May 17, 2025
Millions of iOS apps were vulnerable to hackers

July 2, 2024

Some recently discovered bugs in CocoaPods left about three million iOS apps vulnerable to hackers for a decade. There is no clear evidence that this happened.

Security researchers discovered several dangerous bugs in the CocoaPods repository late last year. Hackers could have abused them to modify the code of millions of applications, although there is currently no evidence that such an attack has taken place.

CocoaPods hosts open source Swift and Objective-C projects. Developers integrate these code packages, called pods, into their apps, after which the pods are updated automatically. A pod's code becomes part of the application built on it. Those applications, in turn, run on iPhones, where they may hold broad permissions and access sensitive information such as personal data or card data.

Access for hackers

Researchers at EVA Information Security discovered late last year that CocoaPods itself contained several security flaws. In some cases, attackers could bypass authentication or tamper with the emails sent to developers in order to steal session tokens, allowing them to act as those developers and gain access to their pods.

In theory, hackers have been able for a decade to secretly modify legitimate developers' pods and add malicious code. Such code would then have been rolled out almost automatically to the apps of unsuspecting users.

CocoaPods has now fixed the vulnerabilities and reset all session tokens. The organization does not believe that the vulnerabilities were exploited in practice, but still advises developers to check whether their pods and the platform are authentic.
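One concrete way for a developer to act on that advice is to compare the current Podfile.lock against a known-good copy committed before the incident, and to flag any pod whose spec checksum changed without a version change, which is the signature of a pod that was silently altered. The script below is an added illustration written for this article; it is not code from IT Daily, EVA Information Security or the CocoaPods project. The two lock files, the pod names and all checksums are constructed sample data, and the parsing assumes the standard layout CocoaPods writes (a PODS block of `  - Name (version)` entries and a SPEC CHECKSUMS block of `  Name: <40 hex chars>` lines, each block ending at a blank line).

```python
import re
from dataclasses import dataclass

# Constructed sample Podfile.lock as committed before the incident
# (pod names and checksums are made up for this example).
BASELINE_LOCK = """\
PODS:
  - ExampleNet (5.6.4)
  - ExampleLog (1.2.0)

SPEC CHECKSUMS:
  ExampleNet: 0123456789abcdef0123456789abcdef01234567
  ExampleLog: 89abcdef0123456789abcdef0123456789abcdef

PODFILE CHECKSUM: fedcba9876543210fedcba9876543210fedcba98

COCOAPODS: 1.15.2
"""

# Constructed lock file after a fresh `pod install`: ExampleLog's spec checksum
# changed although its version did not, and a new pod appeared.
CURRENT_LOCK = """\
PODS:
  - ExampleNet (5.6.4)
  - ExampleLog (1.2.0)
  - ExampleAds (0.1.0)

SPEC CHECKSUMS:
  ExampleNet: 0123456789abcdef0123456789abcdef01234567
  ExampleLog: deadbeefdeadbeefdeadbeefdeadbeefdeadbeef
  ExampleAds: cafebabecafebabecafebabecafebabecafebabe

PODFILE CHECKSUM: fedcba9876543210fedcba9876543210fedcba98

COCOAPODS: 1.15.2
"""


def _block(lock_text: str, header: str):
    """Yield the lines of the top-level block named `header` (ends at a blank line)."""
    inside = False
    for line in lock_text.splitlines():
        if line.strip() == header:
            inside = True
            continue
        if inside:
            if not line.strip():
                return
            yield line


def parse_spec_checksums(lock_text: str) -> dict:
    """Return {pod_name: sha1_hex} from the SPEC CHECKSUMS block."""
    checksums = {}
    for line in _block(lock_text, "SPEC CHECKSUMS:"):
        m = re.match(r"^  ([^:]+): ([0-9a-f]{40})$", line)
        if not m:
            raise ValueError(f"unexpected SPEC CHECKSUMS line: {line!r}")
        checksums[m.group(1)] = m.group(2)
    return checksums


def parse_pod_versions(lock_text: str) -> dict:
    """Return {pod_name: version} from the PODS block; subspecs (Name/Sub) map to Name."""
    versions = {}
    for line in _block(lock_text, "PODS:"):
        m = re.match(r"^  - ([^/ ]+)(?:/\S+)? \(([^)]+)\)", line)
        if m:
            versions.setdefault(m.group(1), m.group(2))
    return versions


@dataclass
class Finding:
    pod: str
    kind: str    # "added", "removed", "changed", "changed-same-version"
    detail: str


def diff_locks(baseline: str, current: str) -> list:
    """Compare two lock files; 'changed-same-version' is the case worth investigating."""
    base_sums, cur_sums = parse_spec_checksums(baseline), parse_spec_checksums(current)
    base_ver, cur_ver = parse_pod_versions(baseline), parse_pod_versions(current)
    findings = []
    for pod in sorted(set(base_sums) | set(cur_sums)):
        if pod not in base_sums:
            findings.append(Finding(pod, "added", f"new pod at version {cur_ver.get(pod, '?')}"))
        elif pod not in cur_sums:
            findings.append(Finding(pod, "removed", "pod no longer present"))
        elif base_sums[pod] != cur_sums[pod]:
            if base_ver.get(pod) == cur_ver.get(pod):
                findings.append(Finding(pod, "changed-same-version",
                                        f"podspec changed at unchanged version {cur_ver.get(pod)}"))
            else:
                findings.append(Finding(pod, "changed",
                                        f"{base_ver.get(pod)} -> {cur_ver.get(pod)}"))
    return findings


if __name__ == "__main__":
    for f in diff_locks(BASELINE_LOCK, CURRENT_LOCK):
        print(f"{f.kind:22} {f.pod}: {f.detail}")
```

Two caveats on what this check does and does not cover: the SPEC CHECKSUMS entries are hashes of the podspec metadata, not of the downloaded sources, so a pod whose source archive changed behind an unchanged podspec would not be caught; pinning pods to a specific git commit in the Podfile, or verifying the sources out of band, closes that gap. And a review of the baseline itself is only as good as the copy you trust, so take it from a commit made before the window of concern.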

Big influence

It appears that everything turned out well this time, but the potential impact of the vulnerabilities was considerable. CocoaPods is part of the app supply chain. Anyone who can modify a popular and widely used pod there is not attacking one developer, but hundreds of thousands of apps at once. For a sense of what such an attack can do, look at Log4Shell and Log4J.

Source: IT Daily
