Three million iOS, macOS apps vulnerable for 10+ years
Supply-chain attack vulnerabilities, undetected for over a decade, have left thousands of iOS and macOS apps exposed, according to EVA Information Security researchers. The flaws were found in the "trunk" server that manages CocoaPods, an open-source dependency repository for Swift and Objective-C projects that around three million macOS and iOS apps rely on. Researchers warn that, by injecting code into these applications, attackers could potentially gain access to sensitive user information such as credit card details and medical records.
Vulnerabilities stem from insecure verification
The vulnerabilities originated in an insecure email verification mechanism used to authenticate the developers of individual pods. Attackers could manipulate the URL in the verification link sent by the trunk server so that it pointed to a server under their control. Another vulnerability allowed attackers to claim pods that had been abandoned by their developers but were still in use by apps. A third vulnerability allowed attackers to execute code on the trunk server itself, a flaw left over from an incomplete CocoaPods server migration in 2014.
Patched bugs cause concern
Despite the patches, the severity of these bugs and their long exposure period remain a cause for concern among software teams, according to EVA researchers. They stated that an "attack on the mobile app ecosystem could infect almost every Apple device, leaving thousands of organizations vulnerable to catastrophic financial and reputational damage."
Urgent call for developers to review products
Despite the potential risks, there is no evidence yet of any apps having been compromised. However, EVA researchers have urged corporate developers to review their products. They emphasized the need to "verify the integrity of open source dependencies used in their application code" as an important step toward ensuring that their systems and customers are not left exposed. This call to action is aimed at preventing the kind of catastrophic financial and reputational damage that such vulnerabilities could cause.
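As an added example (not code from the EVA report or from the CocoaPods project), one way a team can act on the dependency-integrity review called for above: a small Python check over a project's Podfile.lock that flags dependencies not pinned to an exact version and podspec checksums that have drifted from a previously reviewed baseline, which is the kind of change a hijacked or republished pod would produce. The Podfile.lock contents and the baseline checksums are constructed for this example.

```python
import re

# Constructed sample Podfile.lock; pod names and checksums are made up.
PODFILE_LOCK = """\
PODS:
  - Alamofire (5.6.4)
  - OrphanedKit (1.2.0)

DEPENDENCIES:
  - Alamofire (= 5.6.4)
  - OrphanedKit

SPEC CHECKSUMS:
  Alamofire: 4e95d97098eacb88856099c4fc79b526a299e48c
  OrphanedKit: 1111111111111111111111111111111111111111

COCOAPODS: 1.12.1
"""

# Constructed baseline: podspec checksums recorded at the last review.
BASELINE = {
    "Alamofire": "4e95d97098eacb88856099c4fc79b526a299e48c",
    "OrphanedKit": "0000000000000000000000000000000000000000",
}

def parse_lock(text):
    """Return (dependencies, checksums) parsed from Podfile.lock text."""
    deps, sums, section = {}, {}, None
    for line in text.splitlines():
        if line and not line.startswith(" "):   # top-level section header
            section = line.rstrip(":")
            continue
        m = re.match(r"\s+-\s+([\w./+-]+)(?:\s+\((.*)\))?$", line)
        if section == "DEPENDENCIES" and m:
            deps[m.group(1)] = m.group(2) or ""  # "" means no version constraint
        m = re.match(r"\s+([\w./+-]+):\s+([0-9a-f]{40})$", line)
        if section == "SPEC CHECKSUMS" and m:
            sums[m.group(1)] = m.group(2)        # SHA-1 of the resolved podspec
    return deps, sums

def audit(text, baseline):
    """Flag unpinned dependencies and podspec checksums that differ from baseline."""
    deps, sums = parse_lock(text)
    findings = []
    for name, req in deps.items():
        if not req.startswith("= "):
            findings.append(f"{name}: not pinned to an exact version ({req or 'any'})")
    for name, digest in sums.items():
        known = baseline.get(name)
        if known is None:
            findings.append(f"{name}: no baseline checksum, review podspec")
        elif known != digest:
            findings.append(f"{name}: podspec checksum changed {known[:8]} -> {digest[:8]}")
    return findings
```

Running `audit(PODFILE_LOCK, BASELINE)` reports OrphanedKit twice: it is unpinned and its podspec checksum no longer matches the reviewed baseline.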