Almost every Apple device prone to hacking due to this CocoaPods flaw

Around 3 million iOS and macOS apps that were built with CocoaPods have been vulnerable for around 10 years

Reportedly, the malware can insert malicious code into many of the most popular iOS and MacOS applications

Many iOS and macOS apps appear to have been exposed to security breaches, according to research by E.V.A. Information Security. The threat was reportedly found in CocoaPods, an open-source repository.

Around 3 million iOS and macOS apps that were built with CocoaPods have been vulnerable for around 10 years, the report highlighted.

Reportedly, the threat involves CocoaPods, which programmers use to incorporate existing software libraries into their apps. CocoaPods could be exploited to secretly introduce malicious code into apps that rely on those libraries.

Identifying the fraud

According to E.V.A. Information Security researchers, they have uncovered several vulnerabilities in the CocoaPods dependency manager that allow any malicious actor to claim ownership of thousands of unclaimed pods. Reportedly, this could be used to insert malicious code into many of the most popular iOS and macOS applications.

The E.V.A. Information Security report explains that such an attack on the mobile app ecosystem could infect almost every Apple device. This could eventually leave thousands of organisations vulnerable to catastrophic financial and reputational damage. So, how does this threat work? According to the security firm, an insecure email verification workflow could be exploited to run arbitrary code on the CocoaPods ‘Trunk’ server (which manages the distribution and metadata of Podspecs). This would allow an attacker to manipulate or replace the packages being downloaded, E.V.A. explained in an official blog post.

The flaws could also enable zero-day attacks against the most advanced and secure organisations’ infrastructure. “The most serious flaw is CVE-2024-38366, which created a way for hackers to take over unclaimed software packages, known as Pods, without going through any ‘ownership verification process’,” the security firm highlighted. The flaws also increase the risk of software supply chain attacks.

Safety measures ahead

The good news is that all the vulnerabilities were patched after E.V.A. Information Security reported the threat to CocoaPods. The fixes are expected to include “wiping all session keys” to prevent any unauthorised users from making code updates.

The security firm also suggested that both developers and DevOps teams that have used CocoaPods in recent years should verify the integrity of open source dependencies used in their application code.

According to the reports, a significant percentage of the Swift and Objective-C application ecosystem (including iOS, macOS, and other Apple device software) is prone to the CocoaPods threat. The security firm also suggested that special attention needs to be paid to software that relies on CocoaPods packages that do not have an owner assigned to them.
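As an added example (not code from the E.V.A. report or from the CocoaPods project), the Ruby script below implements one form of the integrity check recommended above: it diffs a previously reviewed Podfile.lock against the current one and flags pods whose podspec checksum changed while the version stayed the same, and newly added pods that a team should confirm have an assigned owner. The pod names, versions and checksums in the sample lock files are constructed.

```ruby
require "yaml"

# Constructed sample: a previously reviewed Podfile.lock (checksums are fake).
BASELINE_LOCK = <<~LOCK
  PODS:
    - Alamofire (5.9.1)
    - SwiftyJSON (5.0.2)

  SPEC CHECKSUMS:
    Alamofire: aaaa000000000000000000000000000000000001
    SwiftyJSON: aaaa000000000000000000000000000000000002

  COCOAPODS: 1.15.2
LOCK

# Constructed sample: the lock after a fresh `pod install` (checksums are fake).
CURRENT_LOCK = <<~LOCK
  PODS:
    - Alamofire (5.9.1)
    - ExampleHelper (1.0.0)
    - SwiftyJSON (5.0.3)

  SPEC CHECKSUMS:
    Alamofire: bbbb000000000000000000000000000000000001
    ExampleHelper: bbbb000000000000000000000000000000000003
    SwiftyJSON: bbbb000000000000000000000000000000000002

  COCOAPODS: 1.15.2
LOCK

# Parse a Podfile.lock (plain YAML) into { root_pod => { version:, checksum: } }.
def parse_lock(text)
  doc = YAML.safe_load(text)
  pods = {}
  Array(doc["PODS"]).each do |entry|
    label = entry.is_a?(Hash) ? entry.keys.first : entry  # hash form lists subdependencies
    name, version = label.match(/\A(\S+) \((.+)\)\z/).captures
    pods[name.split("/").first] = { version: version, checksum: nil }  # "Pod/Subspec" -> "Pod"
  end
  (doc["SPEC CHECKSUMS"] || {}).each { |name, sum| pods[name][:checksum] = sum if pods[name] }
  pods
end

# Compare the reviewed baseline with the current lock and return human-readable findings.
def audit_lock(baseline_text, current_text)
  base, cur = parse_lock(baseline_text), parse_lock(current_text)
  cur.map do |name, c|
    b = base[name]
    if b.nil?
      "NEW #{name} #{c[:version]}: not in baseline, confirm the pod has an owner before trusting it"
    elsif b[:version] == c[:version] && b[:checksum] != c[:checksum]
      "SUSPICIOUS #{name} #{c[:version]}: podspec checksum changed but version did not"
    elsif b[:version] != c[:version]
      "UPDATED #{name} #{b[:version]} -> #{c[:version]}: review the new podspec"
    end
  end.compact
end

puts audit_lock(BASELINE_LOCK, CURRENT_LOCK)
```

Run it in CI against the committed Podfile.lock and the one produced by `pod install`; a SUSPICIOUS line means the published spec for an unchanged version no longer matches what was reviewed and should block the build until explained.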


This article was first uploaded on July 3, 2024, at 5:47 pm.