One year ago I downloaded my Xcode from a third-party source and I'm afraid that my app has been affected by XcodeGhost. Can somebody tell me how to check it?
You can check whether your copy of Xcode contains malicious software by verifying its code signature:
codesign -vv /Applications/Xcode.app
The code signature will fail verification if Xcode has been tampered with and it will list the files that are suspect.
More information here
XcodeGhost adds an extra CoreServices.framework at:
Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/Library/Frameworks/
to an infected Xcode.
Don't worry, XcodeGhost was written early this year. If you downloaded Xcode one year ago, your Xcode is totally fine.
For more information, you can check on XcodeGhost
To be safe, you can guard against XcodeGhost anyway with a little script in your project. The first version of XcodeGhost is easy to detect:
You need a file with possible XcodeGhost links
You need a script to search for these links in your whole project (with grep)
To read more about XcodeGhost v1, just look at:
https://possiblemobile.com/2015/11/a-lesson-in-xcode-ghost-third-party-frameworks
For v2 of XcodeGhost, it's not as easy as v1, because the links will be generated at a later point in the build of the app; therefore the only way to detect this is to check your app's network activity (e.g. with Wireshark), looking for everything which is not a usual communication of your app. This also gives you the possibility to see which frameworks communicate with the internet.
For the newest version 2 of XcodeGhost, you can read a little bit more here:
http://prog3.com/article/2015-11-11/2826185-a-lesson-in-xcode-ghost-third-party-frameworks
Also important if you really want to protect your app/project: do every test on a real device (even analyzing the network connection; to do that, just give your device a network connection through your MacBook (mobile hotspot), which lets you inspect the device's network connection explicitly), because some hackers also add test scripts to 3rd-party frameworks to detect whether the code is running on a simulator or a device.
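The v1 checks from the answers above, combined into one script as an added example (not code from any of the posters). The function names, the indicator-file format and the `ghost-c2.example.invalid` string are assumptions made for illustration; the framework path is the one quoted above, and a real indicator list has to come from a source you trust.

```shell
#!/bin/sh
# Added example (not from the original answers).
# Path quoted in the answer above, relative to the Xcode.app bundle root.
GHOST_FW="Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/Library/Frameworks/CoreServices.framework"

# Succeeds if the extra CoreServices.framework is present in the given Xcode.app.
has_extra_coreservices() {
    [ -d "$1/$GHOST_FW" ]
}

# List files under project dir $2 that contain any literal string from
# indicators file $1 (one per line; blank lines and '#' comments are skipped).
# Returns 0 on a hit, 1 when clean, 2 on error or when no indicators were loaded.
scan_project() {
    patterns=$(mktemp) || return 2
    # A blank line passed to grep -F matches every line, so filter them out.
    grep -v -e '^[[:space:]]*$' -e '^#' "$1" > "$patterns" || true
    status=2
    if [ -s "$patterns" ]; then
        status=0
        # -r recurse, -l names only, -F literal strings, -f patterns from file.
        # Binary files (static libraries, frameworks) are searched too.
        grep -rlFf "$patterns" "$2" || status=$?
    fi
    rm -f "$patterns"
    return "$status"
}

# Build a constructed sample tree (placeholder indicator, fake bundles) in $1.
make_sample() {
    mkdir -p "$1/Xcode.app/$GHOST_FW" "$1/CleanXcode.app/Contents" \
             "$1/project/Pods" "$1/clean"
    printf '# constructed placeholder, not a real indicator\n\nghost-c2.example.invalid\n' \
        > "$1/indicators.txt"
    printf 'NSString *u = @"http://ghost-c2.example.invalid/x";\n' \
        > "$1/project/Pods/Vendor.m"
    printf 'int main(void) { return 0; }\n' > "$1/clean/main.c"
}

# Real use on macOS: sh check.sh /Applications/Xcode.app indicators.txt ./MyProject
if [ "$#" -eq 3 ]; then
    codesign -vv "$1" || echo "WARNING: code signature did not verify: $1"
    if has_extra_coreservices "$1"; then echo "WARNING: extra CoreServices.framework"; fi
    if scan_project "$2" "$3"; then echo "WARNING: indicator strings in files above"; fi
fi
```

As the answer notes, a string search like this only covers v1; it finds nothing when the links are generated later in the build.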
I have a MacOS app and want to distribute to beta users as DMG file outside AppStore.
I have read some articles about how to notarize an app and followed the steps to successfully notarize the DMG file without any problem.
My development machine runs on MacOS 10.14, and XCode version is 10.1.
However, when I try to check the notarized DMG file on another testing machine which runs on MacOS 10.14.5 (by sending the file via AirDrop, or downloading it from my website), I still see the popup from Gatekeeper with the message "'myApp.dmg' can’t be opened because Apple cannot check it for malicious software." on that machine.
It seems Gatekeeper does not work properly when checking a notarized DMG file. Is anybody having the same problem, and how can I fix it?
Short answer
It could be due to an RPATH referencing a path outside the App bundle. Removing this RPATH would resolve the issue.
Inspecting log files
You can find extra information about the rejection (after trying to launch the blocked app) in the Console.app. Note that you should open the Console.app, before trying to open your blocked app, otherwise not all messages may be logged. You should look for process XprotectService in the logs of your device (i.e. choose your device in the left side bar of the Console.app). If the RPATH is indeed the problem, you should find a record like this:
XprotectService: [com.apple.xprotect:xprotect] File /path/to/your/executable/or/library failed on rPathCmd /rpath/causing/the/problem (rpath resolved to: (path not found), bundleURL: /path/to/your/bundle.app)
Inspecting these log files may give you a key to solve other issues too.
Note that I received the following information from an Apple engineer:
Gatekeeper does not inform users via UI about the specifics of the
error, though it is in the logs for developers to look at. The
notarization process is purely about detecting malicious software
and does not replicate Gatekeeper enforcement. You still need to get
software notarized and test with Gatekeeper.
We are looking to provide better tooling for developers in the future
to pre-flight some of these common errors.
Contact Apple
If you are not able to solve your issue with the above information, you may want to contact Apple itself using the Feedback Assistant. They do not respond very quickly (~1-2 weeks), but the answers are rather to the point.
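A pre-flight check for the RPATH problem described in this answer, as an added example (not from the answer or from Apple): it reads `otool -l` output and prints every `LC_RPATH` entry that is an absolute path outside the bundle. The function names and the sample output are constructed; entries starting with `@executable_path`, `@loader_path` or `@rpath` are assumed to be bundle-relative and are not resolved.

```shell
#!/bin/sh
# Added example (not from the original answer).

# Read `otool -l` output on stdin and print each LC_RPATH path that is
# absolute and not inside bundle directory $1.
# Returns 0 if at least one such path was printed, 1 otherwise.
outside_rpaths() {
    awk -v bundle="${1%/}/" '
        $1 == "cmd" { in_rpath = ($2 == "LC_RPATH") }
        in_rpath && $1 == "path" {
            p = $0
            sub(/^[ \t]*path[ \t]+/, "", p)         # drop the "path" key
            sub(/[ \t]+\(offset [0-9]+\)$/, "", p)  # drop the "(offset N)" trailer
            # Relative (@...) entries are skipped; absolute ones must sit in the bundle.
            if (substr(p, 1, 1) == "/" && index(p, bundle) != 1) { print p; found = 1 }
            in_rpath = 0
        }
        END { exit (found ? 0 : 1) }
    '
}

# Constructed sample of `otool -l` output (paths are made up for illustration).
sample_otool_output() {
    cat <<'EOF'
Load command 12
          cmd LC_LOAD_DYLIB
      cmdsize 56
         name /usr/lib/libSystem.B.dylib (offset 24)
Load command 13
          cmd LC_RPATH
      cmdsize 48
         path @executable_path/../Frameworks (offset 12)
Load command 14
          cmd LC_RPATH
      cmdsize 64
         path /Applications/My App.app/Contents/Frameworks (offset 12)
Load command 15
          cmd LC_RPATH
      cmdsize 40
         path /usr/local/opt/libfoo/lib (offset 12)
EOF
}

# Real use on macOS: sh rpath_check.sh /path/to/My.app /path/to/My.app/Contents/MacOS/My
if [ "$#" -eq 2 ]; then
    if otool -l "$2" | outside_rpaths "$1"; then
        echo "WARNING: the RPATH entries above point outside $1"
    fi
fi
```

Run it against every executable and library in the bundle, since the XprotectService log entry names the individual file that failed.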
Where does OSX Server store integration bots? Or is it my local Xcode who stores them? Server screwed my setup again, but this time I'm no longer able to see my bots.
Just want to express my deep frustration with Xcode CI:
OSX Server (or whatever it's called) is a one-of-a-kind piece of software, giving me incredible headaches lately with its lagginess, bugginess and poor performance. I think over the past week I experienced all possible errors Server has to offer:
"internal error updating bot" (please try again later);
"error reading service configuration" (or similar wording) - requires Xcode reset; continues to occur randomly again and again for no reason;
"Xcode version is not supported" - only a reboot seems to convince the server to use an Xcode which was already used previously;
Random integration failures because "device is not connected", given that I test a desktop application for OSX...
Finally, after yet another episode of screwing up my setup, I can no longer see my bots on the server - they vanished. Well done, Server.
The bots and integrations are stored on the server.
The directory should look something like /Users/<xcode_server_tester_user_name>/Library/Caches/XCSBuilder/Bots
(OSX-Server 5.3 (16S4123), XCode 8.3.2 (8E2002))
I hate to say this but I found restarting the machine is a good way to resolve frustration No. 1 and 2.
device is not connected error often happens right after OS, OSX-Server or XCode is upgraded.
Usually reselecting devices from the XCode UI works for me.
Although sometimes it may require repeating multiple times and waiting for a long time for the device list to load.
On your OSX Server machine, deleting the simulator and re-adding it via Xcode->Devices sometimes helps too.
Another way is to delete all simulators from the linked Xcode on OSX Server machine and only keep the ones you want to test your project on. Config the bot to use All iOS Devices and Simulators.
Even though Xcode Server now runs as a specific user, the configuration files are kept in /Library/Developer/XcodeServer. You can also hit the Xcode Server API to get information about your bots.
In a Couchbase db.
I don't know how to access the contents though.
Enter this in Safari on your server
http://localhost:10355/_utils/
After developing my first Mac app I decided to submit it to the Mac App Store, but it got rejected. Basically my app uses NSOpenPanel for reading an Xcode project file and NSSavePanel for saving a file after it finishes its work.
Reviewer pointed out that app is violating 2.30 rule - Apps that do not comply with the Mac OS X File System documentation will be rejected, but I'm unclear why.
When you look at app's workspace you can see it uses CocoaPods for handling dependencies which shouldn't be a problem. Next it has JBLocalizer.framework which is being linked as an embedded library to JBLocalizerApp. JBLocalizerApp is final target sent to the review.
Here is what reviewer pointed out as a problem:
2.30
The application accesses the following location(s):
'/Users/josipbernat/Library/Developer/Xcode/DerivedData/Build/Intermediates/ArchiveIntermediates/JBLocalizerApp/IntermediateBuildFilesPath/JBLocalizer.build/Release/JBLocalizer.build/Objects-normal/x86_64/JBString.gcda'
'/Users/josipbernat/Library/Developer/Xcode/DerivedData/Build/Intermediates/ArchiveIntermediates/JBLocalizerApp/IntermediateBuildFilesPath/JBLocalizer.build/Release/JBLocalizer.build/Objects-normal/x86_64/JBPostProcessStringsOperation.gcda'
'/Users/josipbernat/Library/Developer/Xcode/DerivedData/Build/Intermediates/ArchiveIntermediates/JBLocalizerApp/IntermediateBuildFilesPath/JBLocalizer.build/Release/JBLocalizer.build/Objects-normal/x86_64/JBOperation.gcda'
'/Users/josipbernat/Library/Developer/Xcode/DerivedData/Build/Intermediates/ArchiveIntermediates/JBLocalizerApp/IntermediateBuildFilesPath/JBLocalizer.build/Release/JBLocalizer.build/Objects-normal/x86_64/JBLoadStringsInFileOperation.gcda'
'/Users/josipbernat/Library/Developer/Xcode/DerivedData/Build/Intermediates/ArchiveIntermediates/JBLocalizerApp/IntermediateBuildFilesPath/JBLocalizer.build/Release/JBLocalizer.build/Objects-normal/x86_64/JBLoadSourceFilesOperation.gcda'
'/Users/josipbernat/Library/Developer/Xcode/DerivedData/Build/Intermediates/ArchiveIntermediates/JBLocalizerApp/IntermediateBuildFilesPath/JBLocalizer.build/Release/JBLocalizer.build/Objects-normal/x86_64/JBLoadRootFilesOperation.gcda'
'/Users/josipbernat/Library/Developer/Xcode/DerivedData/Build/Intermediates/ArchiveIntermediates/JBLocalizerApp/IntermediateBuildFilesPath/JBLocalizer.build/Release/JBLocalizer.build/Objects-normal/x86_64/JBFileController.gcda'
'/Users/josipbernat/Library/Developer/Xcode/DerivedData/Build/Intermediates/ArchiveIntermediates/JBLocalizerApp/IntermediateBuildFilesPath/JBLocalizer.build/Release/JBLocalizer.build/Objects-normal/x86_64/JBFile.gcda'
The majority of developers encountering this issue are opening files
in Read/Write mode instead of Read-Only mode, in which case it should
be changed to Read-Only.
Other common reasons for this issue include:
creating or writing files in the above location(s), which are not valid locations for files to be written as stated in documentation
writing to the above location(s) without using a valid app-id as a container for the written files
Please review the "File-System Usage Requirements for the App Store"
of Submitting to the Mac App Store for the locations apps are allowed
to write and for further guidance.
I'm really not sure how can my app violate access to the library which is being linked to. Any suggestions?
You've got Code Coverage turned on in your project settings.
See QA1514 on how it's turned on, which should help you turn it off.
I am not sure if I can remote debug an application running on an iPhone which is not next to me. We test our app well, but some users sometimes have issues we cannot replicate, and we don't know where to start digging in these cases. So it would be very easy for us if we could just connect the remote debugger via the internet to a device. Is it possible somehow?
With most of the guys using the app we could remote into their PCs (but the majority don't use Macs...) and run tools there; is this maybe an easier solution?
For Mac Os I found this http://developer.apple.com/library/mac/#documentation/DeveloperTools/Conceptual/XcodeDebugging/300-Debugging_Programs_Remotely/remote_debugging.html
But this is not for iOS...
Thx very very much already
Our company just released a service exactly for that purpose: http://apphance.com . It allows you to very easily (5 minutes) integrate your application - add framework project basically and you get all the remote debugging capability included (you can access everything from very nice web panel):
You can see logs of running application (in near-real-time)
You can see how device conditions change over time (rotation, wifi/gprs, battery, others)
You get crashes reported to you automatically with all relevant information
Even out-of-memory errors are reported
Your testers can even report problems by shaking the device - including automated screenshots
and more.....
It's currently in closed beta stage, but you can request access and you will surely get it.
All you need to do is get the crash log (you can get this at any time through the Xcode Organizer, or iTunes Connect for released applications), symbolicate it and ask the tester what they did to cause the error. This will give you every piece of info you could have gotten from GDB.
Check out https://testflightapp.com/sdk/, you can get crash reports, remote logs, see how the testing is going and much more, see link for further details.
I'm sorry if I'm asking the wrong thing in stackoverflow, but I've come to my wits end dealing with Blackberry. Documentation, site organization, general levels of support have all come together to the point that I haven't been able to do a whole lot of actual work in this environment.
I currently have the Eclipse environment downloaded from the blackberry developer's area website. I can run the simulator and everything else without issue. What I'm trying to do now is to move from debugging on the simulator to debugging on the device itself. This is an important step for me, but I haven't found a satisfactory way to do it...
What I've found are some posts saying that I should package an ALX (of which I'm still not sure on how to do), and using the BDM to install it. This, however, means I won't be able to use the debugger...
If someone could direct me to a resource that will give me step by step instructions from coding to release of blackberry development, this would be awfully helpful.
Thanks so much!
Yes, please test your code on a device. Basic stuff works the same between both, but especially when you get into networking, media, etc. the devices are different.
You can debug on your device through Eclipse. I can't provide you with an end-to-end guide on SO, but here's the quick debug guide.
Build (sign if necessary) and load your app onto the device. You can do this with the desktop manager, or with the command-line javaloader tool that comes with the JDE (look in the bin directory), or even OTA (over the air)
After loading, make sure the Desktop Manager is NOT running (it'll interfere with on-device debugging)
From Eclipse, create a new debug configuration, in the Debug Configurations dialog click on BlackBerry Device, and then click on the new configuration icon. Default settings should be fine.
Make sure your device is plugged into your USB port and start your new debug configuration. You'll probably get a lot of prompts about things missing (because actual devices don't have debug info for any built-in stuff, generally) but click through those and you should be fine to debug.
This is something we struggled with a lot at my old company. I don't think it's possible to do with Eclipse, you have to use the BB JDE, creating the necessary project files against the same code base. I could be wrong on that one as we weren't using the RIM Eclipse plugin, just building it all with Ant.
Personally I never managed to get past "debugger attaching..." on the device, although I believe a colleague got it to connect but found it too slow to be usable (if you think how slow the emulator can be sometimes...). I know our ant build file had a target for building a version specifically for the JDE profiler, although that was only against the emulator.
In the end we resorted to using our own function debugging code that manually logged entries, exits, parameters and run times, sending the result to a special server.
Sorry if that doesn't help much, but that was our experience.
Never needed to debug on the device itself, I've always found that the apps I've written work on the device, same as on the handset.
As for generating an ALX, in Eclipse right click on the project inside the Package Explorer and select "Generate ALX File".