DOI: 10.1145/2714576.2714593

Enpublic Apps: Security Threats Using iOS Enterprise and Developer Certificates

Published: 14 April 2015

Abstract

Compared with Android, the conventional wisdom is that iOS is more secure. However, both jailbroken and non-jailbroken iOS devices have a number of vulnerabilities. On iOS, apps need to interact with the underlying system using Application Programming Interfaces (APIs). Some of these APIs remain undocumented, and Apple forbids apps in the App Store from using them. These APIs, also known as "private APIs", provide powerful features to developers, yet they may have serious security consequences if misused. Furthermore, apps that use private APIs can bypass the App Store and use Apple's Enterprise/Developer Certificates for distribution. This poses a significant threat to the iOS ecosystem. So far, there has been no formal study of these apps and of how private APIs are being encapsulated. We call iOS apps that are distributed to the public using enterprise certificates "enpublic" apps. In this paper, we present the design and implementation of iAnalytics, which can automatically analyze enpublic apps' private API usage and vulnerabilities. Using iAnalytics, we crawled and analyzed 1,408 enpublic iOS apps. We discovered that 844 (60%) of the 1,408 apps do use private APIs, 14 (1%) apps contain URL scheme vulnerabilities, and 901 (64%) enpublic apps transport sensitive information through unencrypted channels or store the information in plaintext on the phone. In addition, we summarize 25 private APIs that are crucial and security sensitive on iOS 6/7/8, and we have filed one CVE (Common Vulnerabilities and Exposures) for iOS devices.

Published In

ASIA CCS '15: Proceedings of the 10th ACM Symposium on Information, Computer and Communications Security
April 2015, 698 pages
ISBN: 9781450332453
DOI: 10.1145/2714576
Publisher

Association for Computing Machinery, New York, NY, United States


Author Tags

enterprise certificate, ios, private apis

      Qualifiers

      • Research-article

Conference

ASIA CCS '15: 10th ACM Symposium on Information, Computer and Communications Security
April 14 - March 17, 2015
Singapore, Republic of Singapore

      Acceptance Rates

      Overall Acceptance Rate 160 of 921 submissions, 17%

Article Metrics

• Downloads (last 12 months): 12
• Downloads (last 6 weeks): 3
Reflects downloads up to 15 Feb 2025

Cited By

• (2021) The Traditional Influence on Increasing Acceptance of Commercial Smartphone Applications in Specific Regions of the Arabic World. Complexity, 2021, 1-16. DOI: 10.1155/2021/4336772. Online publication date: 8 Dec 2021.
• (2019) Large-Scale Analysis of Pop-Up Scam on Typosquatting URLs. Proceedings of the 14th International Conference on Availability, Reliability and Security, 1-9. DOI: 10.1145/3339252.3340332. Online publication date: 26 Aug 2019.
• (2019) ChanDet: Detection Model for Potential Channel of iOS Applications. Journal of Physics: Conference Series, 1187:4, 042045. DOI: 10.1088/1742-6596/1187/4/042045. Online publication date: 8 May 2019.
• (2018) Automated Binary Analysis on iOS. Proceedings of the 11th ACM Conference on Security & Privacy in Wireless and Mobile Networks, 236-247. DOI: 10.1145/3212480.3212487. Online publication date: 18 Jun 2018.
• (2016) The Far Side of Mobile Application Integrated Development Environments. Trust, Privacy and Security in Digital Business, 111-122. DOI: 10.1007/978-3-319-44341-6_8. Online publication date: 6 Aug 2016.
• (2015) iRiS. Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, 44-56. DOI: 10.1145/2810103.2813675. Online publication date: 12 Oct 2015.
