More than 3 million apps are exposed: can we defend ourselves from the CocoaPods security flaw?
A much more serious attack than it seems

- July 3, 2024
- Updated: July 14, 2024 at 12:42 PM

More than three million iOS and macOS applications have been exposed to a serious security flaw recently discovered in CocoaPods, the open-source dependency manager used to pull third-party libraries into Swift and Objective-C projects. This is revealed by an investigation carried out by EVA Information Security and reported by Ars Technica, and it is a reminder of the importance of owning our own code and auditing the third-party code we ship. But from the users' point of view, can we defend ourselves?
A security flaw that went unnoticed for 10 years
CocoaPods is a service that makes it easy to integrate third-party code into applications, allowing developers to pull updated libraries automatically. That convenience comes with an inherent risk: the app inherits whatever the library's publisher, or anyone who can impersonate that publisher, decides to ship. The vulnerabilities found centre on the insecure email-based verification that CocoaPods uses to authenticate library (pod) owners.
For roughly ten years, going back to the 2014 move to the CocoaPods Trunk server, an attacker could have tampered with the verification link sent to a developer so that it pointed at a server under the attacker's control. A developer clicking that link would hand over the session needed to publish on their behalf, and from there the attacker could push modified library code that every app depending on it would automatically build in. Such code could read sensitive data such as credit card details, medical records and other private material.
This type of vulnerability not only exposes confidential information to the risk of theft, but also opens the door to more complex attacks. The seriousness of the situation is accentuated when considering that many of the affected applications are used daily by millions of users worldwide.
Faced with this scenario, an inevitable question arises: how can we defend ourselves against such a vulnerability? The first line of defense is diligence on the part of application developers. EVA Information Security recommends that developers carefully review their CocoaPods dependencies and run security scans to detect malicious code in every external library. In practice that means pinning each pod to a reviewed version, keeping Podfile.lock under version control, and treating any change to a pod's checksum in that file as something to examine before shipping.
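As an added example (not code from the article, from EVA Information Security or from CocoaPods), the script below parses the Podfile.lock that `pod install` writes, compares each pod's pinned version and SPEC CHECKSUM against a baseline a reviewer has already approved, and flags the kinds of drift a hijacked pod would produce: a new dependency, a version change, or a changed podspec checksum at the same version. The lockfile text, the baseline and the pod named InternalAnalytics are constructed sample data.

```python
"""Audit a Podfile.lock against a reviewed baseline of pod versions and checksums.

Added example, not code from the article, EVA Information Security or CocoaPods.
The lockfile below is constructed sample data in the layout `pod install` writes;
InternalAnalytics is a made-up pod.
"""
import re
from dataclasses import dataclass
from typing import Optional

HEX40 = re.compile(r"^[0-9a-f]{40}$")  # SPEC CHECKSUMS are SHA-1 hex digests of the podspec

SUM_ALAMOFIRE = "1" * 40
SUM_SWIFTYBEAVER = "2" * 40
SUM_INTERNAL = "3" * 40
PODFILE_SUM = "9" * 40

SAMPLE_LOCK = f"""\
PODS:
  - Alamofire (5.9.1)
  - InternalAnalytics (1.4.0):
    - Alamofire (~> 5.9)
  - SwiftyBeaver (2.0.0)

DEPENDENCIES:
  - Alamofire (~> 5.9)
  - InternalAnalytics (from `https://git.example.internal/ios/analytics.git`)
  - SwiftyBeaver (~> 2.0)

EXTERNAL SOURCES:
  InternalAnalytics:
    :git: https://git.example.internal/ios/analytics.git

SPEC REPOS:
  trunk:
    - Alamofire
    - SwiftyBeaver

SPEC CHECKSUMS:
  Alamofire: {SUM_ALAMOFIRE}
  InternalAnalytics: {SUM_INTERNAL}
  SwiftyBeaver: {SUM_SWIFTYBEAVER}

PODFILE CHECKSUM: {PODFILE_SUM}

COCOAPODS: 1.15.2
"""

# Versions and checksums a reviewer signed off on earlier (constructed).
# SwiftyBeaver's checksum deliberately differs from the lockfile above.
BASELINE = {
    "Alamofire": ("5.9.1", SUM_ALAMOFIRE),
    "SwiftyBeaver": ("2.0.0", "4" * 40),
}


@dataclass
class LockEntry:
    name: str
    version: str
    checksum: Optional[str] = None  # from SPEC CHECKSUMS
    repo: Optional[str] = None      # spec repo from SPEC REPOS; None for git/path sources


def parse_podfile_lock(text: str) -> dict:
    """Map root pod name -> LockEntry using PODS, SPEC REPOS and SPEC CHECKSUMS.
    Subspecs (Foo/Bar) roll up to Foo; deeper-indented PODS lines are transitive
    dependencies and are skipped."""
    entries, section, repo = {}, None, None
    for raw in text.splitlines():
        if raw and not raw[0].isspace():          # top-level "NAME:" starts a section
            section, repo = raw.rstrip(":").strip(), None
            continue
        if section == "PODS":
            m = re.match(r"^  - (\S+) \(([^)]+)\):?$", raw)
            if m:
                root = m.group(1).split("/")[0]
                entries.setdefault(root, LockEntry(root, m.group(2)))
        elif section == "SPEC REPOS":
            m_repo = re.match(r"^  (\S+):$", raw)
            m_pod = re.match(r"^    - (\S+)$", raw)
            if m_repo:
                repo = m_repo.group(1)
            elif m_pod and m_pod.group(1) in entries:
                entries[m_pod.group(1)].repo = repo
        elif section == "SPEC CHECKSUMS":
            m = re.match(r"^  (\S+): (\S+)$", raw)
            if m and m.group(1) in entries:
                entries[m.group(1)].checksum = m.group(2)
    return entries


def audit(lock_text: str, baseline: dict) -> list:
    """Compare a lockfile with {pod: (version, checksum)}; return sorted findings."""
    entries = parse_podfile_lock(lock_text)
    findings = []
    for name, e in entries.items():
        if e.checksum is None or not HEX40.match(e.checksum):
            findings.append(f"{name}: missing or malformed SPEC CHECKSUM")
        if name not in baseline:
            findings.append(f"{name}: new dependency {e.version} "
                            f"(source: {e.repo or 'external'}) not in reviewed baseline")
            continue
        base_ver, base_sum = baseline[name]
        if e.version != base_ver:
            findings.append(f"{name}: version changed {base_ver} -> {e.version}; review the release")
        elif e.checksum is not None and e.checksum != base_sum:
            # Same version, different podspec: what a hijacked publisher account could produce.
            findings.append(f"{name}: podspec checksum changed at version {e.version}")
    for name in baseline:
        if name not in entries:
            findings.append(f"{name}: in baseline but no longer in lockfile")
    return sorted(findings)


if __name__ == "__main__":
    for line in audit(SAMPLE_LOCK, BASELINE) or ["no drift from reviewed baseline"]:
        print(line)
```

Run it as a pre-merge check against the real Podfile.lock and a baseline committed alongside it; an empty result means every pod still matches what was reviewed, while a checksum change at an unchanged version is the signal worth stopping a release for.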
After being notified by the EVA researchers, the CocoaPods maintainers wiped all session keys, forcing every pod owner to re-authenticate, and introduced a new procedure for reclaiming abandoned (orphaned) libraries. Even so, the responsibility for what ends up inside an app still lies with its developers.
Given the media attention, developers using CocoaPods can be expected to scan and review the contents of their applications. Once that is done, all we can do on our side, as with the recent AirPods security update, is to install promptly any updates that appear in the App Store.
Beyond that, as we have always said, it is important to install apps only from trusted sources. The App Store's review process and app sandboxing help here, but for apps that handle sensitive data it is also worth checking who is behind the development and how seriously they take security. Dependence on third-party libraries is perhaps too common a practice, and without proper safeguards it carries more risk than benefit.
Architect | Founder of hanaringo.com | Apple Technologies Trainer | Writer at Softonic and iDoo_tech, formerly at Applesfera