CocoaPods Security Alert: Critical Bugs Expose Millions of Apps

A recent security analysis discovered critical vulnerabilities in CocoaPods, the widely used dependency management platform for Apple developers. These vulnerabilities pose significant risks to iOS and macOS apps, potentially allowing attackers to compromise user data and system integrity.

Apple CocoaPods Bugs Expose Millions of Apps to Code Injection

CocoaPods is a platform allowing Apple developers to add and manage other libraries (called "pods"). It has 100,000+ libraries that are utilized by over three million apps, including the most popular worldwide. 

A brief scan of its website finds bundles for Instagram, X, Slack, AirBnB, Tinder, and Uber, to name a few. This makes the pods excellent targets for hackers, and the CocoaPods platform, if it contains an underlying, platform-wide vulnerability, a veritable money pit.

According to research released recently by E.V.A Information Security, the CocoaPods platform has a trio of significant vulnerabilities. The most serious of them, CVE-2024-38366, a remote code execution (RCE) opportunity, received a critical 10 out of 10 CVSS rating. CVE-2024-38368, another notable fault caused by pods without owners, received a critical 9.3, while CVE-2024-38367, a session verification hijacking vulnerability, received an 8.2 rating.

1. Remote Code Execution (CVE-2024-38366)

A severe flaw in CocoaPods enabled attackers to inject malicious code into app builds during the dependency resolution process. The impact: Apps relying on compromised dependencies could execute arbitrary code, leading to serious security breaches.

2. Unowned Pods (CVE-2024-38368)

Some CocoaPods lacked proper ownership, making them susceptible to unauthorized modifications. The risk- Attackers could replace legitimate pods with malicious versions, compromising app functionality and user trust.

3. Session Verification Hijacking (CVE-2024-38367)

CocoaPods failed to adequately verify session tokens during package installation. The consequence? Apps unintentionally using compromised libraries could suffer security breaches.

How to Stay Safe?

Regular Dependency Updates

• Developers must consistently update their CocoaPods dependencies to receive security patches promptly.
• Tools like pod outdated help identify outdated libraries.

Ownership Verification

• Before integrating third-party pods, verify their ownership and integrity.
• Consider using signed pods or checksums to ensure authenticity.

Code Signing and Notarization

• Code signing ensures that only trusted code runs on users’ devices.
• Apple’s notarization process adds an extra layer of security by verifying app binaries.

Finding Exploit A Long Shot

There is no convincing evidence that attackers exploited any of the vulnerabilities discovered by the researchers and patched by CocoaPods in October.

It's worth mentioning, however, that the easily concealable nature of software supply chain flaws, along with the enormous number of pods at danger for so long, would provide adequate cover for anyone who did.

Finding a CocoaPods exploit during the last decade would appear to be simple, but this has not been the case. Instead, E.V.A. suggests that all developers of apps that relied on pods prior to last October (i.e., almost all Apple apps) take six remedial steps, including checking for orphaned pods and extensively evaluating all third-party code dependencies.