Millions of iOS apps were exposed to CocoaPods security breach

Millions of iOS and macOS apps have been exposed to a security weakness that could be used for supply-chain attacks, according to an Ars Technica report based on research by EVA Information Security. The vulnerabilities were found in CocoaPods, an open-source dependency manager and package repository used by many popular apps developed for Apple platforms.

Exploit found in CocoaPods affected iOS and macOS apps

According to the report, around 3 million iOS and macOS apps that were built with CocoaPods have been vulnerable for around 10 years. For those unfamiliar, CocoaPods makes it easy for developers to integrate third-party code into their apps through open-source libraries. When a library is updated, apps using it automatically get the latest updates.

EVA Information Security revealed that the vulnerabilities could allow attackers to access sensitive app data such as credit card details, medical records, and private material. That data could be used for a number of malicious purposes, including ransomware, fraud, blackmail, and corporate espionage.

The vulnerabilities were related to an insecure email verification mechanism used to authenticate developers of individual pods (libraries). For example, an attacker could manipulate the URL in a verification link so that it pointed to a server under their control. The CocoaPods team has already fixed the vulnerabilities.

After the EVA researchers privately notified the CocoaPods developers of the vulnerabilities, the developers wiped all session keys to ensure that no one could access an account without first having control of its registered email address.
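To make the two preceding paragraphs concrete, here is an added Ruby sketch; it is not code from the article, from EVA, or from the CocoaPods project. It contrasts the weak pattern the article describes (a verification link whose host is copied from request headers) with a hardened flow: the link is built from a configured canonical origin, the token is random, stored only as a digest, expires, is single-use, and a `revoke_all` method mirrors the maintainers' wipe of all session keys. The service origin, path, and token lifetime are assumptions.

```ruby
require "securerandom"
require "digest"
require "time"

# Assumed, hypothetical trunk-style service. The public origin is configuration,
# never derived from the incoming HTTP request.
CANONICAL_BASE_URL = "https://trunk.example.test".freeze
VERIFY_PATH        = "/sessions/verify".freeze
TOKEN_TTL_SECONDS  = 15 * 60

# Weak pattern: whoever controls the forwarded host header controls where the
# emailed link points, which is the class of flaw the article describes.
def weak_verification_url(headers, token)
  host = headers["X-Forwarded-Host"] || headers["Host"]
  "https://#{host}#{VERIFY_PATH}/#{token}"
end

# Hardened pattern: request headers play no part in the link.
def verification_url(token)
  "#{CANONICAL_BASE_URL}#{VERIFY_PATH}/#{token}"
end

class SessionStore
  Pending = Struct.new(:email, :expires_at)

  # `now` is injectable so expiry can be tested deterministically.
  def initialize(now: -> { Time.now.utc })
    @now = now
    @pending = {}
  end

  # Issue a token for an email address. Only the SHA-256 digest is kept server
  # side; the raw token travels solely in the email sent to that address, so
  # presenting it later demonstrates control of the mailbox.
  def issue(email)
    token = SecureRandom.urlsafe_base64(32)
    @pending[digest(token)] = Pending.new(email, @now.call + TOKEN_TTL_SECONDS)
    token
  end

  # Returns the verified email, or nil. Tokens are single-use and expire.
  def verify(token)
    entry = @pending.delete(digest(token)) # delete first: single use even on failure
    return nil if entry.nil?
    return nil if @now.call > entry.expires_at
    entry.email
  end

  # Invalidate every outstanding token; returns how many were dropped.
  def revoke_all
    count = @pending.size
    @pending.clear
    count
  end

  private

  def digest(token)
    Digest::SHA256.hexdigest(token)
  end
end
```

The design point is that the host in the link and the proof of mailbox control are decoupled: the origin is fixed configuration, and the token is meaningless to anyone who cannot read the registered mailbox, which is exactly the property the maintainers restored by wiping sessions.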

The CocoaPods maintainers also added a new procedure for recovering old orphaned pods that requires contacting the maintainers directly. An author who wants to take over one of those dependencies now has to go through the maintainers.

This isn’t the first time that CocoaPods has been targeted by attackers. In 2021, the project’s maintainers confirmed a security issue that allowed CocoaPods repositories to run arbitrary code on the servers that manage them. This could have been used to replace existing packages with malicious versions whose code could end up shipping in iOS and Mac apps.

EVA researchers advise developers using CocoaPods in their apps to always review CocoaPods dependencies and run security scans to detect malicious code in all external libraries.
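As an added example of the dependency review the researchers recommend (this is not code from the article, EVA, or CocoaPods), the following Ruby script audits a `Podfile.lock`. It flags pods resolved from external sources rather than the trunk spec repo, git sources that follow a branch instead of a pinned commit, dependencies with floating version requirements, and podspec checksums that differ from a team-maintained baseline. The lock file, pod names, URLs, checksums, and baseline are all constructed placeholders.

```ruby
require "yaml"

# Constructed sample Podfile.lock (not from any real project).
SAMPLE_LOCK = <<~LOCK
  PODS:
    - ChartKit (3.0.2)
    - ForkedLogger (1.4.0)
    - NetKit (2.1.0):
      - NetKit/Core (= 2.1.0)
    - NetKit/Core (2.1.0)

  DEPENDENCIES:
    - ChartKit (= 3.0.2)
    - ForkedLogger (from `https://git.example.test/forks/ForkedLogger.git`, branch `main`)
    - NetKit (~> 2.1)

  SPEC REPOS:
    trunk:
      - ChartKit
      - NetKit

  EXTERNAL SOURCES:
    ForkedLogger:
      :git: https://git.example.test/forks/ForkedLogger.git
      :branch: main

  CHECKOUT OPTIONS:
    ForkedLogger:
      :git: https://git.example.test/forks/ForkedLogger.git
      :commit: 0123456789abcdef0123456789abcdef01234567

  SPEC CHECKSUMS:
    ChartKit: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
    ForkedLogger: bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
    NetKit: cccccccccccccccccccccccccccccccccccccccc

  PODFILE CHECKSUM: dddddddddddddddddddddddddddddddddddddddd

  COCOAPODS: 1.12.1
LOCK

# Constructed baseline: checksums the team reviewed and accepted earlier.
# NetKit deliberately differs from the lock file to show drift detection.
BASELINE_CHECKSUMS = {
  "ChartKit" => "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
  "NetKit"   => "0000000000000000000000000000000000000000",
}.freeze

# Returns an array of findings: { pod:, rule:, detail: }.
def audit_lockfile(text, baseline_checksums)
  # Podfile.lock uses `:git:`-style keys, which Psych loads as Symbols.
  lock = YAML.safe_load(text, permitted_classes: [Symbol])
  findings = []

  external  = lock.fetch("EXTERNAL SOURCES", nil) || {}
  checkout  = lock.fetch("CHECKOUT OPTIONS", nil) || {}
  checksums = lock.fetch("SPEC CHECKSUMS", nil) || {}
  deps      = lock.fetch("DEPENDENCIES", nil) || []

  # 1. Anything not served by the trunk spec repo deserves a manual look.
  external.each do |pod, source|
    src  = source.transform_keys(&:to_s)
    opts = (checkout[pod] || {}).transform_keys(&:to_s)
    findings << { pod: pod, rule: "external-source",
                  detail: src.map { |k, v| "#{k}=#{v}" }.join(" ") }
    # 2. A branch reference moves on `pod update`; only a commit is immutable.
    if src.key?("git") && (src.key?("branch") || !opts.key?("commit"))
      findings << { pod: pod, rule: "unpinned-git",
                    detail: "git source is not pinned to a single commit" }
    end
  end

  # 3. A changed podspec checksum means the spec itself changed: review it.
  checksums.each do |pod, sum|
    expected = baseline_checksums[pod]
    if expected.nil?
      findings << { pod: pod, rule: "new-pod", detail: "no reviewed baseline checksum" }
    elsif expected != sum
      findings << { pod: pod, rule: "checksum-changed",
                    detail: "baseline #{expected[0, 8]}.. now #{sum[0, 8]}.." }
    end
  end

  # 4. Floating requirements let a future update pull in an unreviewed version.
  deps.each do |dep|
    m = dep.to_s.match(/\A(\S+)(?: \((.*)\))?\z/)
    next if m.nil?
    name, req = m[1], m[2]
    next if req&.start_with?("from ")
    if req.nil? || !req.start_with?("= ")
      findings << { pod: name, rule: "floating-version",
                    detail: "requirement '#{req || 'any'}' is not an exact pin" }
    end
  end

  findings.sort_by { |f| [f[:pod], f[:rule]] }
end

if $PROGRAM_NAME == __FILE__
  audit_lockfile(SAMPLE_LOCK, BASELINE_CHECKSUMS).each do |f|
    puts "#{f[:rule].ljust(17)} #{f[:pod].ljust(13)} #{f[:detail]}"
  end
end
```

Run against a real project's `Podfile.lock` in CI, the baseline is the set of checksums from the last reviewed build; any finding blocks the merge until someone has looked at the change, which is the review step the researchers are asking for rather than an automatic trust in whatever the spec repo serves.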
