Python is a popular programming language used to build popular smartphone apps such as YouTube, Instagram, Reddit and Spotify. A code repository is an archive (akin to a bank) of code written in a programming language, constantly updated by open-source developers who work on various app projects.
GitHub, for instance, is used by developers to post, log and update their work, and to distribute it to fellow developers under a licence. The platform, owned by Microsoft, claims to currently have over 83 million developers and 200 million code repositories. Software developers around the world can access packages and scripts contributed by their counterparts and freely use them to develop new products.
According to Check Point, hackers target a script—a series of instructions—in the PyPI repository that handles the installation process of an app built on Python.
PyPI is simply a case in point. Security experts point out that thousands of malicious code snippets that have invaded public programming-language repositories are finding their way into public mobile applications, increasing the chances of security glitches and backdoors (vulnerabilities in the code that hackers exploit) being installed in these apps.
The malicious code snippets run in the background, so they are not always noticed by developers. Big companies with their own apps have large teams working constantly to keep them secure, but independent developers have no such means, making them easy prey for hackers.
According to security firms, it is this open nature of repositories that makes them vulnerable to security breaches.
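The installation-script vector described above, as an added example that is not part of the original article: a small static checker a developer can run over a downloaded package's setup.py before installing it, since a package's install script executes on the developer's machine at `pip install` time. It uses only Python's standard-library `ast` module; the function names, the list of flagged calls, and the two embedded setup.py samples are constructed for this illustration.

```python
import ast

# Calls that have no business running at install time in a typical package
# (constructed watch-list; extend it for your own environment).
SUSPICIOUS_CALLS = {
    "exec", "eval", "compile",
    "os.system", "os.popen",
    "subprocess.run", "subprocess.Popen", "subprocess.call", "subprocess.check_output",
    "urllib.request.urlopen", "requests.get", "requests.post",
    "base64.b64decode", "socket.socket",
}

# setuptools command classes whose run() executes during installation.
INSTALL_COMMANDS = {"install", "develop", "egg_info", "build_py"}


def _dotted_name(node):
    """Return 'a.b.c' for a Name/Attribute chain, or None for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def audit_setup_py(source: str) -> list:
    """Return human-readable findings for the given setup.py source text.

    A finding is a prompt for manual review, not proof of malice: legitimate
    packages also register custom commands.
    """
    findings = []
    tree = ast.parse(source)
    for node in ast.walk(tree):
        # 1. A class subclassing a setuptools command: its run() executes with
        #    the installing user's privileges while pip installs the package.
        if isinstance(node, ast.ClassDef):
            for base in node.bases:
                base_name = _dotted_name(base)
                if base_name and base_name.split(".")[-1] in INSTALL_COMMANDS:
                    findings.append(
                        f"line {node.lineno}: class {node.name} overrides "
                        f"setuptools command '{base_name}'"
                    )
        if isinstance(node, ast.Call):
            name = _dotted_name(node.func)
            # 2. setup(..., cmdclass={...}) wires such a class into the install.
            if name in ("setup", "setuptools.setup"):
                for kw in node.keywords:
                    if kw.arg == "cmdclass":
                        findings.append(f"line {node.lineno}: setup() registers a custom cmdclass")
            # 3. Calls that spawn processes, fetch URLs, or decode hidden code.
            if name in SUSPICIOUS_CALLS:
                findings.append(f"line {node.lineno}: call to {name}")
    return findings


# Constructed benign sample: declarative metadata only.
BENIGN_SETUP = """
from setuptools import setup, find_packages
setup(name="example-pkg", version="1.0.0", packages=find_packages())
"""

# Constructed suspicious sample: hooks the install command and runs a shell
# command. The command itself is a harmless placeholder, not a real payload.
HOOKED_SETUP = """
import os
from setuptools import setup
from setuptools.command.install import install

class PostInstall(install):
    def run(self):
        install.run(self)
        os.system("echo constructed-sample")

setup(name="example-pkg", version="1.0.0", cmdclass={"install": PostInstall})
"""


if __name__ == "__main__":
    for label, src in (("benign", BENIGN_SETUP), ("hooked", HOOKED_SETUP)):
        print(f"{label}: {audit_setup_py(src) or 'no findings'}")
```

To use it on a real package, fetch the source archive without installing it (`pip download --no-deps --no-binary :all: <package>`), unpack it, and pass the text of its setup.py to `audit_setup_py()`. The checker is deliberately conservative: it only reports what it sees in the script, so it cannot judge code that is generated or fetched at run time, and every finding still needs a human to read the surrounding lines.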
Huzefa Motiwala, director of systems engineering for India and SAARC at US cyber security firm Palo Alto Networks, asserted that such instances are commonplace.
“Most code repositories do not have a robust security screening and validation process, which allows cyber attackers to add malicious code snippets to popular repositories. There is also no way for small developers to edit their app’s code once an app is built using the unintended malicious scripts, and the only way for developers is to redo their project,” Motiwala said.
Himanshu Kohli, an independent developer and computer science student at Carnegie Mellon University, who publishes his work on the public code repository platform GitHub, said that most small-scale developers have blind faith in major repositories such as Python’s PyPI when it comes to filtering their code snippets for vulnerabilities.
“Most of us typically do not have the resources to independently vet security vulnerabilities,” he said.
Ori Abramovsky, head of data science at SpectralOps, the research division of Check Point Research, said in an interview that the end-goal of the attack is to “make innocent software developers integrate their malicious code into apps that will eventually be executed on someone’s device.”