Millions of iOS apps have suffered a security breach: Your personal data could be at risk!

Ana sayfa / News

Millions of iOS and macOS apps are at risk from a vulnerability discovered by EVA Information Security that could be exploited for potential supply chain attacks. The vulnerability was found in CocoaPods, the open source repository where many popular apps are developed.

The vulnerability found in CocoaPods affects nearly 3 million iOS and macOS apps

CocoaPods is an open source library that makes it easy for developers to integrate third-party code into their applications. When a library is updated, apps that use it automatically receive the latest updates.

EVA Information Security revealed that this vulnerability could allow attackers to access sensitive application data such as credit card information, medical records, and even private material. This data can be used for many malicious purposes, including ransomware, fraud, blackmail and corporate espionage. And that’s a serious problem.

Vulnerability and actions taken

The vulnerabilities discovered were related to an insecure email verification mechanism used to verify individual library developers. For example, an attacker could redirect the URL in the verification link to a malicious server. The CocoaPods team has taken steps to fix these vulnerabilities.

After privately reporting the vulnerability to CocoaPods developers, EVA researchers scrubbed all session keys, ensuring that no one could access accounts without a registered email address.

CocoaPods administrators also added a new procedure for recovering old libraries. An author needs to contact the company to take over one of these libraries.

This is not the first time this has happened, in 2021 the project’s administrators confirmed a security issue that allowed CocoaPods repositories to run arbitrary code on the servers that manage them. This security issue could in turn be used to replace existing packages with malicious versions and inject that code into iOS and Mac apps.

EVA researchers advise developers using CocoaPods in their apps to always review CocoaPods libraries and run security scans to detect malicious code in all external libraries.

This vulnerability, which could affect millions of iOS and macOS apps, once again demonstrates the importance of protecting user data. What do you think? Share your thoughts with us in the comments.