ABSTRACT
The conventional wisdom is that iOS is more secure than Android. However, both jailbroken and non-jailbroken iOS devices have a number of vulnerabilities. On iOS, apps interact with the underlying system through Application Programming Interfaces (APIs). Some of these APIs remain undocumented, and Apple forbids apps in the App Store from using them. These APIs, also known as "private APIs", provide powerful features to developers, yet they may have serious security consequences if misused. Furthermore, apps that use private APIs can bypass the App Store and use Apple's Enterprise/Developer Certificates for distribution. This poses a significant threat to the iOS ecosystem. So far, there has been no formal study to understand these apps and how private APIs are being encapsulated. We call iOS apps that are distributed to the public using enterprise certificates "enpublic" apps. In this paper, we present the design and implementation of iAnalytics, which can automatically analyze enpublic apps' private API usage and vulnerabilities. Using iAnalytics, we crawled and analyzed 1,408 enpublic iOS apps. We discovered that 844 (60%) of the 1,408 apps use private APIs, 14 (1%) apps contain URL scheme vulnerabilities, and 901 (64%) enpublic apps transport sensitive information through unencrypted channels or store the information in plaintext on the phone. In addition, we summarized 25 private APIs that are crucial and security sensitive on iOS 6/7/8, and we have filed one CVE (Common Vulnerabilities and Exposures) for iOS devices.