Supply Chain Insecurity: Exposing Vulnerabilities in iOS Dependency Management Systems
David Schmidt, Sebastian Schrittwieser, Edgar Weippl

TL;DR
This paper uncovers security vulnerabilities in iOS dependency management systems, especially CocoaPods, revealing how attackers can exploit information leakage and abandoned domains to compromise apps and developer environments.
Contribution
It provides a detailed analysis of security flaws in CocoaPods, Carthage, and SwiftPM, and quantifies their impact on iOS app security through empirical data.
Findings
Internal package info leaks enable dependency confusion attacks
Hijacking abandoned domains can compromise multiple apps
Vulnerabilities affect millions of iOS users
Abstract
Dependency management systems are a critical component in software development, enabling projects to incorporate existing functionality efficiently. However, misconfigurations and malicious actors in these systems pose severe security risks, leading to supply chain attacks. Despite the widespread use of smartphone apps, the security of dependency management systems in the iOS software supply chain has received limited attention. In this paper, we focus on CocoaPods, one of the most widely used dependency management systems for iOS app development, but also examine the security of Carthage and Swift Package Manager (SwiftPM). We demonstrate that iOS apps expose internal package names and versions. Attackers can exploit this leakage to register previously unclaimed dependencies in CocoaPods, enabling remote code execution (RCE) on developer machines and build servers. Additionally, we…
Taxonomy
Topics: Advanced Malware Detection Techniques · Information and Cyber Security · Software Engineering Research
