Researchers working with the Central Intelligence Agency have
conducted a multi-year, sustained effort to break the security of
Apple’s iPhones and iPads, according to top-secret documents
obtained by The Intercept. […]
The security researchers also claimed they had created a modified
version of Apple’s proprietary software development tool, Xcode,
which could sneak surveillance backdoors into any apps or programs
created using the tool. Xcode, which is distributed by Apple to
hundreds of thousands of developers, is used to create apps that
are sold through Apple’s App Store.
The modified version of Xcode, the researchers claimed, could
enable spies to steal passwords and grab messages on infected
devices. Researchers also claimed the modified Xcode could “force
all iOS applications to send embedded data to a listening post.”
It remains unclear how intelligence agencies would get developers
to use the poisoned version of Xcode.
Researchers also claimed they had successfully modified the OS X
updater, a program used to deliver updates to laptop and desktop
computers, to install a “keylogger.”
To be clear, there is no indication in this report that this hacked version of Xcode has been used in the wild. To be useful, they’d somehow have to get developers to use their modified Xcode toolset instead of Apple’s, or, to somehow infect Apple’s Xcode code base with their modifications. (Imagine a CIA or NSA agent, a trained computer scientist, who joins Apple’s Xcode compiler team under false pretenses.)
But it strikes me as outrageous that a U.S. spy agency is actively working against U.S. companies like Apple and Microsoft. You expect something like this from China or Russia. Not from our own government.