Dependency management systems are a critical component in software development, enabling projects to incorporate existing functionality efficiently. However, misconfigurations and malicious actors in these systems pose severe security risks, leading to supply chain attacks. Despite the widespread use of smartphone apps, the security of dependency management systems in the iOS software supply chain has received limited attention. In this paper, we focus on CocoaPods, one of the most widely used dependency management systems for iOS app development, but also examine the security of Carthage and Swift Package Manager (SwiftPM). We demonstrate that iOS apps expose internal package names and versions. Attackers can exploit this leakage to register previously unclaimed dependencies in CocoaPods, enabling remote code execution (RCE) on developer machines and build servers. Additionally, we show that attackers can compromise dependencies by reclaiming abandoned domains and GitHub URLs. Analyzing a dataset of 9,212 apps, we quantify how many apps are susceptible to these vulnerabilities. Further, we inspect the use of vulnerable dependencies within public GitHub repositories. Our findings reveal that popular apps disclose internal dependency information, enabling dependency confusion attacks. Furthermore, we show that hijacking a single CocoaPod library through an abandoned domain could compromise 63 iOS apps, affecting millions of users. Finally, we compare iOS dependency management systems with Cargo, Go modules, Maven, npm, and pip to discuss mitigation strategies for the identified threats.

翻译：依赖管理系统是软件开发中的关键组成部分，使项目能够高效整合现有功能。然而，这些系统中的配置错误和恶意行为者构成了严重的安全风险，导致供应链攻击。尽管智能手机应用广泛使用，但iOS软件供应链中依赖管理系统的安全性却未得到充分关注。本文聚焦于CocoaPods（iOS应用开发中最广泛使用的依赖管理系统之一），同时考察了Carthage和Swift Package Manager（SwiftPM）的安全性。我们证明iOS应用会暴露内部包名称和版本。攻击者可利用此泄漏在CocoaPods中注册先前未被声明的依赖项，从而在开发机器和构建服务器上实现远程代码执行（RCE）。此外，我们证明攻击者可通过回收废弃域名和GitHub URL来劫持依赖项。通过分析9,212个应用的数据集，我们量化了易受这些漏洞影响的应用数量。进一步地，我们检查了公共GitHub仓库中易受攻击依赖项的使用情况。研究结果表明，热门应用会泄露内部依赖信息，使得依赖混淆攻击成为可能。此外，我们证明通过废弃域名劫持单个CocoaPod库可能危及63个iOS应用，影响数百万用户。最后，我们将iOS依赖管理系统与Cargo、Go模块、Maven、npm和pip进行比较，以讨论针对已识别威胁的缓解策略。