A security vulnerability discovered in CocoaPods, the dependency manager most iOS developers rely on, potentially exposed millions of iOS apps to compromise.
Dependency managers help developers speed up product development by reusing code written by other companies or developers. A dependency manager operates at the source code level and automates fetching, versioning and integrating that third-party code. The most popular dependency manager for iOS apps is CocoaPods.
Vulnerability in CocoaPods potentially compromised the security of millions of iOS apps
Recently, the maintainers of CocoaPods released a statement in a blog post detailing a security issue that had been discovered in the trunk server (the service that accepts and publishes podspecs) and had been present since June 2015 – six years is plenty of time for attackers to potentially exploit a vulnerability in such a popular dependency manager. Here’s how the exploit worked, in the maintainers’ own words:
During the deploy of a podspec to trunk, the server validates that the repo is accessible to git. This is done to help fix potentially broken podspecs with typos, local auth which won’t work for others, or external repos that don’t have tags already set up. This validation used to rely on using the git CLI on trunk, using git ls-remote to replicate the same check as a user’s git would, but ls-remote has a parameter --upload-pack which can be used to execute a new shell. This meant an attacker could create a specially crafted podspec via source, which would trigger the --upload-pack param and execute an arbitrary command on trunk.
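To make the failure mode concrete, here is an added example (written for this page, not code from the CocoaPods trunk server) that models the reachability check described above in Ruby, the language trunk is written in. It builds the git command two vulnerable ways (a shell-interpolated string and a bare argv) and one hardened way, without ever executing git, so it runs offline. The attacker-controlled source value, the allowed-scheme list and the helper names are assumptions made for illustration; the exact payload used against trunk is not published on this page.

```ruby
require 'uri'
require 'shellwords'

# Added example, not CocoaPods trunk code. It models the validation step:
# the server confirms a podspec's git source is reachable by running
# `git ls-remote <source>`. Commands are only constructed here, not run.

# Vulnerable shape 1: the podspec source is interpolated into a shell string.
# Whitespace in the value becomes extra arguments, so an attacker can append
# --upload-pack, which names the program git runs for ssh and local transports.
def ls_remote_shell_vulnerable(source)
  "git ls-remote #{source}"
end

# Vulnerable shape 2: no shell, but the value is still a positional argument.
# A value that itself begins with "--" is parsed by git as an option,
# not as a repository, so --upload-pack can still be smuggled in.
def ls_remote_argv_vulnerable(source)
  ['git', 'ls-remote', source]
end

# Constructed attacker-controlled source value (assumption, for illustration).
MALICIOUS_SOURCE = "https://example.com/pod.git --upload-pack='touch /tmp/pwned'"

# Hardened validation: reject option-like and whitespace-bearing values,
# allow only remote URL schemes (over https git never launches a local
# upload-pack program), and end git's option parsing with "--" so whatever
# follows is taken as the repository. The scheme list is an assumption.
ALLOWED_SCHEMES = %w[https http git ssh].freeze

def validate_git_source(source)
  raise ArgumentError, 'option-like source rejected' if source.start_with?('-')
  raise ArgumentError, 'whitespace in source rejected' if source.match?(/\s/)
  begin
    uri = URI.parse(source)
  rescue URI::InvalidURIError
    raise ArgumentError, 'unparseable source'
  end
  unless ALLOWED_SCHEMES.include?(uri.scheme)
    raise ArgumentError, "scheme #{uri.scheme.inspect} not allowed"
  end
  raise ArgumentError, 'host required' if uri.host.nil? || uri.host.empty?
  source
end

def ls_remote_argv_hardened(source)
  ['git', 'ls-remote', '--', validate_git_source(source)]
end

# True when the tokenised command carries an --upload-pack option, i.e. when
# git would accept a caller-chosen program for the reachability check.
def upload_pack_injected?(argv)
  argv.any? { |a| a.start_with?('--upload-pack') }
end

if $PROGRAM_NAME == __FILE__
  # The shell would tokenise the interpolated string exactly like this.
  shell_argv = Shellwords.split(ls_remote_shell_vulnerable(MALICIOUS_SOURCE))
  puts "shell form tokenises to: #{shell_argv.inspect}"
  puts "upload-pack injected? #{upload_pack_injected?(shell_argv)}"
  begin
    ls_remote_argv_hardened(MALICIOUS_SOURCE)
  rescue ArgumentError => e
    puts "hardened form rejected it: #{e.message}"
  end
  puts ls_remote_argv_hardened('https://github.com/example/pod.git').inspect
end
```

The point of the hardened form is that no single measure is relied on: an argv array avoids shell splitting, the scheme allow-list keeps git away from transports where --upload-pack selects a local executable, and the "--" separator makes git treat anything remaining as a repository name even if a leading dash slipped past validation. Note that scp-style sources such as git@host:path are not URLs and would be rejected by this checker; a production version would need a separate grammar for them.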
One of the apps that uses CocoaPods is Signal, a messaging app with a strong emphasis on privacy. An attack against one of the dependencies Signal uses could potentially expose the data of millions of users. However, since the app’s development team reviews every dependency it uses, such an attack is very unlikely. All developers now have resources at their disposal to help them audit the dependencies they use. Signal provided the following statement to 9to5Mac in response to the incident.
“Signal was not affected by this vulnerability. In general, we audit all of our third party dependencies both at the time of adding them as well as when updating them. We keep our own copy of all these dependencies to make it easy to audit as well as to prevent unexpected changes, which can be found here. In addition, we did an extra audit after hearing about this vulnerability to verify that the code in that repo matches that code at the tags for all of our dependencies.”
As of right now, there is no evidence that the recently uncovered vulnerability was exploited. The issue has now been fixed, so developers and users do not need to be concerned at this point in time. The only developers affected by the fix are those who publish their own packages to CocoaPods: their trunk authentication tokens have been reset in case they were exposed through the flaw.