DOI: 10.1145/2810103.2813675 (ACM CCS conference proceedings, research article)

iRiS: Vetting Private API Abuse in iOS Applications

Published: 12 October 2015

Abstract

With the booming sales of iOS devices, the number of iOS applications has increased significantly in recent years. To protect the security of iOS users, Apple requires every iOS application to go through a vetting process called App Review to detect uses of private APIs that provide access to sensitive user information. However, recent attacks have shown the feasibility of using private APIs without being detected during App Review. To counter such attacks, we propose a new iOS application vetting system, called iRiS, in this paper. iRiS first applies fast static analysis to resolve API calls. For those that cannot be statically resolved, iRiS uses a novel iterative dynamic analysis approach, which is slower but more powerful than static analysis. We have ported Valgrind to iOS and implemented a prototype of iRiS on top of it. We evaluated iRiS with 2019 applications from the official App Store. From these, iRiS identified 146 (7%) applications that use a total of 150 different private APIs, including 25 security-critical APIs that access sensitive user information, such as the device serial number. By analyzing iOS applications using iRiS, we also identified a suspicious advertisement service provider that collects private user information in its advertisement-serving library. Our results show that, contrary to popular belief, a nontrivial number of iOS applications that violate Apple's terms of service exist in the App Store. iRiS is effective in detecting private API abuse missed by App Review.


Cited By

  • ARCTURUS: Full Coverage Binary Similarity Analysis with Reachability-guided Emulation. ACM Transactions on Software Engineering and Methodology 33(4):1-31, 2024. doi:10.1145/3640337
  • Lalaine. Proceedings of the 32nd USENIX Conference on Security Symposium, pp. 1091-1108, 2023. doi:10.5555/3620237.3620299
  • CydiOS: A Model-Based Testing Framework for iOS Apps. Proceedings of the 32nd ACM SIGSOFT International Symposium on Software Testing and Analysis, pp. 1-13, 2023. doi:10.1145/3597926.3598033
  • Towards detecting device fingerprinting on iOS with API function hooking. Proceedings of the 2023 European Interdisciplinary Cybersecurity Conference, pp. 78-84, 2023. doi:10.1145/3590777.3590790
  • Enabling Lightweight Privilege Separation in Applications with MicroGuards. Applied Cryptography and Network Security Workshops, pp. 571-598, 2023. doi:10.1007/978-3-031-41181-6_31
  • iService: Detecting and Evaluating the Impact of Confused Deputy Problem in AppleOS. Proceedings of the 38th Annual Computer Security Applications Conference, pp. 964-977, 2022. doi:10.1145/3564625.3568001
  • Hiding critical program components via ambiguous translation. Proceedings of the 44th International Conference on Software Engineering, pp. 1120-1132, 2022. doi:10.1145/3510003.3510139
  • Analyzing Ground-Truth Data of Mobile Gambling Scams. 2022 IEEE Symposium on Security and Privacy (SP), pp. 2176-2193, 2022. doi:10.1109/SP46214.2022.9833665
  • Defeating Program Analysis Techniques via Ambiguous Translation. 2021 36th IEEE/ACM International Conference on Automated Software Engineering (ASE), pp. 1382-1387, 2021. doi:10.1109/ASE51524.2021.9678912
  • iOS, your OS, everybody's OS. Proceedings of the 29th USENIX Conference on Security Symposium, pp. 2415-2432, 2020. doi:10.5555/3489212.3489348

Published In

CCS '15: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security
October 2015
1750 pages
ISBN:9781450338325
DOI:10.1145/2810103
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Publisher

Association for Computing Machinery

New York, NY, United States


Author Tags

  1. application vetting
  2. binary instrumentation
  3. dynamic analysis
  4. forced execution
  5. iOS
  6. private API
  7. static analysis

Conference

CCS '15

Acceptance Rates

CCS '15 paper acceptance rate: 128 of 660 submissions (19%)
Overall acceptance rate: 1,261 of 6,999 submissions (18%)

Article Metrics

  • Downloads (last 12 months): 29
  • Downloads (last 6 weeks): 6

Reflects downloads up to 19 Dec 2024.
