Checking for Poisoned Projects, Again
A bit less than two months ago, I wrote “Checking for Poisoned Projects”.
This outlined how malware was embedded in a Visual Studio project — not in
the app the project would build, but in the project itself. Designed to infect
security researchers, this malware was distributed as a Windows DLL that would
be executed through “build events” on the researchers’ machines.
Today, we find out that iOS developers were attacked in a similar fashion.
Apparently, Xcode offers “run scripts” that run as part of the build process.
In this case, the run script downloaded spyware and installed it on the developers’
It is merely a matter of time before we find out that Android developers are being
Please be very very careful when working with projects that you get from the
Internet, including from popular sources like GitHub. In
“Checking for Poisoned Projects”,
I point out some of the standard developer security advice regarding using
somebody else’s project that I have been giving for years. Basically, be very
careful about the Gradle wrapper, as that is an easy way for an attacker
to get malware onto your development machine. There are other attack avenues as well,
such as Gradle plugins, compiler plugins, and annotation processors, that we need
to worry about.
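One defensive check for the Gradle wrapper risk described above, added here as an example (not code from the original post): a POSIX shell audit of a freshly cloned project's wrapper files that fails if the distribution is not pulled from Gradle's own host, if no distribution checksum is pinned, or if the committed `gradle-wrapper.jar` does not match the expected hash. It assumes the standard `gradle/wrapper/` layout and that the expected jar hash is obtained separately from the `gradle-<version>-wrapper.jar.sha256` file Gradle publishes on services.gradle.org.

```shell
#!/bin/sh
# Added example: audit a Gradle wrapper checked into a project before running it.
# Assumes the standard layout gradle/wrapper/gradle-wrapper.properties and
# gradle/wrapper/gradle-wrapper.jar under the project root.

# sha256 of a file, portable across sha256sum (Linux) and shasum (macOS).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# Read one key from a Java .properties file, undoing the "\:" escaping Gradle writes.
prop() {
  grep "^$2=" "$1" | head -n1 | cut -d= -f2- | sed 's/\\:/:/g'
}

# Returns 0 if the wrapper passes every check, 1 otherwise; prints each failure.
# $1 = project root, $2 = expected sha256 of gradle-wrapper.jar for the pinned
# version (taken from Gradle's published gradle-<ver>-wrapper.jar.sha256 file).
audit_wrapper() {
  root="$1"; expected_jar_sha="$2"; rc=0
  props="$root/gradle/wrapper/gradle-wrapper.properties"
  jar="$root/gradle/wrapper/gradle-wrapper.jar"

  url=$(prop "$props" distributionUrl)
  # Check 1: the distribution must come from Gradle's own host over HTTPS.
  case "$url" in
    https://services.gradle.org/distributions/*) ;;
    *) echo "FAIL distributionUrl is not an official Gradle distribution: $url"; rc=1 ;;
  esac

  # Check 2: a pinned checksum makes Gradle verify the distribution it downloads.
  [ -n "$(prop "$props" distributionSha256Sum)" ] \
    || { echo "FAIL distributionSha256Sum is not set"; rc=1; }

  # Check 3: the committed wrapper jar must match the published hash; the jar is
  # code that runs on your machine before any build script is even parsed.
  actual=$(sha256_of "$jar")
  [ "$actual" = "$expected_jar_sha" ] \
    || { echo "FAIL gradle-wrapper.jar sha256 $actual != expected $expected_jar_sha"; rc=1; }

  return $rc
}
```

For CI, Gradle's own `wrapper-validation-action` on GitHub performs the jar-hash comparison against every published wrapper checksum, so the manual lookup of the expected hash is only needed when auditing locally.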
It would be lovely if somehow Android app development was immune to this sort of
problem. That is very unrealistic. Someday, I fear that we will get a better picture
of exactly how unrealistic it is.