E.V.A Information Security researchers uncovered several vulnerabilities in the CocoaPods dependency manager that allows any malicious actor to claim ownership over thousands of unclaimed pods and insert malicious code into many of the most popular iOS and MacOS applications. These vulnerabilities have since been patched.
Such an attack on the mobile app ecosystem could infect almost every Apple device, leaving thousands of organizations vulnerable to catastrophic financial and reputational damage. One of the vulnerabilities could also enable zero day attacks against the most advanced and secure organizations’ infrastructure.
Developers and DevOps teams that have used CocoaPods in recent years should verify the integrity of open source dependencies used in their application code.
Dependency managers are an often-overlooked aspect of software supply chain security. Security leaders should explore ways to increase governance and oversight over the use these tools.
