Decade-old Vulnerabilities Fixed, Addressing Supply Chain Risks for Multiple Apple Devices
EVA Information Security has uncovered three significant vulnerabilities in CocoaPods, a widely used tool for streamlining app updates on iOS and macOS devices. The vulnerabilities were present for nearly a decade before being identified and patched in October 2023, and they posed substantial risk because they could have let attackers inject malware into apps that rely on CocoaPods. CocoaPods is the mechanism through which developers pull pre-written third-party code into iOS and macOS applications, which is what makes these flaws particularly concerning: an attacker able to abuse them could have introduced malicious code into the apps that depend on affected packages.
The vulnerabilities originated from a migration process in May 2014 that left numerous CocoaPods packages susceptible to exploitation. According to EVA researchers, CocoaPods is extensively used by iOS developers, including major companies such as Google, GitHub, Amazon and Dropbox, underscoring the breadth of projects and dependency chains that could have been affected.
Of particular concern is CVE-2024-38368, identified as one of the most critical of the three, which could have enabled malware injection into apps through compromised packages. Exploitation could potentially have bypassed existing security controls and exposed user data.
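The practical defence against the "compromised packages" risk described above is on the consumer side: pin each pod to an exact version and treat any change in the podspec checksums recorded in Podfile.lock as something to review. The script below is an added example written for this article, not code from EVA Information Security or the CocoaPods project. The Podfile, Podfile.lock and baseline checksums are constructed samples, and the Podfile parser assumes the simple `pod 'Name', 'requirement'` form (it does not handle `:git`, `:path` or multi-requirement lines).

```python
"""
Audit a CocoaPods project for two supply-chain hygiene problems:
  1. pods in the Podfile that are not pinned to an exact version, which can
     silently move to a newer (possibly tampered) release on `pod update`;
  2. pods whose podspec checksum in Podfile.lock differs from a reviewed
     baseline, which signals that the spec the build resolves has changed.
All inputs below are constructed samples, not real project files.
"""
import re

# Constructed sample Podfile for a hypothetical project.
PODFILE = """
platform :ios, '15.0'
target 'ExampleApp' do
  pod 'Alamofire', '5.8.1'
  pod 'SwiftyJSON', '~> 5.0'
  pod 'Kingfisher'
end
"""

# Constructed sample Podfile.lock for the same project (digests are made up).
PODFILE_LOCK = """
PODS:
  - Alamofire (5.8.1)
  - Kingfisher (7.10.0)
  - SwiftyJSON (5.0.1)

DEPENDENCIES:
  - Alamofire (= 5.8.1)
  - Kingfisher
  - SwiftyJSON (~> 5.0)

SPEC REPOS:
  trunk:
    - Alamofire
    - Kingfisher
    - SwiftyJSON

SPEC CHECKSUMS:
  Alamofire: 0123456789abcdef0123456789abcdef01234567
  Kingfisher: 89abcdef0123456789abcdef0123456789abcdef
  SwiftyJSON: fedcba9876543210fedcba9876543210fedcba98

PODFILE CHECKSUM: 1111111111111111111111111111111111111111

COCOAPODS: 1.15.2
"""

# Constructed baseline: checksums reviewed earlier and committed alongside the
# project. Kingfisher differs on purpose so the audit has something to report.
BASELINE_CHECKSUMS = {
    "Alamofire": "0123456789abcdef0123456789abcdef01234567",
    "Kingfisher": "0000000000000000000000000000000000000000",
    "SwiftyJSON": "fedcba9876543210fedcba9876543210fedcba98",
}

# Matches `pod 'Name'` or `pod 'Name', 'requirement'` (simple form only).
POD_LINE = re.compile(r"""^\s*pod\s+['"]([^'"]+)['"](?:\s*,\s*['"]([^'"]+)['"])?""")
EXACT_VERSION = re.compile(r"^\d+(\.\d+)*$")


def unpinned_pods(podfile_text):
    """Return pod names whose requirement is absent or a range (~>, >=, ...)."""
    result = []
    for line in podfile_text.splitlines():
        m = POD_LINE.match(line)
        if not m:
            continue
        name, requirement = m.group(1), m.group(2)
        if requirement is None or not EXACT_VERSION.match(requirement.strip()):
            result.append(name)
    return result


def spec_checksums(lock_text):
    """Parse the SPEC CHECKSUMS section of a Podfile.lock into {pod: sha1}."""
    checksums = {}
    in_section = False
    for line in lock_text.splitlines():
        if line.startswith("SPEC CHECKSUMS:"):
            in_section = True
            continue
        if in_section:
            if not line.startswith("  "):  # blank line or next top-level key
                break
            name, _, digest = line.strip().partition(":")
            checksums[name.strip()] = digest.strip()
    return checksums


def changed_checksums(lock_text, baseline):
    """Return {pod: (baseline_digest, current_digest)} for changed or new pods."""
    diffs = {}
    for name, digest in spec_checksums(lock_text).items():
        expected = baseline.get(name)
        if expected != digest:
            diffs[name] = (expected, digest)
    return diffs


if __name__ == "__main__":
    print("Unpinned pods:", unpinned_pods(PODFILE))
    print("Checksum drift:", changed_checksums(PODFILE_LOCK, BASELINE_CHECKSUMS))
```

The SPEC CHECKSUMS entries cover the podspec that CocoaPods resolved, not the source archive it downloads, so this check catches a swapped or edited spec but must be paired with review of the fetched source (for example, a vendored copy or a pinned commit) to cover the package contents themselves.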
EVA promptly disclosed the vulnerabilities to CocoaPods, which patched them in October 2023, ahead of public disclosure. To date there have been no reported instances of these vulnerabilities being exploited in the wild. CocoaPods’ prompt response mitigated the risk for the app developers and users who rely on the platform.