Millions of iOS and macOS apps have been exposed to security flaws that could be used for supply-chain attacks, according to an Ars Technica report based on research by EVA Information Security. The vulnerabilities were found in CocoaPods, an open-source dependency manager and package repository used by many popular apps developed for Apple platforms.
Exploit found in CocoaPods affected iOS and macOS apps
According to the report, around 3 million iOS and macOS apps that were built with CocoaPods have been vulnerable for around 10 years. For those unfamiliar, CocoaPods makes it easy for developers to integrate third-party code into their apps through open-source libraries. When a library is updated, apps using it automatically get the latest updates.
EVA Information Security revealed that the vulnerabilities could let attackers access sensitive app data such as credit card details, medical records, and private material. That data could be used for a number of malicious purposes, including ransomware, fraud, blackmail, and corporate espionage.
The vulnerabilities were related to an insecure email verification mechanism used to authenticate the developers of individual pods (libraries). For example, an attacker could manipulate the URL in a verification link so that it pointed to a malicious server. The CocoaPods team has already fixed the vulnerabilities.
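The defensive lesson from the verification-link flaw is that a link sent by email must be built from an origin the server trusts, never from anything the incoming request supplies. The following Ruby snippet is an added example written for this article; it is not CocoaPods code, and the `TRUSTED_ORIGIN` value, the `/sessions/verify/` path and the assumption that the weak variant derives its host from a request-supplied header are all constructed for illustration (the article does not describe the exact mechanism).

```ruby
require 'uri'

# Hypothetical canonical origin of the registry. In a real deployment this
# comes from configuration, never from the incoming HTTP request.
TRUSTED_ORIGIN = 'https://registry.example.invalid'.freeze

# Weak pattern (assumed for illustration): the link host is taken from data the
# client sent. Whoever controls that value controls where the token is sent.
def verification_link_from_request(host_header, token)
  "https://#{host_header}/sessions/verify/#{token}"
end

# Hardened pattern: the host comes only from configuration and the token is
# URL-encoded, so it cannot alter the path or inject query parameters.
def verification_link_hardened(token)
  path = "/sessions/verify/#{URI.encode_www_form_component(token)}"
  URI.join(TRUSTED_ORIGIN, path).to_s
end

# Request-level check: accept a Host header only if it exactly matches the
# configured origin, so mismatches can be rejected and logged before any
# link is generated.
def host_allowed?(host_header)
  host_header == URI(TRUSTED_ORIGIN).host
end

if $PROGRAM_NAME == __FILE__
  # Constructed token and a mismatched host, used only to show the contrast.
  puts verification_link_from_request('other.example.invalid', 'tok-123')
  puts verification_link_hardened('tok-123')
  puts host_allowed?('other.example.invalid') # false
end
```

The weak variant is kept only to make the contrast visible: the same token ends up at whichever host the request named, whereas the hardened variant always yields a link on the configured origin regardless of request data.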
After the EVA researchers privately notified the CocoaPods developers of the vulnerability, the maintainers wiped all session keys so that no one could access an account without first having control of the registered email address.
The CocoaPods maintainers also added a new procedure for recovering old orphan pods that requires contacting the maintainers directly. A pod author who wants to take over one of those orphaned dependencies now has to go through the maintainers.
This isn’t the first time that CocoaPods has been targeted by attackers. In 2021, the project’s maintainers confirmed a security issue that allowed CocoaPods repositories to run arbitrary code on the servers that manage them. This could have been used to replace existing packages with malicious versions whose code could end up shipping in iOS and Mac apps.
EVA researchers advise developers using CocoaPods in their apps to always review their CocoaPods dependencies and to run security scans that detect malicious code in all external libraries.
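One concrete, repeatable form of "reviewing dependencies" is to diff the `SPEC CHECKSUMS` section of `Podfile.lock` against the checksums recorded at the last review, and to flag top-level dependencies that are not pinned to an exact version. The Ruby script below is an added example written for this article, not a CocoaPods tool; the lock file excerpt, the pod names and the checksum values are all constructed placeholders, and the reviewed baseline is likewise made up so that one pod shows drift and one pod is new.

```ruby
require 'yaml'

# Constructed Podfile.lock excerpt (not from any real project). Pod names and
# checksum values are placeholders in the shape CocoaPods writes.
SAMPLE_LOCKFILE = <<~LOCK
  PODS:
    - AlphaKit (1.2.0)
    - BetaNet (3.4.1):
      - AlphaKit (~> 1.2)
    - GammaUI (0.9.0)

  DEPENDENCIES:
    - AlphaKit (= 1.2.0)
    - BetaNet (~> 3.4)
    - GammaUI

  SPEC CHECKSUMS:
    AlphaKit: a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1
    BetaNet: b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2
    GammaUI: c3c3c3c3c3c3c3c3c3c3c3c3c3c3c3c3c3c3c3c3

  COCOAPODS: 1.15.2
LOCK

# Constructed baseline recorded at the previous review. BetaNet deliberately
# differs from the lock file above, and GammaUI is absent from it.
REVIEWED_CHECKSUMS = {
  'AlphaKit' => 'a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1',
  'BetaNet'  => 'd4d4d4d4d4d4d4d4d4d4d4d4d4d4d4d4d4d4d4d4',
}.freeze

# Podfile.lock is plain YAML; load it without allowing arbitrary object types.
def load_lockfile(lock_text)
  YAML.safe_load(lock_text)
end

# Pod name -> spec checksum, coerced to strings so a digit-only value cannot
# be parsed as a number and break comparisons.
def spec_checksums(lock_text)
  load_lockfile(lock_text).fetch('SPEC CHECKSUMS').transform_values(&:to_s)
end

# Compare the current lock file with the reviewed baseline.
def checksum_drift(lock_text, baseline)
  current = spec_checksums(lock_text)
  {
    changed: baseline.keys.select { |n| current.key?(n) && current[n] != baseline[n] },
    new:     current.keys - baseline.keys,
    missing: baseline.keys - current.keys,
  }
end

# Top-level dependencies whose requirement is not an exact "(= x.y.z)" pin.
# Unpinned pods can silently move to a new version on the next install.
def unpinned_dependencies(lock_text)
  load_lockfile(lock_text).fetch('DEPENDENCIES')
                          .reject { |dep| dep.include?('(= ') }
                          .map { |dep| dep.split(' ').first }
end

if $PROGRAM_NAME == __FILE__
  drift = checksum_drift(SAMPLE_LOCKFILE, REVIEWED_CHECKSUMS)
  puts "changed since review: #{drift[:changed].inspect}"
  puts "new since review:     #{drift[:new].inspect}"
  puts "removed since review: #{drift[:missing].inspect}"
  puts "not pinned exactly:   #{unpinned_dependencies(SAMPLE_LOCKFILE).inspect}"
end
```

In practice the baseline would be committed alongside the lock file and the script run in CI, so that any pod whose spec checksum changed, or that appeared without a review, fails the build until someone has looked at the new code.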