ABSTRACT
With the booming sales of iOS devices, the number of iOS applications has increased significantly in recent years. To protect the security of iOS users, Apple requires every iOS application to go through a vetting process called App Review, which checks for uses of private APIs that provide access to sensitive user information. However, recent attacks have shown that private APIs can be used without being detected during App Review. To counter such attacks, we propose a new iOS application vetting system, called iRiS, in this paper. iRiS first applies fast static analysis to resolve API calls. For those that cannot be statically resolved, iRiS uses a novel iterative dynamic analysis approach, which is slower but more powerful than static analysis. We have ported Valgrind to iOS and implemented a prototype of iRiS on top of it. We evaluated iRiS with 2,019 applications from the official App Store. From these, iRiS identified 146 (7%) applications that together use 150 distinct private APIs, including 25 security-critical APIs that access sensitive user information, such as the device serial number. By analyzing iOS applications using iRiS, we also identified a suspicious advertisement service provider that collects private user information in its advertisement serving library. Our results show that, contrary to popular belief, a nontrivial number of iOS applications that violate Apple's terms of service exist in the App Store, and that iRiS is effective in detecting private API abuse missed by App Review.