Launching Generic Attacks on iOS with Approved Third-Party Applications

iOS is Apple's mobile operating system, used on the iPhone, iPad and iPod touch. Any third-party application developed for iOS devices is required to go through Apple's application vetting process and appears on the official iTunes App Store upon approval. When an application is downloaded from the store and installed on an iOS device, it is given a limited set of privileges, which are enforced by the iOS application sandbox. Although Apple keeps the details of the vetting process and the sandbox as a black box, it was generally believed that these iOS security mechanisms are effective in defending against malware. In this paper, we propose a generic attack vector that enables third-party applications to launch attacks on non-jailbroken iOS devices. Following this generic attack mechanism, we are able to construct multiple proof-of-concept attacks, such as cracking the device PIN and taking snapshots without the user's awareness. Our applications embedded with the attack code have passed Apple's vetting process and work as intended on non-jailbroken devices. Our proof-of-concept attacks show that Apple's vetting process and the iOS sandbox have weaknesses which can be exploited by third-party applications. We further provide corresponding mitigation strategies for both the vetting and sandbox mechanisms, in order to defend against the proposed attack vector.