CocoaPods and the biggest Apple app exploit that never was (probably)

Security researchers have revealed how they uncovered a bunch of vulnerabilities in a software tool used by developers of iOS and macOS apps that could have exposed hundreds of thousands of applications and millions of users to harm.

But here’s the thing: nobody knows if the vulnerabilities were exploited. “Evidence of absence is not absence of evidence,” said the researchers, Reef Spektor and Eran Vaknin from offensive security outfit EVA Information Security, and authors of the report.

The discovery of CVE-2024-38368, CVE-2024-38366 and CVE-2024-38367 in the open-source CocoaPods dependency manager could well have prevented one of the biggest software supply chain exploits to date. And that’s not journalistic hyperbole: CocoaPods covers an estimated “100,000 libraries used in over 3 million mobile apps,” the report states.

How researchers discovered CocoaPods vulnerabilities

The critical vulnerabilities came to light as part of a red team penetration testing exercise. CocoaPods is the de-facto dependency manager for most iOS and macOS application developers, used to integrate external libraries into a project while verifying the integrity of those components.

If you want the full technical detail then do please read the report, but suffice it to say that any malicious actor could claim ownership of any package, or pod, that had been left unclaimed and use it to insert their own code into popular apps.

“Such an attack on the mobile app ecosystem could infect almost every Apple device, leaving thousands of organisations vulnerable to catastrophic financial and reputational damage,” said the researchers.

“One of the vulnerabilities could also enable zero day attacks against the most advanced and secure organisations’ infrastructure.”


A decade-long security gap

Thankfully, the vulnerabilities were patched in October 2023, but the research has only now been cleared for publication. Those vulnerabilities had, however, been present for a decade before getting fixed.

“Developers and DevOps teams that have used CocoaPods in recent years should verify the integrity of open source dependencies used in their application code,” the researchers warn.
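One concrete way to act on that advice, and to catch the kind of silent pod takeover described above, is to diff the `SPEC CHECKSUMS` section of a project's `Podfile.lock` against a baseline of checksums the team last reviewed. The following is an added example written for this article, not code from the researchers or the CocoaPods project; the lockfile excerpt, pod names and checksum values are constructed.

```python
import re

# Constructed Podfile.lock excerpt (not real pods or hashes). CocoaPods
# records a SHA-1 of each resolved podspec under SPEC CHECKSUMS.
SAMPLE_LOCK = """\
PODS:
  - ExampleNetworking (4.0.1):
    - ExampleNetworking/Session (= 4.0.1)
  - ExampleOrphanedPod (1.2.0)

DEPENDENCIES:
  - ExampleNetworking (~> 4.0)
  - ExampleOrphanedPod

SPEC CHECKSUMS:
  ExampleNetworking: 0123456789abcdef0123456789abcdef01234567
  ExampleOrphanedPod: ffffffffffffffffffffffffffffffffffffffff

PODFILE CHECKSUM: 89abcdef0123456789abcdef0123456789abcdef

COCOAPODS: 1.15.2
"""

# Baseline of spec checksums the team last vetted (constructed values).
# ExampleOrphanedPod's podspec has changed since that review.
BASELINE = {
    "ExampleNetworking": "0123456789abcdef0123456789abcdef01234567",
    "ExampleOrphanedPod": "eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee",
}

def parse_spec_checksums(lock_text):
    """Return {pod_name: sha1} parsed from the SPEC CHECKSUMS section."""
    checksums = {}
    in_section = False
    for line in lock_text.splitlines():
        if line.startswith("SPEC CHECKSUMS:"):
            in_section = True
            continue
        if in_section:
            m = re.match(r"^\s+(\S+):\s+([0-9a-f]{40})\s*$", line)
            if not m:
                break  # blank line or next top-level key ends the section
            checksums[m.group(1)] = m.group(2)
    return checksums

def audit_lockfile(lock_text, baseline):
    """Flag pods whose podspec changed since review, plus unreviewed/removed pods."""
    current = parse_spec_checksums(lock_text)
    findings = {"changed": [], "new": [], "removed": []}
    for pod, digest in current.items():
        if pod not in baseline:
            findings["new"].append(pod)
        elif baseline[pod] != digest:
            findings["changed"].append(pod)
    findings["removed"] = sorted(set(baseline) - set(current))
    return findings

if __name__ == "__main__":
    print(audit_lockfile(SAMPLE_LOCK, BASELINE))
```

A non-empty `changed` or `new` list is a signal to re-review the pod's source and ownership before the build proceeds, rather than proof of compromise.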

Boris Cipot, Senior Security Engineer at the Synopsys Software Integrity Group, wasn’t surprised by the discovery, pointing out the complexity of modern-day software development.

“Even ecosystems like Apple’s, which was thought to be the safest system out there, are not immune to software bugs and vulnerabilities, especially when it comes to the usage of external software packages,” said Cipot.

“To keep a good overview of what is used in your software and to see if there are any new software vulnerabilities uncovered, software producers need to use a Software Composition Analysis (SCA) tool to track the component’s state over time in its complex constellation of direct and transitive dependencies.”

Davey Winder

With four decades of experience, Davey is one of the UK's most respected cybersecurity writers and a contributing editor to PC Pro magazine. He is also a senior contributor at Forbes. You can find him at TechFinitive covering all things cybersecurity.
