DOI: 10.5555/3489212.3489348
Research article, free access

iOS, your OS, everybody's OS: vetting and analyzing network services of iOS applications

Published: 12 August 2020

Abstract

Smartphone applications that listen for network connections introduce significant security and privacy threats for users. In this paper, we focus on vetting and analyzing the security of iOS apps' network services. To this end, we develop an efficient and scalable iOS app collection tool to download 168,951 iOS apps in the wild. We investigate a set of 1,300 apps to understand the characteristics of network service vulnerabilities, confirming 11 vulnerabilities in popular apps, such as Waze, Now, and QQBrowser. From these vulnerabilities, we create signatures for a large-scale analysis of 168,951 iOS apps, which shows that the use of certain third-party libraries listening for remote connections is a common source of vulnerable network services in 92 apps. These vulnerabilities open up the iOS device to a host of possible attacks, including data leakage, remote command execution, and denial-of-service attacks. We have disclosed identified vulnerabilities and received acknowledgments from vendors.


Cited By

  • (2021) An Empirical Assessment of Global COVID-19 Contact Tracing Applications. Proceedings of the 43rd International Conference on Software Engineering, 10.1109/ICSE43902.2021.00101, pp. 1085-1097. Online publication date: 22-May-2021

Published In

SEC'20: Proceedings of the 29th USENIX Conference on Security Symposium
August 2020
2809 pages
ISBN: 978-1-939133-17-5

Sponsors

  • Facebook
  • Microsoft
  • IBM
  • ByteDance
  • Google Inc.

Publisher

USENIX Association, United States

Qualifiers

  • Research-article

Acceptance Rates

Overall Acceptance Rate: 40 of 100 submissions, 40%
