtained from a non-Apple, third-party download platform such as a network drive, and that copy had been tampered with. When this Xcode compiles an application's source into an executable app, the malicious module is added to the app automatically. Users who download and install such an app from the App Store have their phone infected, and the malware secretly uploads the bundle identifier, application name, system version, language, country and other information to the author's server. Fortunately, the incident caused no significant public damage, and the malware was not used to steal sensitive information such as private data or account passwords. Technically, however, that was only "mercy" on the part of the author: had the malicious code been more aggressive, he would have had more than 100 million "broilers" (Chinese slang for compromised devices under an attacker's control).
This event prompts us to recognize how important it is to verify the source of software obtained online, using cryptographic mechanisms such as digital signatures or hashes (also called hash values or digests).
Hash value
Hash functions (also called hashing algorithms) are methods of creating a small digital "fingerprint" from data of any length. Hashing scrambles and mixes the data through a calculation whose result is called the hash value. A hash value looks like a short string of seemingly random letters and digits. A hash function used for verification purposes is a "one-way" operation: for a given hash value there is no practical way to compute an input that produces it, which makes it difficult to forge. Widely used hash functions of this kind include MD5, SHA-1, SHA-256 and so on. Many software projects publish hash values on the download page of their official website. After the download completes, use a hash tool to compute the hash value of the downloaded file and compare it with the value published on the official website (Figure 1) to confirm that the downloaded software is exactly what the website published.
Figure 1 The installation disc image hash values given on the Ubuntu website
Tools and methods for computing hash values
Although common hashing algorithms such as MD5 and SHA-1 are widely used within Windows, the system does not ship with a program or command to calculate MD5. There is plenty of hash-computing software available for download online; search for it and choose one with a good reputation. The SHA-1 hash value can also be calculated with the OpenSSL command as follows.
Figure 2 Calculating a hash value with the OpenSSL command
Linux has the built-in commands md5sum and sha1sum. Run md5sum <filename> or sha1sum <filename> in the terminal to get the corresponding hash value.
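As an added example (not from the original article) of the md5sum/sha1sum/OpenSSL check just described, this POSIX shell script computes a file's hash with the coreutils *sum tool when present and with the OpenSSL command otherwise, then compares it case-insensitively against the value copied from the vendor's download page; the function names compute_hash and verify_download are assumptions.

```shell
#!/bin/sh
# Added example (not from the original article): verify a downloaded file
# against the hash published on the vendor's website. Uses md5sum/sha1sum/
# sha256sum where available and falls back to the OpenSSL command shown
# in the article. Function names are hypothetical.

# compute_hash ALGO FILE -> prints the lowercase hex digest
# ALGO is md5, sha1 or sha256 (valid for both "<algo>sum" and "openssl dgst")
compute_hash() {
    algo="$1"; file="$2"
    if command -v "${algo}sum" >/dev/null 2>&1; then
        "${algo}sum" "$file" | awk '{print $1}'
    else
        # openssl prints "SHA256(file)= <hex>", so take the last field
        openssl dgst -"$algo" "$file" | awk '{print $NF}'
    fi
}

# verify_download ALGO FILE EXPECTED -> 0 if the digest matches, 1 otherwise
# Usage: verify_download sha256 ubuntu.iso <hash copied from the website>
verify_download() {
    algo="$1"; file="$2"; expected="$3"
    actual=$(compute_hash "$algo" "$file")
    # normalise case so a hash copied from a web page compares correctly
    expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f')
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file matches the published $algo hash"
        return 0
    else
        echo "MISMATCH: $file does not match the published $algo hash"
        echo "  expected $expected"
        echo "  got      $actual"
        return 1
    fi
}
```

Prefer sha256 over md5 and sha1 when the vendor offers it: collisions for MD5 and SHA-1 are practical today, so a matching MD5 or SHA-1 value is weaker evidence than a matching SHA-256 value.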
Digital signatures
A digital signature is data appended to a data unit, or a cryptographic transformation of a data unit, that allows the receiver to confirm the source and integrity of the data unit and protects it against forgery (for example by the recipient).
Digital signature technology is a typical application of asymmetric encryption algorithms. In the signing process, the sender of the data uses its own private key to encrypt the data's checksum, or another value derived from the data's content, which completes the legal "signature" of the data; the receiver uses the sender's public key to decode the received "digital signature" and uses the decoded result to check the data's integrity and confirm the validity of the signature.
Verification of digital signatures
In a Windows environment, digitally signed software makes it easy to verify its source and integrity. In the file's Properties dialog, on the Digital Signatures tab, click Details to verify the software's digital signature. The figure below shows the result of verifying the digital signature of Android-studio-bundle-135.1740770-windows.exe downloaded from a network drive.
Figure 3 A valid software digital signature
If the software has been tampered with, or the certificate has been tampered with, signature validation will report an invalid state. After the Adobe Reader installation package was manually modified with a hex editor, the digital signature was detected as invalid.
Figure 4 Invalid digital signature demo
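As an added example (not from the original article) of the sign-then-verify process from the Digital signatures section and the tamper demonstration above, this POSIX shell script uses the OpenSSL command line to generate an RSA key pair, sign a constructed file's SHA-256 digest, verify it, then overwrite one byte and show that verification fails; the function names and file names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original article): the sign/verify cycle
# described above, done with the OpenSSL command line. The private key signs
# the SHA-256 digest of a file; anyone holding the public key can verify it,
# and a single-byte change (as with the hex editor in the article) makes
# verification fail. File and function names are constructed for this demo.

# make_keypair DIR -> writes DIR/priv.pem and DIR/pub.pem
make_keypair() {
    dir="$1"
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/priv.pem" 2>/dev/null
    openssl pkey -in "$dir/priv.pem" -pubout -out "$dir/pub.pem"
}

# sign_file PRIVKEY FILE SIG -> signs the SHA-256 digest of FILE into SIG
sign_file() {
    openssl dgst -sha256 -sign "$1" -out "$3" "$2"
}

# verify_file PUBKEY FILE SIG -> 0 if the signature is valid, 1 otherwise
verify_file() {
    openssl dgst -sha256 -verify "$1" -signature "$3" "$2" >/dev/null 2>&1
}

# tamper_byte FILE -> overwrites the first byte in place, like a hex editor
tamper_byte() {
    printf 'X' | dd of="$1" bs=1 count=1 conv=notrunc 2>/dev/null
}

# demo DIR -> 0 when the clean file verifies and the tampered one does not
demo() {
    dir="$1"
    make_keypair "$dir"
    printf 'installer payload (constructed sample)\n' > "$dir/setup.bin"
    sign_file "$dir/priv.pem" "$dir/setup.bin" "$dir/setup.sig"
    verify_file "$dir/pub.pem" "$dir/setup.bin" "$dir/setup.sig" || return 1
    tamper_byte "$dir/setup.bin"
    if verify_file "$dir/pub.pem" "$dir/setup.bin" "$dir/setup.sig"; then
        return 1    # still valid after tampering: the check is broken
    fi
    return 0
}
```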
Summary
The existence of the Great Firewall, and the resulting poor accessibility and speed of overseas official websites, is a reality that is hard to get around. Inside the wall, obtaining Android Studio, Xcode and other development tools through third-party download platforms will remain the first choice for many people. The XcodeGhost incident reminds us that after downloading any software installation package from a third-party channel, we must not skip verifying its digital signature, or its hash value against the official website's version; anything that cannot be verified must be firmly rejected. Second, this incident is also related to pirated "black Apple" (Hackintosh) systems: "free download" pirated software is never free!
The importance of software source identification from the perspective of XcodeGhost events