July 3, 2024
A security flaw in CocoaPods, a popular open source repository, has reportedly put the security of millions of iOS and macOS apps at risk for a decade. Ars Technica.

Why it matters. CocoaPods is an essential tool for Apple developers, allowing them to easily integrate third-party code into their apps. A security breach here could trigger a chain reaction that exposes the personal data of millions of users.

The basics. Discovered by researchers at EVA Information Security, the vulnerability affected nearly three million iOS and macOS apps. The most alarming thing about the flaw is that it went undetected for a decade, a reminder of the importance of repeated security audits even on seemingly robust systems.

The potential scope of this issue is huge. Researchers warned that the vulnerability could allow an attacker to access sensitive information such as credit cards, medical records, and other private content.

How does it work? At the core of this vulnerability is an insecure email verification mechanism used to authenticate the developers of individual pods. Pods, in the term CocoaPods uses, are code packages. The process went like this:

  1. A developer entered the email address associated with their pod.
  2. The CocoaPods server sent a verification link to this address.
  3. When the developer clicked on this link, the account was linked.

A very common process across many services. The researchers discovered that an attacker could change the URL in the verification link to point to a server under their control. By exploiting weaknesses in the handling of HTTP headers, the attacker could trick the system into accepting this malicious redirect.
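The weak point described above, as an added illustration that is not CocoaPods' own code: a verification link whose origin is derived from request-supplied host headers can be steered elsewhere, while one built from a configured canonical base URL cannot. The service host, the link path and the specific header consulted are assumptions for the example (the article only says "HTTP headers").

```ruby
# Added example, not code from CocoaPods or from the article.
require 'uri'
require 'securerandom'

# Assumed placeholder for the service's real origin; configured, not taken from the request.
CANONICAL_BASE = 'https://trunk.example.test'

# Weak builder: the link origin comes from whatever host the request carried.
# `headers` is a plain Hash standing in for the request's header set; which
# header the real bug involved is not stated on the page, so this is an assumption.
def weak_verification_link(headers, token)
  host = headers['X-Forwarded-Host'] || headers['Host']
  "https://#{host}/sessions/verify/#{token}"
end

# Hardened builder: never consults request headers when choosing the link origin.
def safe_verification_link(token)
  URI.join(CANONICAL_BASE, "/sessions/verify/#{token}").to_s
end

# Defensive check a mailer can run before sending: only links on the canonical
# origin (same scheme, host and port) are allowed out.
def link_on_canonical_origin?(link)
  u = URI.parse(link)
  c = URI.parse(CANONICAL_BASE)
  u.scheme == c.scheme && u.host == c.host && u.port == c.port
rescue URI::InvalidURIError
  false
end

# Compares the builders on an honest request and on one carrying a spoofed
# forwarded host (constructed sample headers).
def demo
  token = SecureRandom.hex(16)
  honest  = { 'Host' => 'trunk.example.test' }
  spoofed = { 'Host' => 'trunk.example.test', 'X-Forwarded-Host' => 'attacker.example' }
  {
    weak_honest:  link_on_canonical_origin?(weak_verification_link(honest, token)),
    weak_spoofed: link_on_canonical_origin?(weak_verification_link(spoofed, token)),
    safe:         link_on_canonical_origin?(safe_verification_link(token))
  }
end
```

The weak builder passes the origin check only when the request is honest; the hardened builder passes regardless of what the request carried.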

Context. This is not an isolated incident for CocoaPods. In 2021, another vulnerability allowed repositories to execute arbitrary code on the servers that manage them. That could have been used to replace existing packages with malicious versions, resulting in malicious code being deployed into iOS and macOS apps.

These are events that remind us of the need for continued vigilance in software security, especially around critical components of the development infrastructure, like CocoaPods.

Next steps. CocoaPods took swift action to mitigate the risks when EVA brought the issue to its attention in October 2023. It deleted all session keys, implemented a new procedure for reclaiming old, leftover pods, and fixed the vulnerabilities in the authentication system.

That same October, CocoaPods acknowledged both the problem and the potential worst-case scenario.

EVA researchers have published several recommendations for developers using CocoaPods in their applications:

  1. Review all dependencies thoroughly.
  2. Run regular security scans to automatically detect malicious code.
  3. Keep tools updated to the latest version.
  4. Implement safe development practices such as code reviews and security audits.

Supply chains exist in the software world as well, and a single weak link poses a risk to the entire chain: for the developers themselves, and also for the users.

Featured image | Denis Cherkashin on Unsplash


Source: Xataka
