🤖 AI Summary
This study systematically investigates supply chain security risks in the three major iOS dependency managers (CocoaPods, Carthage, and Swift Package Manager), revealing weaknesses such as leakage of dependency metadata from shipped apps, malicious registration of unclaimed internal dependencies, and hijacking of abandoned domains or repositories, which can lead to remote code execution and dependency confusion attacks. By constructing dependency graphs, tracking the lifecycle of domains and GitHub repositories, extracting static metadata, and analyzing a large-scale dataset of applications and open-source projects, the work quantifies, for the first time, the widespread impact of these threats in the iOS ecosystem: across a dataset of 9,212 apps, popular apps were found to expose internal dependency information, and a single compromised CocoaPods library could affect 63 applications and millions of users. The findings underscore that iOS dependency management mechanisms lag significantly behind ecosystems like Cargo and npm in security, prompting the proposal of cross-platform mitigation strategies.
📝 Abstract
Dependency management systems are a critical component in software development, enabling projects to incorporate existing functionality efficiently. However, misconfigurations and malicious actors in these systems pose severe security risks, leading to supply chain attacks. Despite the widespread use of smartphone apps, the security of dependency management systems in the iOS software supply chain has received limited attention. In this paper, we focus on CocoaPods, one of the most widely used dependency management systems for iOS app development, but also examine the security of Carthage and Swift Package Manager (SwiftPM). We demonstrate that iOS apps expose internal package names and versions. Attackers can exploit this leakage to register previously unclaimed dependencies in CocoaPods, enabling remote code execution (RCE) on developer machines and build servers. Additionally, we show that attackers can compromise dependencies by reclaiming abandoned domains and GitHub URLs. Analyzing a dataset of 9,212 apps, we quantify how many apps are susceptible to these vulnerabilities. Further, we inspect the use of vulnerable dependencies within public GitHub repositories. Our findings reveal that popular apps disclose internal dependency information, enabling dependency confusion attacks. Furthermore, we show that hijacking a single CocoaPod library through an abandoned domain could compromise 63 iOS apps, affecting millions of users. Finally, we compare iOS dependency management systems with Cargo, Go modules, Maven, npm, and pip to discuss mitigation strategies for the identified threats.
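The two exposures the abstract describes, internal pod names that nobody has claimed on the public CocoaPods trunk and dependencies pulled from project-controlled hosts, can both be audited from a project's own Podfile.lock. The following is an added example, not code from the paper or from CocoaPods; the lockfile excerpt, the `acme.example` hosts and the "claimed on trunk" set are constructed sample data.

```python
"""Audit a CocoaPods Podfile.lock for two exposures the paper describes: private
pod names unclaimed on the public trunk, and the hosts private sources rely on."""
# Constructed excerpt containing only the sections the audit reads.
PODFILE_LOCK = """\
SPEC REPOS:
  trunk:
    - Alamofire
  "https://git.acme.example/ios/Specs.git":
    - AcmeCrypto

EXTERNAL SOURCES:
  AcmeAnalytics:
    :git: https://git.acme.example/ios/AcmeAnalytics.git
"""
# Constructed stand-in for an offline snapshot of names registered on trunk.
CLAIMED_ON_TRUNK = {"Alamofire"}

def parse_sections(text):
    """Split the lockfile into {SECTION: [indented lines]} by top-level header."""
    sections, current = {}, None
    for line in text.splitlines():
        if line and not line.startswith(" ") and line.endswith(":"):
            current = line[:-1]
            sections[current] = []
        elif current and line.strip():
            sections[current].append(line)
    return sections

def pod_sources(text):
    """Map pod name -> 'trunk', a private spec-repo URL, the git URL of an
    external source, or 'external' for non-git (e.g. :path) entries."""
    sections, sources, repo, name = parse_sections(text), {}, None, None
    for line in sections.get("SPEC REPOS", []):
        if not line.startswith("    "):      # 2-space indent: repo name
            repo = line.strip().rstrip(":").strip('"')
        else:                                # 4-space indent: "- PodName"
            sources[line.strip().lstrip("- ")] = repo
    for line in sections.get("EXTERNAL SOURCES", []):
        if not line.startswith("    "):      # 2-space indent: pod name key
            name = line.strip().rstrip(":")
            sources[name] = "external"
        elif name and ":git:" in line:       # keep the URL so its host can be checked
            sources[name] = line.split(":git:", 1)[1].strip()
    return sources

def confusion_candidates(text, claimed_on_trunk):
    """Private pods whose names are unregistered on trunk: reserve these names."""
    return {n: s for n, s in pod_sources(text).items()
            if s != "trunk" and n not in claimed_on_trunk}
```

The URLs in the returned mapping are the spec-repo and git hosts the build trusts, so the same output doubles as the list of domains whose registration and ownership should be verified against the abandoned-domain hijacking the abstract describes.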