tions, written for Apple's iOS, pose to users To this end, we present a novel approach and a tool, PiOS, that allow us to analyze programs for possible leaks of
| Previous PDF | Next PDF |
[PDF] iOS Enterprise Deployment Overview - Apple
Distribute in-house apps from the iOS Developer Enterprise Program (iDEP) and in-house books by hosting them on a web server or your MDM solution • Install
[PDF] Apple Deployment Programs Volume Purchase Program Guide
Whether your workforce uses iPhone, iPad, or Mac, you can provide great content that's ready for work with flexible and secure distribution options This guide will
[PDF] Learning iOS Development: A Hands-on Guide to the - InformIT
Preface xx 1 Hello, iOS SDK 1 Installing Xcode 1 About the iOS SDK 2 What You Get for Free 3 iOS Developer Program (Individual and Company) 4
[PDF] iOS DEVELOPER PROGRAM - DePaul CDM - DePaul University
A ten-week program covering iOS development for Apple® devices, including iPhone® and iPad®, for IT professionals and software developers
[PDF] iOS Programming - UC San Diego Extension
Students will gain new skills necessary to program applications that run natively on mobile devices specific to iOS for Apple based technology, including step-by-
[PDF] iOS Deployment Starter Guide - Compugen
The Device Enrollment Program (DEP) automates enrollment of Apple devices into your MDM solution to streamline deployment with zero-touch configuration for
[PDF] Building The iOS Wrapper - Omnis Studio
In order to build iOS apps, you will need to install xCode 6 1 1 or later You can Apple gives you 3 options when signing up for their iOS Developer Program:
[PDF] Certificate Course in iOS Application Development Co - Crescent
Tools for iOS Application Development – Xcode - Hands on iOS Programs – Developing Simple iOS Apps - Building and Running iOS Apps – Uploading to App
[PDF] Déploiement iOS en entreprise - Apple
Le Programme d'inscription des appareils (Device Enrollment Program, DEP) automatise l'inscription des appareils Apple auprès de votre solution MDM afin de
[PDF] PiOS: Detecting Privacy Leaks in iOS Applications - UCSB
tions, written for Apple's iOS, pose to users To this end, we present a novel approach and a tool, PiOS, that allow us to analyze programs for possible leaks of
[PDF] ios swift tutorial pdf
[PDF] ios terms
[PDF] iot applications in healthcare
[PDF] iot architecture should be heterogeneous
[PDF] iot cisco packet tracer pdf
[PDF] iot project in cisco packet tracer
[PDF] iot protocols
[PDF] iot protocols pdf
[PDF] iowa courts online
[PDF] iowa department of public health
[PDF] iowa flu map 2019
[PDF] iowa governor
[PDF] iowa population
[PDF] iowa population by race
[PDF] iowa state
[PDF] ios terms
[PDF] iot applications in healthcare
[PDF] iot architecture should be heterogeneous
[PDF] iot cisco packet tracer pdf
[PDF] iot project in cisco packet tracer
[PDF] iot protocols
[PDF] iot protocols pdf
[PDF] iowa courts online
[PDF] iowa department of public health
[PDF] iowa flu map 2019
[PDF] iowa governor
[PDF] iowa population
[PDF] iowa population by race
[PDF] iowa state
PiOS: Detecting Privacy Leaks in iOS Applications
Manuel Egele
? †, Christopher Kruegel†, Engin Kirda‡ §, and Giovanni Vigna†Vienna University of Technology, Austria
manuel@seclab.tuwien.ac.at†University of California, Santa Barbara
{maeg,chris,vigna}@cs.ucsb.eduInstitute Eurecom, Sophia Antipolis
kirda@eurecom.fr§Northeastern University, Boston
ek@ccs.neu.eduAbstract
With the introduction of Apple"s iOS and Google"s An- droid operating systems, the sales of smartphones have ex- ploded. These smartphones have become powerful devices that are basically miniature versions of personal comput- ers. However, the growing popularity and sophistication of smartphones have also increased concerns about the pri- vacy of users who operate these devices. These concerns have been exacerbated by the fact that it has become in- creasingly easy for users to install and execute third-party applications. To protect its users from malicious applica- tions, Apple has introduced a vetting process. This vet- ting process should ensure that all applications conform to Apple"s (privacy) rules before they can be offered via the App Store. Unfortunately, this vetting process is not well- documented, and there have been cases where malicious applications had to be removed from the App Store after user complaints. In this paper, we study the privacy threats that applica- tions, written for Apple"s iOS, pose to users. To this end, we present a novel approach and a tool, PiOS, that allow us to analyze programs for possible leaks of sensitive in- formation from a mobile device to third parties. PiOS uses static analysis to detect data flows in Mach-0 binaries, com- piled from Objective-C code. This is a challenging task due to the way in which Objective-C method calls are imple- mented. We have analyzed more than 1,400 iPhone appli- cations. Our experiments show that, with the exception of a few bad apples, most applications respect personal identifi- able information stored on user"s devices. This is even true for applications that are hosted on an unofficial repository (Cydia) and that only run on jailbroken phones. However, we found that more than half of the applications surrepti-tiously leak the unique ID of the device they are running on.This allows third-parties to create detailed profiles of users"
application preferences and usage patterns.1 Introduction
Mobile phones have rapidly evolved over the last years. The latest generations of smartphones are basically minia- ture versions of personal computers; they offer not only the possibility to make phone calls and to send messages, but they are a communication and entertainment platform for users to surf the web, send emails, and play games. Mobile phones are also ubiquitous, and allow anywhere, anytime access to information. In the second quarter of 2010 alone, more than 300 million devices were sold worldwide [13]. Given the wide range of applications for mobile phones and their popularity, it is not surprising that these devices store an increasing amount of sensitive information about their users. For example, the address book contains infor- mation about the people that a user interacts with. The GPS receiver reveals the exact location of the device. Photos, emails, and the browsing history can all contain private in- formation.Since the introduction of Apple"s iOS
1and the Android
operating systems, smartphone sales have significantly in- creased. Moreover, the introduction of market places for apps (such as Apple"s App Store) has provided a strong eco- nomic driving force, and tens of thousands of applications have been developed for iOS and Android. Of course, the ability to run third-party code on a mobile device is a poten- tial security risk. Thus, mechanisms are required to prop- erly protect sensitive data against malicious applications. the data needs and information accesses transparent to1 Apple iOS, formally known as iPhone OS, is the operating system that is running on Apples" iPhone, iPod Touch, and iPad products. users. With Apple iOS, the situation is different. In prin- ciple, there are no technical mechanisms that limit the ac- cess that an application has. Instead, users are protected by Apple"s developer license agreement [3]. This document defines the acceptable terms for access to sensitive data. An mitting any data unless the user expresses her explicit con- sent. Moreover, an application can ask for permission only when the data is directly required to implement a certain functionality of the application. To enforce the restrictions set out in the license agreement, Apple has introduced a vet- ting process. During the vetting process, Apple scrutinizes all applica- tions submitted by third-party developers. If an application is determined to be in compliance with the licencing agree- ment, it is accepted, digitally signed, and made available through the iTunes App Store. It is important to observe that accessing the App Store is the only way for users with unmodified iOS devices to install applications. This ensures other Apple products). To be able to install and execute other applications, it is necessary to "jailbreak" the device and disable the check that ensures that only properly signed programs can run. Unfortunately, the exact details of the vetting process are not known publicly. This makes it difficult to fully trust third-party applications, and it raises doubts about the proper protection of users" data. Moreover, there are known instances (e.g., [20]) in which a malicious application has passed the vetting process, only to be removed from the App Store later when Apple became aware of its offend- ing behavior. For example, in 2009, when Apple realized that the applications created byStorm8harvested users phone numbers and other personal information, all applica- tions from this developer were removed from the App Store. The goal of the work described in this paper is to au- tomatically analyze iOS applications and to study the threat theyposetouserdata. Asasideeffect, thisalsoshinessome light on the (almost mysterious) vetting process, as we ob- tain a better understanding of the kinds of information that iOS applications access without asking the user. To analyze iOS applications, we developed PiOS, an automated tool that can identify possible privacy breaches. PiOS uses static analysis to check applications for the presence of code paths where an application first accesses sensitive information and subsequently transmits this infor- mation over the network. Since no source code is avail- able, PiOS has to perform its analysis directly on the bina- ries. While static, binary analysis is already challenging, the work is further complicated by the fact that most iOS applications are developed in Objective-C. Objective-C is a superset of the C programming lan-guage that extends it with object-oriented features. Typi-cal applications make heavy use of objects, and most func-
tion calls are actually object method invocations. Moreover, these method invocations are all funneled through a single dispatch (send message) routine. This makes it difficult to program. However, a CFG is the starting point required for most other interesting program analysis. Thus, we had to develop novel techniques to reconstruct meaningful CFGs for iOS applications. Based on the control flow graphs, we could then perform data flow analysis to identify flows permission. Using PiOS, we analyzed 825 free applications available on the iTunes App Store. Moreover, we also examined 582 applications offered through the Cydia repository. The Cy- dia repository is similar to the App Store in that it offers a collection of iOS applications. However, it is not associ- ated with Apple, and hence, can only be used by jailbroken devices. By checking applications both from the official Apple App Store and Cydia, we can examine whether the risk of privacy leaks increases if unvetted applications are installed.The contributions of this paper are as follows:
•We present a novel approach that is able to automati- cally create comprehensive CFGs from binaries com- piled from Objective-C code. We can then perform reachability analysis on these CFGs to identify possi- ble leaks of sensitive information from a mobile device to third parties. •We describe the prototype implementation of our ap- proach, PiOS, that is able to analyze large bodies of iPhone applications, and automatically determines if these applications leak out any private information. •To show the feasibility of our approach, we have ana- lyzedmorethan1,400iPhoneapplications. Ourresults demonstrate that a majority of applications leak the de- vice ID. However, with a few notable exceptions, ap- plications do respect personal identifiable information. This is even true for applications that are not vetted byApple.
2 System Overview
The goal of PiOS is to detect privacy leaks in applica- tions written for iOS. This makes is necessary to first con- cretize our notion of a privacy leak. We define as a privacy leak any event in which an iOS application reads sensitive data from the device and sends this data to a third party without the user"s consent. To request the user"s consent, the application displays a message (via the device"s UI) that specifies the data item that should be accessed. Moreover, the user is given the choice of either granting or denying the access. When an application does not ask for user permis- sion, it is in direct violation of theiPhone developer pro- gram license agreement[3], which mandates that no sensi- tive data may be transmitted unless the user has expressed her explicit consent. ask for access permissions only when the proper function- ality of the application depends on the availability of the data. Unfortunately, this requirement makes it necessary to understand the semantics of the application and its intended use. Thus, in this paper, we do not consider privacy vio- lations where the user is explicitly asked to grant access to data, but this data is not essential to the program"s function- ality. In a next step, we have to decide the types of informa- tion that constitute sensitive user data. Turning to the Apple license agreement is of little help. Unfortunately, the text does neither precisely define user data nor enumerate func- tions that should be considered sensitive. Since the focus of this work is to detect leaks in general, we take a loose approach and consider a wide variety of data that can be accessed through the iOS API as being potentially sensi- tive. In particular, we used the open-source iOS application Spyphone [17] as inspiration. The purpose of Spyphone is to demonstrate that a significant number of interesting data elements (user and device information) is accessible to pro- grams. Since this is exactly the type of information that we are interested in tracking, we consider these data elements as sensitive. A more detailed overview of sensitive data el- ements is presented in Section 5. Data flow analysis.The problem of finding privacy leaks in applications can be framed as a data flow problem. That is, we can find privacy leaks by identifying data flows from input functions that access sensitive data (calledsources) to functions that transmit this data to third parties (called sinks). We also need to check that the user is not asked for permission. Of course, it would be relatively easy to find the location of functions that interact with the user, for ex- ample, by displaying a message box. However, it is more challenging to automatically determine whether this inter- action actually has the intent of warning the user about the access to sensitive data. In our approach, we use the fol- lowing heuristic: Whenever there is any user interaction between the point where sensitive information is accessed and the point where this information could be transferred to a third party, we optimistically assume that the purpose of this interaction is to properly warn the user. As shown in Figure 1, PiOS performs three steps when checking an iOS application for privacy leaks. First, PiOS reconstructs the control flow graph (CFG) of the applica-tion. The CFG is the underlying data structure (graph) thatis used to find code paths from sensitive sources to sinks.
Normally, a CFG is relatively straightforward to extract, even when only the binary code is available. Unfortunately, the situation is different for iOS applications. This is be- cause almost all iOS programs are developed in Objective- C. Objective-C programs typically make heavy use of ob- jects. As a result, most function calls are actually invoca- tions of instance methods. To make matters worse, these method invocations are all performed through an indirect call of a single dispatch function. Hence, we require novel binary analysis techniques to resolve method invocations, and to determine which piece of code is eventually invoked by the dispatch routine. For this analysis, we first attempt to reconstruct the class hierarchy and inheritance relation- ships between Objective-C classes. Then, we use backward slicing to identify both the arguments and types of the input parameters to the dispatch routine. This allows us to resolve the actual target of functioncalls with good accuracy. Based on this information, the control flow graph can be built.Inthesecondstep, PiOScheckstheCFGforthepresence
of paths that connect nodes accessing sensitive information (sources) to nodes interacting with the network (sinks). For this, the system performs a standard reachability analysis. In the third and final step, PiOS performs data flow anal- ysis along the paths to verify whether sensitive informa- tion is indeed flowing from the source to the sink. This requires some special handling for library functions that are not present in the binary, especially those with a variable number of arguments. After the data flow analysis has fin- ished, PiOS reports the source/sink pairs for which it could confirm a data flow. These cases constitute privacy leaks. Moreover, the system also outputs the remaining paths for which no data flow was found. This information is useful to be able to focus manual analysis on a few code paths for which the static analysis might have missed an actual data flow.3 Background Information
The goal of this section is to provide the reader with the relevant background information about iOS applications, their Mach-O binary format, and the problems that com- piled Objective-C code causes for static binary analysis. The details of the PiOS system are then presented in later sections.3.1 Objective-C
Objective-C is a strict superset of the C programming language that adds object-oriented features to the basic lan- guage. Originally developed at NextStep, Apple and its lineFigure 1. The PiOS system.
of operating systems is now the driving force behind the development of the Objective-C language. The foundation for the object-oriented aspects in the lan- guage is the notion of a class. Objective-C supports single inheritance, where every class has a single superclass. The class hierarchy is rooted at theNSObjectclass. This is the mostbasicclass. Similartootherobject-orientedlanguages, (static) class variables are shared between all instances of the same class. Instance variables, on the other hand, are specific to a single instance. The same holds for class and instance methods. Protocols and categories.In addition to the features commonly found in object-oriented languages, Objective- C also definesprotocolsandcategories. Protocols resem- ble interfaces, and they define sets of optional or mandatory methods. A class is said to adopt a protocol if it implements at least all mandatory methods of the protocol. Protocols themselves do not provide implementations. Categories resemble aspects, and they are used to extend the capabilities of existing classes by providing the imple- mentations of additional methods. That is, a category al- lows a developer to extend an existing class with additional functionality, even without access to the source code of the original class.Message passing.The major difference between
Objective-C binaries and binaries compiled from other programming languages (such as C or C++) is that, in Objective-C, objects do not call methods of other objects directly or through virtual method tables (vtables). Instead,the interaction between objects is accomplished by sendingmessages. The delivery of these messages is implemented
through a dynamic dispatch function in the Objective-C runtime. To send a message to a receiver object, a pointer to thereceiver, the name of the method (the so-calledselec- tor; a null-terminated string), and the necessary parameters are passed to theobjc_msgSendruntime function. This ing the method that corresponds to the given selector. To this end, theobjc_msgSendfunction traverses the class hierarchy, starting at the receiver object, trying to locate the method that corresponds to the selector. This method can be implemented in either the class itself, or in one of its superclasses. Alternatively, the method can also be part of a category that was previously applied to either the class, or one of its superclasses. If no appropriate method can be found, the runtime returns an "object does not respond to selector" error. Clearly, finding the proper method to invoke is a non- trivial, dynamic process. This makes it challenging to re- solve method calls statically. The process is further compli- cated by the fact that calls are handled by a dispatch func- tion.