Developer Trust, and the XCode Hack
As many of you may already be aware, a report was published early
Tuesday morning, indicating that the CIA has created a “whacked” version
of XCode — Apple’s IDE and development toolchain — that can
leak developer private information or inject malware into apps created
with the altered IDE.
While that particular report does not get into Android, I feel fairly
confident that Android developers are wide open for targeted attacks
via development tools and development processes. And these attacks may
not require CIA-level “dark arts”, but would be more within reach of
other nations or organized groups. Some of those attackers will be less
interested in affecting our apps and more interested in peering inside
our office networks.
We need to do a better job, overall, of making sure that developers can
trust the tools that they use. We need to trust that the tools were not
written with malicious intent in the first place. We need to trust
that what we download and use is really what was published by the tools’
authors, not some “whacked” version. And we need to trust that the various
services that we use, from ad networks to distribution channels, are not
having similar impacts.
Personally, I need to climb the learning curve on OpenPGP signing of
Maven artifacts, both to sign my CWAC libraries and to advise developers on
how they can validate artifact signatures as part of the build process.
I am hoping that, in the coming days and weeks, the publishers of the
major tools and ecosystems that we as Android developers use will explain to us
what is being done to help prevent, or at least detect, XCode-style attacks.


