iOS, Your OS, Everybody's OS: Vetting and Analyzing Network Services of iOS Applications

Smartphone applications that listen for network connections introduce significant security and privacy threats for users. In this paper, we focus on vetting and analyzing the security of iOS apps’ network services. To this end, we develop an efficient and scalable iOS app collection tool to download 168,951 iOS apps in the wild. We investigate a set of 1,300 apps to understand the characteristics of network service vulnerabilities, confirming 11 vulnerabilities in popular apps, such as Waze, Now, and QQBrowser. From these vulnerabilities, we create signatures for a large-scale analysis of 168,951 iOS apps, which shows that the use of certain third-party libraries listening for remote connections is a common source of vulnerable network services in 92 apps. These vulnerabilities open up the iOS device to a host of possible attacks, including data leakage, remote command execution, and denial-of-service attacks. We have disclosed identified vulnerabilities and received acknowledgments from vendors.
