CocoaPods bug creates problems for MacOS and iOS developers
Millions of applications for MacOS and iOS were at massive risk for a long time because a central developer software had a problem. Basically, all apps from major providers were also affected.
Dependencies become a problem
The problem started with the CocoaPods tool. This is a dependency manager that developers can use to easily load all kinds of open-source libraries and automatically integrate them into their projects. For a long time, however, the CocoaPods pool was not sufficiently protected against attackers injecting third-party code.
The Israeli company EVA Information Security discovered the problem and went public with a detailed analysis of the problem. According to the company, the security vulnerability had existed for ten years: In 2014, CocoaPods was migrated to a new GitHub server, which reset the authorship of the individual “pods” in which the dependency descriptions are stored.
The CocoaPods team asked the providers of the various libraries to renew their authorship claims, but not all of them did so. At the end of the day, 1,870 pods were still orphaned. According to the security researchers, unauthorized persons were now able to assert claims and manipulate the pods. This ultimately made it possible to inject malicious code into software libraries, which was then incorporated into numerous apps with each new build process.
That was close
To claim a pod for themselves, an attacker only had to send a specific CURL request, and then they could modify a pod and insert malicious code. However, it is currently unclear whether anyone had come up with this idea before the EVA researchers. Fortunately, there is no evidence to date that the vulnerability has actually been exploited.
Contrary to what was initially thought, this does not necessarily mean that the issue is off the table for CocoaPods users. Developers and DevOps teams who have used CocoaPods in recent years – especially before October 2023 – “should check the integrity of the open source dependencies used in their application code,” say the EVA researchers.
This is because it cannot be ruled out that malicious code has been smuggled into the pods in recent years that is now no longer necessarily found. In particular, app versions that are not based on the latest library versions delivered by CocoaPods could still contain malicious code.
Ultimately, it is not necessarily the Apple platform’s fault, as there are similar library management tools elsewhere. The dependency chains have already proven to be a potential security problem on several occasions, but the extent of the potential damage now posed by CocoaPods is likely to be exceptional.
Research Snipers is currently covering all technology news including Google, Apple, Android, Xiaomi, Huawei, Samsung News, and More. Research Snipers has decade of experience in breaking technology news, covering latest trends in tech news, and recent developments.
