iCryptoTracer: Dynamic Analysis on Misuse of Cryptography Functions in iOS Applications

Cryptography is the common means to achieve strong data protection in mobile applications. However, cryptographic misuse is becoming one of the most common issues in development. Attackers usually make use of implementation flaws such as a non-random key or IV to forge exploits and recover valuable secrets. Application developers may lack knowledge of cryptography, so there is an urgent need for an efficient and effective approach to assess whether an application's use of cryptographic functions fulfills its security goal. In this work, we design a cryptography diagnosis system, iCryptoTracer. Combining static and dynamic analyses, it traces an iOS application's usage of cryptographic APIs, extracts the trace log, and judges whether the application complies with generic cryptographic rules as well as real-world implementation concerns. We test iCryptoTracer on real devices running various versions of iOS. We diagnose 98 applications from the Apple App Store and find that 64 of them contain various degrees of security flaws caused by cryptographic misuse. As a proof of concept, we launch ethical attacks on two of the applications. The encrypted secret information can be easily revealed and the encryption keys can also be restored.
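The kind of check the abstract describes, judging a trace log of cryptographic API calls for a non-random key or IV, sketched as an added example that is not iCryptoTracer's own code. The JSON trace format, the field names and the rule labels are assumptions made here, and the trace itself is constructed.

```python
import json
from collections import defaultdict

# Constructed trace, one record per hooked encryption call (format assumed).
# "install" numbers independent fresh installs of the app under test.
SAMPLE_TRACE = """
{"install": 1, "api": "CCCrypt", "key": "6d7953656372657450617373776f7264", "iv": "00000000000000000000000000000000"}
{"install": 1, "api": "CCCrypt", "key": "6d7953656372657450617373776f7264", "iv": "00000000000000000000000000000000"}
{"install": 2, "api": "CCCrypt", "key": "6d7953656372657450617373776f7264", "iv": "00000000000000000000000000000000"}
{"install": 1, "api": "CCCrypt", "key": "9f1c7a3be0d2458896ab03f4c7e15d20", "iv": "3a91f0c27b5e4d68a0c4e19b72f3d856"}
{"install": 2, "api": "CCCrypt", "key": "41d8e6b2097cf35a8e12bb64d09a7f3c", "iv": "c05e2f81a7b94d3361f8a20e95d47b1c"}
"""

def parse_trace(text):
    """Parse JSON-lines trace text into a list of call records."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def diagnose(records):
    """Return sorted (rule, detail) candidate findings for non-random key/IV use."""
    findings = set()
    installs_by_key = defaultdict(set)
    pair_count = defaultdict(int)
    for rec in records:
        key, iv = bytes.fromhex(rec["key"]), bytes.fromhex(rec["iv"])
        installs_by_key[key].add(rec["install"])
        pair_count[(key, iv)] += 1
        # An IV made of one repeated byte (e.g. all zeros) is not random.
        if len(set(iv)) == 1:
            findings.add(("constant-byte IV", iv.hex()))
        # A random key is almost never entirely printable ASCII; a string literal is.
        if all(0x20 <= b < 0x7F for b in key):
            findings.add(("printable-ASCII key", key.hex()))
    # The same key on independent installs suggests it ships with the app.
    for key, installs in installs_by_key.items():
        if len(installs) > 1:
            findings.add(("key shared across installs", key.hex()))
    # Repeating a key/IV pair makes encryption deterministic across messages.
    for (key, iv), count in pair_count.items():
        if count > 1:
            findings.add(("key/IV pair reused", f"{key.hex()}/{iv.hex()}"))
    return sorted(findings)

if __name__ == "__main__":
    for rule, detail in diagnose(parse_trace(SAMPLE_TRACE)):
        print(f"{rule}: {detail}")
```

These are heuristics that yield candidates for manual review: a key derived from a fixed user password, for instance, would also repeat across installs.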
