Safeguard
Tag

ios-security

Safeguard articles tagged "ios-security" — guides, analysis, and best practices for software supply chain and application security.

16 articles

Application Security

Unsafe Deserialization in Swift: NSCoding, Codable, and Safer Patterns

Two 2019 iOS zero-click bugs, CVE-2019-8646 and CVE-2019-8647, both traced back to NSKeyedUnarchiver — a reminder that Swift's Objective-C legacy still hides deserialization risk.

Jul 8, 20265 min read
Security Guides

Swift and iOS Security Best Practices: Storage, Transport, and the Dependency Supply Chain

iOS gives you a hardware-backed Keychain, Data Protection, and App Transport Security. Most iOS app breaches come from switching those defaults off — and from unaudited SwiftPM dependencies.

Jul 3, 20266 min read
Application Security

iOS application security best practices

Concrete iOS app security controls—Keychain data protection, ATS, dependency vetting, and privacy manifests—grounded in real CVEs like CocoaPods 2024 and BLASTPASS.

Apr 29, 20267 min read
Software Supply Chain Security

CocoaPods supply chain security and Podfile.lock integrit...

A 2024 CocoaPods Trunk server flaw let attackers hijack orphaned pods and exposed a deeper gap: Podfile.lock never verified dependency integrity in the first place.

Jan 30, 20267 min read
Open Source Security

Swift Package Manager dependency resolution and pinning s...

SPM trusts mutable git tags, not signed artifacts. Here's how dependency resolution, Package.resolved integrity, and pinning gaps expose Swift apps to supply chain attacks.

Jan 30, 20266 min read
Software Supply Chain Security

iOS app supply chain risk from third-party SDKs and ad li...

Third-party SDKs and ad libraries run inside your iOS app with your app's permissions. Here's how ios sdk supply chain risk hides in plain sight — and what Safeguard does about it.

Jan 30, 20268 min read
Open Source Security

CocoaPods Trunk Server Remote Code Execution (CVE-2024-38...

CVE-2024-38366 exposed a critical remote code execution flaw in the CocoaPods trunk server, threatening the iOS dependency supply chain for years undetected.

Nov 29, 20257 min read
Open Source Security

CocoaPods Trunk Server Email Verification Bypass Enabling...

CVE-2024-38367 let attackers bypass email verification on the CocoaPods trunk server to take over pod owner accounts, threatening the iOS supply chain. Here's the impact and fix.

Nov 29, 20258 min read
Open Source Security

CocoaPods Orphaned Pod Takeover Vulnerability (CVE-2024-3...

CVE-2024-38368 let attackers claim orphaned CocoaPods and push malicious code into any iOS or macOS app still depending on them. Here is what to check.

Nov 29, 20258 min read
Open Source Security

CocoaPods trunk supply chain vulnerability report

Three CocoaPods trunk server flaws sat unpatched for a decade, exposing 1,866 orphaned pods to takeover. Here's what happened and how to defend your dependencies.

Nov 10, 20257 min read
Open Source Security

Swift Package Manager vulnerability trends

Typosquats, thin CVE coverage, and an executable manifest format: inside the Swift Package Manager vulnerability trends security teams can't ignore.

Nov 10, 20257 min read
Open Source Security

Malicious iOS SDKs and CocoaPods report

CocoaPods trunk server CVEs and the SourMint SDK scandal reveal how malicious iOS SDKs and pods slip past App Review for years.

Nov 10, 20257 min read
ios-security — Safeguard Blog