The security of millions of iOS apps could have been compromised due to a security vulnerability in the popular dependency manager CocoaPods.

Software developers often rely on code written by other companies or developers in order to speed up the development of their products. To facilitate the management of code from other sources — known as dependencies — developers use a tool called a dependency manager. The same is true when developing for Apple’s platforms, and the most popular dependency manager for iOS apps by far is CocoaPods.

This past Monday, the maintainers of the project released a statement uncovering a security issue that’s been recently discovered and was present in the software since June 2015, giving attackers plenty of time to potentially exploit it.

The problem was that a maliciously crafted package that’s published to the CocoaPods repository could run arbitrary code on the servers that manage it. This could be used to replace existing packages by malicious versions with code that could end up shipping in iOS and Mac apps used by millions of people worldwide.

An example of a popular app that uses CocoaPods is Signal, a privacy-focused messaging app. A carefully planned attack against one of the dependencies used by Signal could potentially expose user data. This is an unlikely scenario, given that the dependencies used by Signal are audited by the app’s development team, ensuring that no dependency includes malicious code or security issues. However, not all developers have this practice when working with dependencies.

In response to a request for comment, Signal has provided the following statement:

Signal was not affected by this vulnerability. In general, we audit all of our third party dependencies both at the time of adding them as well as when updating them. We keep our own copy of all these dependencies to make it easy to audit as well as to prevent unexpected changes, which can be found here. In addition, we did an extra audit after hearing about this vulnerability to verify that the code in that repo matches that code at the tags for all of our dependencies.

There is no evidence that the vulnerability has been exploited, and it has now been fixed server-side, so developers and users don’t need to take any action. The only developers affected by the fix will be the ones who publish their own packages to CocoaPods, since their authentication tokens have been reset just in case they may have been exposed through the flaw.

For developers who use CocoaPods, or any developers who work with dependency managers, this serves as a reminder that dependency managers and the dependencies they provide should not be inherently trusted.

FTC: We use income earning auto affiliate links. More.

Check out 9to5Mac on YouTube for more Apple news:

You’re reading 9to5Mac — experts who break news about Apple and its surrounding ecosystem, day after day. Be sure to check out our homepage for all the latest news, and follow 9to5Mac on Twitter, Facebook, and LinkedIn to stay in the loop. Don’t know where to start? Check out our exclusive stories, reviews, how-tos, and subscribe to our YouTube channel

About the Author

Guilherme Rambo

I solve Apple’s mysteries for @9to5mac.