UPDATED 20:20 EDT / JULY 02 2024


Decade-long CocoaPods vulnerabilities exposed Apple users to potential security risks

Security researchers at E.V.A Information Security Ltd. have detailed several vulnerabilities in the CocoaPods dependency manager used in macOS and iOS applications that, although now patched, left Apple Inc. users exposed to hackers for about a decade.

CocoaPods is a dependency manager for Swift and Objective-C projects that simplifies the integration of third-party libraries into iOS and macOS apps. The manager automates the process of handling dependencies, ensuring that all libraries are compatible and up-to-date to streamline the development workflow.

The CocoaPods dependency manager is found in 100,000 libraries used in more than 3 million mobile apps and works similarly to NPM, Maven and PyPI. The manager uses checksumming and cryptographically signed packages to allow developers to verify the integrity and authenticity of the components they’re using.

The vulnerabilities allowed any malicious actor to claim ownership over thousands of unclaimed pods and insert malicious code into many of the most popular iOS and macOS applications.

An attacker using the vulnerabilities could have potentially infected almost every Apple device, leaving thousands of organizations vulnerable to catastrophic financial and reputational damage. One vulnerability detailed by E.V.A’s researchers could have also enabled zero-day or previously unknown attacks against secure infrastructure.

The CocoaPods team patched the vulnerabilities in the CocoaPods dependency manager after E.V.A researchers reported them to the open-source project earlier this year. The patches addressed the vulnerabilities, including the potential for remote code execution and the unauthorized claiming of unclaimed pods.

Although the risk associated with the vulnerabilities has been significantly reduced due to the deployed patches, developers who have used CocoaPods in recent years are being advised to verify the integrity of their open-source dependencies and to update their COCOAPODS_TRUNK_TOKEN to ensure security. It’s also recommended that developers undertake periodic reviews of dependency lists and security practices to prevent potential future exploits.
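One concrete form of the integrity check recommended above, written for this page as an added example (not E.V.A's or the CocoaPods project's code): it parses the SPEC CHECKSUMS section of a Podfile.lock and recomputes each pod's checksum as the SHA1 of the locally fetched podspec file (how CocoaPods derives the value it records), flagging any spec that has changed or is missing. The lockfile and podspec contents are constructed samples.

```python
import hashlib
import re

# Constructed podspec contents (not from the article). The "tampered" copy differs
# from the locked one only in its source URL, which is enough to change the SHA1.
GOOD_ALAMOFIRE = b'{"name":"Alamofire","version":"5.9.1","source":{"git":"https://github.com/Alamofire/Alamofire.git","tag":"5.9.1"}}'
GOOD_SWIFTYJSON = b'{"name":"SwiftyJSON","version":"5.0.1","source":{"git":"https://github.com/SwiftyJSON/SwiftyJSON.git","tag":"5.0.1"}}'
TAMPERED_SWIFTYJSON = b'{"name":"SwiftyJSON","version":"5.0.1","source":{"git":"https://example.invalid/SwiftyJSON.git","tag":"5.0.1"}}'


def podspec_checksum(content: bytes) -> str:
    """CocoaPods records the SHA1 hex digest of the podspec file's bytes."""
    return hashlib.sha1(content).hexdigest()


def parse_spec_checksums(lock_text: str) -> dict:
    """Return {pod_name: sha1} from the SPEC CHECKSUMS section of a Podfile.lock."""
    checksums = {}
    in_section = False
    for line in lock_text.splitlines():
        if line.startswith("SPEC CHECKSUMS:"):
            in_section = True
            continue
        if in_section:
            m = re.match(r"^\s+([^:]+):\s*([0-9a-f]{40})\s*$", line)
            if m:
                checksums[m.group(1)] = m.group(2)
            elif line.strip() == "" or not line.startswith(" "):
                in_section = False  # blank line or next top-level key ends the section
    return checksums


def verify_lockfile(lock_text: str, local_podspecs: dict) -> dict:
    """Compare each locked checksum with the podspec bytes actually on disk."""
    results = {}
    for name, expected in parse_spec_checksums(lock_text).items():
        content = local_podspecs.get(name)
        if content is None:
            results[name] = "missing"
        else:
            results[name] = "ok" if podspec_checksum(content) == expected else "mismatch"
    return results


# Constructed Podfile.lock whose SPEC CHECKSUMS were computed from the good podspecs.
SAMPLE_LOCKFILE = (
    "PODS:\n  - Alamofire (5.9.1)\n  - SwiftyJSON (5.0.1)\n\n"
    "DEPENDENCIES:\n  - Alamofire (~> 5.9)\n  - SwiftyJSON\n\n"
    "SPEC CHECKSUMS:\n"
    f"  Alamofire: {podspec_checksum(GOOD_ALAMOFIRE)}\n"
    f"  SwiftyJSON: {podspec_checksum(GOOD_SWIFTYJSON)}\n\n"
    "PODFILE CHECKSUM: 0000000000000000000000000000000000000000\n"
    "COCOAPODS: 1.15.2\n"
)

if __name__ == "__main__":
    print(verify_lockfile(SAMPLE_LOCKFILE, {"Alamofire": GOOD_ALAMOFIRE, "SwiftyJSON": TAMPERED_SWIFTYJSON}))
```

The check only proves a podspec is unchanged since the lockfile was written, so a lockfile generated after a pod was taken over would lock the bad spec; pair it with a review of where each pod's source now points.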

“Package managers serve an important role in making open-source software available. But they can also become central points of failure and hence require an added layer of vigilance,” the E.V.A researchers wrote in a blog post. “The CocoaPods team responded responsibly and swiftly to the vulnerabilities once disclosed. However, organizations must be aware of this potential attack surface and stay informed of the various package and dependency management tools used by developers.”

