AppCode News

AppCode 2020.3.4: Trusted Projects and Bug Fixes

Hi everyone,

AppCode 2020.3.4 update is available to download from our site.

Trusted projects

AppCode 2020.3.4 introduces the concept of trusted projects, designed to mitigate the risks associated with opening projects from unknown and untrusted sources.

Many modern build systems, including SPM, rely on code execution for building the project model that the IDE needs in order to understand the project structure and its dependencies. In SPM, the build script itself is code written in Swift. Many Xcode projects also include SPM dependencies.

In addition to the issues inherent to the project structure design, some of AppCode’s features (for example, startup tasks) introduce additional code execution possibilities enabled by sharing a project together with its .idea directory.

Thus, the simple act of opening a project in the IDE could lead to code execution from the project build scripts. If a malicious actor creates the project, this can be a significant security risk. Unfortunately, the risk is not merely hypothetical – there have been recent attempts to attack security researchers by sending them Visual Studio projects containing malicious code.

We’ve introduced trusted projects to mitigate these risks. When you open a project, AppCode doesn’t execute any code from it and checks whether it is trusted or from a trusted location. If the project currently is not trusted, the IDE will ask you to choose whether to open it in safe mode or full-trust mode. If you open a project in safe mode, the IDE will disable all potential code execution upon opening. Since this makes it impossible to build an accurate project model, many IDE features, such as error highlighting, will be disabled. However, you can still browse the project’s contents and open its source files in the editor.

Trust dialog

To avoid showing warnings for every project, the IDE allows you to define trusted locations in Preferences | Build, Execution, Deployment | Trusted Locations. Projects in directories specified as “Trusted Locations” are always considered trusted. To ensure that you get the untrusted project warnings only when something out of the ordinary is happening, we recommend adding the directory where you usually create projects to your trusted locations.

Trusted locations

If you want to disable the untrusted project warnings, you can add your home directory to the trusted locations. However, we do not recommend doing this, as it could potentially leave you open to an attack.

Note that building or running the SPM project from the command line carries the same security risks as importing it into an IDE. So if you choose to open the project in the safe mode, you also need to avoid running SPM commands in the terminal.

Bug fixes

The following issues are fixed in this update:

  • iOS simulators were unavailable for Xcode 12.5 Beta (OC-21351).
  • The Chinese Language Pack plugin wasn’t compatible with AppCode (OC-21279).
  • False SourceKit errors/warnings were displayed for SPM projects with a local dependency (OC-21250).
  • SDK symbols weren’t resolved for the basic macOS app with Xcode 12.3 (OC-21150).

The full release notes are available here.

Your AppCode team
The Drive to Develop