Date: 2021-04-22

iOS and, basically, every other Apple operating system has a reputation for being locked down and offering no holes through which the security of our iPhone could be lost. Unfortunately, that is not usually the case. Unlike on Android, the malware is not so visible to those who monitor for it, but the threat is always latent.

That is precisely what has happened today with one of the most widely used repositories for developing applications in iOS (and iPadOS) and Mac environments: hackers could have taken advantage of a security flaw present in one of the most important resources of CocoaPods for developing applications for Apple ecosystems. And no one knows, yet, the extent of that security breach.

Open failure since 2015

CocoaPods is one of those places developers turn to for resources that make programming their own applications easier, taking advantage of the work of other teams that have already gone down the same path. Those responsible for it are the ones who raised the alarm last Monday about a problem that, as they confessed, has been open since June 2015. So quite possibly a good part of the apps developed since then, with portions pulled from that repository, may be vulnerable.

The way to do it was very simple: hackers could have placed malware within those resources and executed it there, and those resources end up becoming applications for iOS and iPadOS as well as Mac or tvOS. That could spread a threat quickly if it managed to sneak into one of the most popular applications in Tim Cook's App Store.

The example given is Signal: although it also uses that repository for its development, the company then audits each application package to avoid problems and verify that there are no threats within its code.
But when it comes to other companies that are not as punctilious about that control, that is when the problems arise. Signal has declared that its application “was not affected by this vulnerability” since “in general, we audit all our resources obtained from third parties both at the time of adding them and updating them. We keep our own copy of all of them to facilitate the audit and avoid unexpected changes, which can be found here. In addition, we did an additional analysis after learning about this vulnerability, to verify that the code in that repository matches the code in the labels of all our dependencies.”

CocoaPods does not know the extent of this problem, or whether hackers have managed to sneak malware into apps that are currently in the App Store, but it is alerting all developers to establish more controls to tackle any possible problem.
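The kind of check Signal describes, comparing a vendored copy of a dependency with the code published upstream, can be sketched as follows. This is an added example, not code from Signal or CocoaPods; it assumes the upstream release tag has already been checked out into a separate directory, and the function names and the `ExamplePod` files are hypothetical, constructed sample data.

```python
import hashlib
import os
import tempfile

def tree_digests(root):
    """Map each file path (relative to root, '/'-separated) to its SHA-256."""
    digests = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]  # skip VCS metadata
        for name in filenames:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            digests[rel] = digest
    return digests

def compare_vendored(vendored_dir, tag_checkout_dir):
    """Report every file that differs between the vendored copy and the tag."""
    ours, theirs = tree_digests(vendored_dir), tree_digests(tag_checkout_dir)
    return {
        "modified": sorted(p for p in ours.keys() & theirs.keys() if ours[p] != theirs[p]),
        "only_in_vendored": sorted(ours.keys() - theirs.keys()),
        "only_in_tag": sorted(theirs.keys() - ours.keys()),
    }

def _write(root, rel, data):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)

def demo():
    """Constructed sample: a tag checkout and a vendored copy that has drifted."""
    with tempfile.TemporaryDirectory() as tmp:
        tag, vendored = os.path.join(tmp, "tag"), os.path.join(tmp, "vendored")
        for root in (tag, vendored):
            _write(root, "ExamplePod/Sources/Net.swift", b"func fetch() {}\n")
            _write(root, "ExamplePod/LICENSE", b"MIT\n")
        _write(tag, "ExamplePod/Sources/Util.swift", b"func util() {}\n")
        _write(vendored, "ExamplePod/Sources/Net.swift", b"func fetch() { extra() }\n")
        _write(vendored, "ExamplePod/Sources/Hook.swift", b"func extra() {}\n")
        return compare_vendored(vendored, tag)

if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Any non-empty list in the result is a file to review before the dependency is added or updated.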