Re: Orphaned CodoPods are found in Apple software

On 08/07/2024 21:58, Wolf Greenblatt wrote:

On Mon, 8 Jul 2024 08:06:48 -0000 (UTC), Chris wrote:
 

Probably very true. All I know is researchers found a flaw in millions of
mac/iOS apps and Apple didn't find that same flaw even after a decade.

>
The point that's being missed is that no-one else spotted it either.
Despite existing for so long it was never exploited.

 Three million iOS/macOS apps were vulnerable for a decade, and Apple didn't
even care to think about backing up their own claims of safety & security.
 

This was specifically an error on the side of the people managing the
CocoaPods library. They should not have left orphan accounts open
indefinitely.

 It's worse than that because ANYONE (yes, even you and me) could have
injected code into those apps for a decade without Apple caring about it.

You could say the same about any currently unknown, but existing, vulnerability available in any software. Do Google, Microsoft, etc also not care about those?
Doesn't the fact that it was there undiscovered for ten years tell you that it was far from trivial.

>

Shouldn't Apple care that millions of mac/iOS apps are vulnerable?

>
*were* vulnerable. It was fixed last year. It has only been reported
recently for obvious reasons.

 It was fixed but Apple didn't even know about it until someone told them
that anyone (yes, even you and me) could have injected code into any of
three million macOS/iOS apps for over a decade because Apple didn't care.

Apple didn't know because 1) it wasn't their software, 2) NO ONE knew.
You're using the benefit of hindsight to claim that something was easy to do.
Why don't you pick a commonly used library in Windows development and see how far you get in injecting code into the Microsoft App Store? Please keep us up to date on progress.