Almost Every Apple Device Vulnerable Due to Flaws in Dependency Manager – Technologist

In a significant cyber security revelation, CocoaPods, an open-source dependency manager utilised by over three million applications, contained multiple vulnerabilities. These flaws, which existed for nine years before being patched last October, had the potential to compromise nearly every Apple device, according to a detailed report.

CocoaPods Overview

CocoaPods is essential for managing dependencies in Swift and Objective-C projects and verifying and authenticating the modules developers use. However, its ubiquity turned into a liability when vulnerabilities were discovered that could allow attackers to take over thousands of unclaimed “pods” (libraries) and inject malicious code into popular iOS and macOS apps.

The Origin of the Vulnerabilities

The vulnerabilities trace back to a 2014 migration to a new “Trunk” server. This migration left thousands of packages “orphaned,” with their original owners unidentified. The public API endpoint for claiming these pods remained open for nine years, enabling anyone to claim them without verification.

Email security is vital

An insecure email verification process and a vulnerable Ruby package could allow attackers to execute arbitrary code on the Trunk server, manipulating or replacing the downloaded packages.

“By spoofing an HTTP header and exploiting misconfigured email security tools, attackers could execute a zero-click attack, accessing a developer’s account verification token,” explained researchers. This data breach would permit attackers to alter packages on the CocoaPods server, leading to potential supply chain and zero-day cyber attacks.

Implications of the Device Vulnerabilities

EVA Security’s findings underscore the potential scale of the threat. While there is no direct evidence that these vulnerabilities have been exploited in the wild, the sheer size of the CocoaPods ecosystem (comprising 100,000 libraries) and the length of time the vulnerabilities existed make it plausible that they could have been used. Exploiting these flaws could have given attackers control over CocoaPods and any published package, providing access to sensitive data.

“An attacker controlling a part of the iOS/macOS app supply chain would have the ability to access millions of mobile apps and the hundreds of millions of people using them,” the researchers highlighted. The potential impact is vast, especially considering that CocoaPods is the most popular dependency manager among iOS developers. Affected projects could include those maintained by major companies such as Google, GitHub, Amazon, and Dropbox.

Mitigation Strategies

Developers are advised to take several mitigation steps:

  1. Review Dependency Lists: Validate third-party libraries and ensure software is updated.
  2. Avoid Orphaned Libraries: EVA identified 1,866 orphaned pods; these should be avoided.
  3. Ensure Consistency: All developers should use the same version of the packages.
  4. Regular Security Scans: Perform scans to detect secrets and malicious code in external libraries, particularly CocoaPods.
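Steps 1 to 3 above can be turned into a check that runs in CI against the project's Podfile and Podfile.lock. The script below is an added example written for this article; it is not code from CocoaPods, EVA Security or any project mentioned here. It assumes the standard Podfile.lock layout (PODS, DEPENDENCIES, SPEC REPOS, SPEC CHECKSUMS, PODFILE CHECKSUM), assumes that CocoaPods records PODFILE CHECKSUM as a SHA-1 of the Podfile text, and uses a constructed sample Podfile, a constructed lockfile with made-up checksums, and a placeholder orphaned-pod list (ORPHANED_PODS) in place of EVA's real list of 1,866 pods.

```ruby
require 'yaml'
require 'digest'

# Constructed sample Podfile (not from any real project).
SAMPLE_PODFILE = <<~PODFILE
  platform :ios, '15.0'
  target 'DemoApp' do
    pod 'Alamofire', '~> 5.6'
    pod 'SwiftyJSON'
    pod 'OldForgottenPod'
  end
PODFILE

# Constructed sample Podfile.lock. The SPEC CHECKSUMS are made-up hex values;
# the PODFILE CHECKSUM is derived from SAMPLE_PODFILE so the two are in sync.
SAMPLE_LOCKFILE = <<~LOCK
  PODS:
    - Alamofire (5.6.4)
    - OldForgottenPod (1.0.2)
    - SwiftyJSON (5.0.1)

  DEPENDENCIES:
    - Alamofire (~> 5.6)
    - OldForgottenPod
    - SwiftyJSON

  SPEC REPOS:
    trunk:
      - Alamofire
      - OldForgottenPod
      - SwiftyJSON

  SPEC CHECKSUMS:
    Alamofire: 0123456789abcdef0123456789abcdef01234567
    SwiftyJSON: fedcba9876543210fedcba9876543210fedcba98

  PODFILE CHECKSUM: #{Digest::SHA1.hexdigest(SAMPLE_PODFILE)}

  COCOAPODS: 1.12.1
LOCK

# Placeholder denylist: in practice this is fed from the published list of
# orphaned pods rather than hard-coded.
ORPHANED_PODS = %w[OldForgottenPod].freeze

# Returns [[root_name, version], ...] for every entry in the PODS section.
# Subspec entries such as "Alamofire/Core (5.6.4)" collapse to their root pod.
def locked_pods(lock)
  (lock['PODS'] || []).map do |entry|
    spec = entry.is_a?(Hash) ? entry.keys.first : entry
    m = spec.match(/\A(\S+) \(([^)]+)\)\z/)
    raise "unparseable PODS entry: #{spec.inspect}" unless m
    [m[1].split('/').first, m[2]]
  end.uniq
end

# Audits a Podfile.lock against its Podfile and returns an array of findings.
def audit_lockfile(lock_text, podfile_text, orphaned: ORPHANED_PODS)
  lock = YAML.safe_load(lock_text)
  findings = []

  # Consistency: the lockfile must belong to this exact Podfile. The recorded
  # value is assumed to be a SHA-1 of the Podfile text, so a mismatch means the
  # Podfile changed without `pod install` being re-run and committed.
  expected = Digest::SHA1.hexdigest(podfile_text)
  unless lock['PODFILE CHECKSUM'].to_s == expected
    findings << 'PODFILE CHECKSUM mismatch: Podfile.lock is out of sync with the Podfile'
  end

  checksums = lock['SPEC CHECKSUMS'] || {}
  known_sources = (lock['SPEC REPOS'] || {}).values.flatten +
                  (lock['EXTERNAL SOURCES'] || {}).keys

  locked_pods(lock).each do |name, version|
    # Orphaned pods: no accountable owner, so treat them as unsafe to depend on.
    findings << "#{name} #{version}: listed as orphaned pod, replace or vendor it" if orphaned.include?(name)
    # Review: a pod without a recorded spec checksum cannot be verified later.
    findings << "#{name} #{version}: no SPEC CHECKSUM recorded" unless checksums.key?(name)
    # Review: every pod should have a recorded origin (a spec repo or an explicit external source).
    unless known_sources.include?(name)
      findings << "#{name} #{version}: origin not recorded in SPEC REPOS or EXTERNAL SOURCES"
    end
  end

  # Consistency: a dependency with no version requirement floats on `pod update`.
  (lock['DEPENDENCIES'] || []).each do |dep|
    dep = dep.keys.first if dep.is_a?(Hash)
    findings << "#{dep}: no version requirement in the Podfile, pin it" unless dep.include?('(')
  end

  findings
end

if __FILE__ == $PROGRAM_NAME
  audit_lockfile(SAMPLE_LOCKFILE, SAMPLE_PODFILE).each { |f| puts "FINDING: #{f}" }
end
```

Run against the sample it reports the orphaned pod, the missing checksum for that pod, and the two dependencies declared without a version requirement; a Podfile edited after the lockfile was generated additionally triggers the checksum mismatch. In a real pipeline, pass `File.read('Podfile.lock')` and `File.read('Podfile')` and fail the build when the returned array is non-empty.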

What to do next?

While the vulnerabilities in CocoaPods have been patched, this incident serves as a stark reminder of the precarious nature of the software supply chain. Third-party components are pervasive in applications, and attacks targeting these components can be complicated to detect.

Recent research indicates that defences such as Software Bills of Materials (SBOMs), code scanning, and restricted repository access are not always implemented effectively, further underscoring the need for vigilance in software development practices.

Contact Managed Cyber Security Experts Neuways

If you have any cyber security concerns, please reach out to Neuways. Our managed cyber security service will help your employees to protect your business.
