Apple CocoaPods Flaws Affect Millions of Apps


  • Security flaws in the CocoaPods dependency manager have been discovered, which could be exploited to launch supply chain attacks against Apple apps.
  • While CocoaPods packages have been exposed for years, the bugs were patched in October 2023.

Recently disclosed critical flaws in CocoaPods, a prominent dependency manager for Objective-C and Swift, have highlighted significant risks for applications on macOS and iOS devices. The vulnerabilities have exposed millions of applications to supply chain attacks, potentially affecting many Apple users.

The problem emerged when CocoaPods migrated to the Trunk server, leaving thousands of packages unclaimed. Attackers could claim these orphaned pods using a public API together with an email address found in the CocoaPods source code. The risk is significant because CocoaPods is widely used to manage third-party libraries in macOS and iOS development. Since it automates dependency integration and resolution, it is a popular time-saving tool. However, these unclaimed packages were left exposed for nearly a decade.

The Trunk server is a key part of the CocoaPods infrastructure. It manages the distribution and hosting of files for CocoaPods libraries. It is…
