We propose a static analysis technique for iOS executables for checking API call vulnerabilities that can cause 1) app behaviors tobe altered by malicious external inputs, and 2) sensitive user data to be illegally accessed by apps with stealthy private API calls that use string obfuscation. We identify sensitive functions that dynamically load classes/frameworks, and, for each parameter that corresponds to a dynamically loaded class/framework, we construct a dependency graph that shows the set of values that flow to that parameter. A sensitive function that has its class name or framework path parameter depending on externalinputs is considered to contain a vulnerability. We further conduct string analysis on these dependency graphs to determine all potential string values that these parameters can take, which identifies the set of dynamically loaded classes/frameworks. Taking the intersection of these values with patterns that characterize Apple's API policies (such as restricted use of private/sensitive APIs), we are able to detect potential policy violations and vulnerabilities.
[1]
Diomidis Spinellis.
The Importance of Being Declarative
,
2013,
IEEE Software.
[2]
Xiangyu Zhang,et al.
iRiS: Vetting Private API Abuse in iOS Applications
,
2015,
CCS.
[3]
Jacques Klein,et al.
DroidRA: taming reflection to support whole-program analysis of Android apps
,
2016,
ISSTA.
[4]
Christopher Krügel,et al.
PiOS: Detecting Privacy Leaks in iOS Applications
,
2011,
NDSS.
[5]
Marcelo d'Amorim,et al.
Static Analysis of Implicit Control Flow: Resolving Java Reflection and Android Intents (T)
,
2015,
2015 30th IEEE/ACM International Conference on Automated Software Engineering (ASE).
[6]
Ahmad-Reza Sadeghi,et al.
PSiOS: bring your own privacy & security to iOS devices
,
2013,
ASIA CCS '13.