Flaws in CocoaPods left 3 million mobile apps exposed to serious security problems


Attackers may have had almost a decade in which to exploit a set of vulnerabilities affecting millions of mobile apps. The discovery has caused alarm among experts, because that is a very long window during which the code shipped inside those apps could have been replaced with code controlled by criminals.

What if you have been exposed to a security problem through something you have no control over? Even applications that should be safe turned out to be open to abuse. The reason is a serious set of flaws in one of the most widely used package repositories among developers who build applications.

Millions of users affected

It is hard to know how many people this newly disclosed incident may have affected, but experts say the figure could run anywhere from millions to billions of users, given how heavily the affected repository is used. It is CocoaPods, the dependency manager familiar to anyone who develops for iOS devices and macOS computers.

EVA Information Security CocoaPods Research Outline

Focused on the Apple ecosystem, this repository carried for about a decade a weakness that put the code libraries hosted there at risk. Attackers, as has now been discovered, could have inserted malicious code into libraries used by some 3 million apps, putting both users and developers in a difficult position. The good news is that the problems were reported privately and CocoaPods fixed them within a short time. Since October 2023 the flaws have been closed, although only now, with the public disclosure, are we learning what happened.

What has happened?

The EVA Information Security team found that CocoaPods was affected by three separate vulnerabilities, tracked as CVE-2024-38366, CVE-2024-38367 and CVE-2024-38368. In brief, they allowed an attacker to take ownership of "orphaned" pods whose maintainers were lost in a 2014 migration to the current trunk server, to run code on the trunk server itself, and to hijack a maintainer's session through a manipulated email verification link. Any of these gives an attacker the ability to publish code under a trusted library's name and so to insert their own commands into the applications that depend on it. In sensitive applications the consequences for users could be critical: attackers could reach the personal data those applications handle or store, from bank accounts to personal records or medical data and anything else that should be kept strictly private.

CocoaPods is not a store for downloading apps but a repository of Swift and Objective-C libraries on which millions of applications depend. The key point for understanding the level of risk is that developers pull these libraries into their apps at build time, so a poisoned library is compiled into the app and reaches users through an ordinary app update, with no action by the user and no obvious sign that anything changed. That is what makes this case so complicated and widens the exposure.

EVA Information Security's CocoaPods Infection Explained

CocoaPods says that as soon as it learned of the flaws it fixed them and introduced several measures to prevent this type of incident. It also notes that, while the attack scenarios described by EVA Information Security are possible, it has found no evidence that anyone exploited them. Even so, the sense of insecurity among the community and the developers who work with CocoaPods is understandable.

In any case, with the current security measures in place there should be no further problems. CocoaPods also states that users of affected apps do not need to do anything, since the fixes were applied on the server side. Developers, for their part, should review the libraries their apps pull in, pin dependency versions, and check their Podfile.lock for unexpected changes to make sure there are no surprises.
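As an added example (not code from the article, from CocoaPods or from EVA Information Security), the following Python script performs the check a developer would want after this disclosure: it diffs a previously reviewed Podfile.lock against the current one and flags pods whose podspec checksum changed without a version bump, which is the signature of a republished podspec for an already-released version, and it lists direct dependencies that are not pinned to an exact version. It assumes the line-oriented Podfile.lock layout shown in the constructed samples; the checksums in them are made up. Note that the SPEC CHECKSUMS entry in a lockfile is a SHA-1 of the podspec, not of the downloaded source archive, so this catches a repointed source URL or altered build settings but not a tag that was moved on the upstream repository.

```python
"""
Audit a CocoaPods Podfile.lock for unexpected dependency changes.

Added example, not code from the article or from the CocoaPods project.
Assumes the common Podfile.lock layout: top-level pods under "PODS:" as
"  - Name (version)", direct dependencies under "DEPENDENCIES:", and
"SPEC CHECKSUMS:" as "  Name: <sha1 of the podspec>".
"""
import re

POD_LINE = re.compile(r"^  - ([^\s(]+) \(([^)]+)\)")      # "  - Alamofire (5.6.4)"
DEP_LINE = re.compile(r"^  - ([^\s(]+)(?: \((.*)\))?$")   # "  - Alamofire (= 5.6.4)"
CHECKSUM_LINE = re.compile(r"^  ([^\s:]+): ([0-9a-f]+)$")  # "  Alamofire: <sha1>"


def _sections(text):
    """Yield (section_name, line) for every line, tracking top-level headers."""
    section = None
    for line in text.splitlines():
        if line and not line.startswith(" "):
            section = line[:-1] if line.endswith(":") else None
            continue
        yield section, line


def parse_lockfile(text):
    """Return {pod_name: {"version": str, "checksum": str}} (checksum only for root pods)."""
    pods = {}
    for section, line in _sections(text):
        if section == "PODS":
            m = POD_LINE.match(line)  # only 2-space entries; nested deps are indented deeper
            if m:
                pods.setdefault(m.group(1), {})["version"] = m.group(2)
        elif section == "SPEC CHECKSUMS":
            m = CHECKSUM_LINE.match(line)
            if m:
                pods.setdefault(m.group(1), {})["checksum"] = m.group(2)
    return pods


def unpinned_dependencies(text):
    """Direct dependencies whose Podfile requirement is not an exact "= x.y.z" pin.
    Path and git sources are flagged too; verify those by hand."""
    unpinned = []
    for section, line in _sections(text):
        if section != "DEPENDENCIES":
            continue
        m = DEP_LINE.match(line)
        if m and not (m.group(2) or "").startswith("= "):
            unpinned.append(m.group(1))
    return unpinned


def diff_lockfiles(baseline_text, current_text):
    """Compare a reviewed lockfile with the current one; return (severity, message) findings."""
    base, cur = parse_lockfile(baseline_text), parse_lockfile(current_text)
    findings = []
    for name in sorted(set(base) | set(cur)):
        b, c = base.get(name), cur.get(name)
        if b is None:
            findings.append(("review", f"new pod added: {name} {c.get('version')}"))
        elif c is None:
            findings.append(("review", f"pod removed: {name}"))
        elif b.get("version") != c.get("version"):
            findings.append(("review", f"{name} version changed {b['version']} -> {c['version']}"))
        elif b.get("checksum") and c.get("checksum") and b["checksum"] != c["checksum"]:
            # Same version, different podspec: the published spec for an already
            # released version was altered (e.g. source URL repointed). Treat as hostile.
            findings.append(("alert", f"{name} {b['version']}: podspec checksum changed without a version bump"))
    return findings


# Constructed sample lockfiles (versions and checksums are made up for this example).
BASELINE_LOCK = """PODS:
  - AFNetworking (4.0.1):
    - AFNetworking/NSURLSession (= 4.0.1)
  - AFNetworking/NSURLSession (4.0.1)
  - Alamofire (5.6.4)
  - SwiftyJSON (5.0.1)

DEPENDENCIES:
  - AFNetworking (~> 4.0)
  - Alamofire (= 5.6.4)
  - SwiftyJSON

SPEC CHECKSUMS:
  AFNetworking: 0000000000000000000000000000000000000001
  Alamofire: 0000000000000000000000000000000000000002
  SwiftyJSON: 0000000000000000000000000000000000000003

PODFILE CHECKSUM: 0000000000000000000000000000000000000099

COCOAPODS: 1.15.2
"""

CURRENT_LOCK = BASELINE_LOCK.replace(
    "  - SwiftyJSON (5.0.1)", "  - Kingfisher (7.10.0)\n  - SwiftyJSON (5.0.2)"
).replace(
    "  Alamofire: 0000000000000000000000000000000000000002",
    "  Alamofire: 00000000000000000000000000000000000000ff",   # same version, new podspec
).replace(
    "  SwiftyJSON: 0000000000000000000000000000000000000003",
    "  Kingfisher: 0000000000000000000000000000000000000004\n"
    "  SwiftyJSON: 0000000000000000000000000000000000000005",
)

if __name__ == "__main__":
    for severity, message in diff_lockfiles(BASELINE_LOCK, CURRENT_LOCK):
        print(f"[{severity}] {message}")
    print("unpinned direct dependencies:", unpinned_dependencies(CURRENT_LOCK))
```

In practice the baseline is the Podfile.lock committed after the last review and the current one is the working tree after `pod update`; wire the "alert" severity to fail the build and treat "review" findings as items for the pull request.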

CocoaPods attack process as explained by EVA Information Security

It should be noted that CocoaPods is one of the most widely used tools for building applications for Apple devices, so the risk over the years was real. Millions of iPhones, Apple Watches, Apple TV devices and, of course, Mac computers run software that depends on it. For the full detail of the threat and what it meant, the analysis published by EVA Information Security covers everything you need to know.
