Vulnerability In Popular iOS Dependency Manager May Pose Security Risk To Millions of Applications

CocoaPods has recently acknowledged a vulnerability that could potentially compromise the security of thousands of iOS apps.

CocoaPods, for those of our readers unfamiliar with it, is a dependency manager. Dependency managers, put simply, distribute ready-written code that other developers and applications can build on. App development is difficult work, and the more nuanced the application, the longer the task list gets. Dependency managers let developers dispatch the more basic assignments quickly, so they can narrow in on the intricate details that require special attention. However, trusting a dependency manager comes with its own risks, as the CocoaPods case described below shows.

CocoaPods is well known for serving apps that cater to the iOS market, a burgeoning field in its own right. Since its first public release in 2011 by Eloy Duran and a team of other developers, the dependency manager has supplied code to millions of apps on the App Store, with its popularity and usage growing in every subsequent year. 2021 may prove to be the exception, as apps such as Signal can testify.

Signal is a messaging app that boasts privacy as one of its core features. It was also one of the apps, alongside Telegram, hailed as the new platform for messaging-based social media while the WhatsApp policy fiasco was underway. Since Signal relies on CocoaPods as one of several dependencies used to build its code base, the still-unexplained vulnerability could very well render one of the app's selling points null and void. For any Signal users reading this, we would like to offer some reassurance: Signal's code is only ever published after extensive review, and any such vulnerabilities have most likely been expunged from the app.

Ultimately, while CocoaPods' developers have made the presence of this vulnerability public, if not its nature, they have also been quick to patch it. CocoaPods' latest build has been swiftly published, with an update on the server side meaning that apps relying on it as a dependency need no longer worry about this particular security concern. The episode still serves as a cautionary tale about over-reliance on third-party dependencies, and about the importance of reviews and code audits.
