CocoaPods flaws left iOS, macOS apps open to supply-chain attack

Recently patched vulnerabilities in a software dependency management tool used by developers of applications for Apple’s iOS and MacOS platforms, could have opened the door for attackers to insert malicious code into many of the most popular apps on those platforms.

One particular security weakness in the CocoaPods dependency manager created a mechanism for hackers to launch supply chain attacks, security researchers at EVA Information Security warned Monday.

Developers who relied on CocoaPods over recent years should verify the integrity of open source dependencies in their code in response to these security weaknesses, EVA advised.

CocoaPods is an open-source dependency manager for Swift and Objective-C projects. Software developers use the technology to verify the integrity and authenticity of the components they’re using by ensuring the checksums and digital signatures of packages are all present and correct.

Orphaned pods

The flaws in CocoaPods ecosystem undermined this process by making it possible for mendacious parties to claim ownership over thousands of unclaimed code “pods”. These pods could then be used to inject malicious code as part of a supply chain attack.

These unclaimed pods arose from a migration process 10 years ago that left thousands of orphaned packages in the system. Although orphaned, many of these software packages were still used by other applications, EVA discovered.

“Using a public API and an email address that was available in the CocoaPods source code, an attacker could claim ownership over any of these packages, which would then allow the attacker to replace the original source code with their own malicious code,” EVA wrote.

A publicly available API allowed anyone to claim orphaned pods without any ownership verification process.

By making a curl request to the publicly available API, and supplying the unclaimed targeted pod name, a potential attacker could claim an orphaned pod.

“An attacker would be able to manipulate the source code or insert malicious content into the newly claimed Pod,” EVA warned. “This pod would then go on to infect many downstream dependencies.”

EVA said that mentions of orphaned Pods appeared in the documentation of applications provided by Meta (Facebook, Whatsapp), Apple (Safari, AppleTV, Xcode), and Microsoft (Teams); as well as in TikTok, Snapchat, Amazon, LinkedIn, Netflix, Okta, Yahoo, Zynga, and many more.

The security researchers found 685 Pods that had an explicit dependency using an orphaned Pod, likely a fraction of the true figure once proprietary codebases are factored into the equation.

Reef Spektor, VP research at EVA Information Security, told CSOonline: “The vulnerabilities we discovered on CocoaPods have been present for the last decade. We cannot know for certain if the vulnerabilities have been exploited, but we know that if malicious actors were to perform supply chain attacks, the impact would be substantial, affecting both Apple ecosystem consumers and enterprises developing applications.”

Trunk call

A separate vulnerability, CVE-2024-38368, created a mechanism for an attacker to infiltrate the CocoaPods ‘Trunk’ server.

Attacks were possible because an “insecure email verification workflow could be exploited to run arbitrary code on the CocoaPods ‘Trunk’ server” allowing an attacker to manipulate or replace the packages being downloaded, according to the Israeli security consultancy.

“By spoofing an HTTP header and taking advantage of misconfigured email security tools, attackers could execute a zero-click attack that grants them access to a developer’s account verification token,” EVA warned. “This would allow attackers to change packages on the CocoaPods server and result in supply chain and zero day attacks.”

EVA Spektor commented that supply chain attacks are an “everlasting risk” to anyone relying on third-party software. “The attack vectors for supply chain attacks are getting more and more sophisticated as the technology progresses,” according to Spektor.

Remediation

EVA informed CocoaPods of the problems, which have since been patched, enabling the security consultancy to go public with its findings. CocoaPods’ developers did not immediately respond to CSOonline’s request for comment.

Developers are advised to review dependency lists and package managers used in their applications, validate checksums of third-party libraries in response to the vulnerabilities.

General best practice guidelines involve periodic scans to detect malicious code or suspicious changes. Limiting the use of orphaned or unmaintained packages is also a good idea.