Launching Generic Attacks on iOS with Approved Third-Party Applications

  • Jin Han
  • Su Mon Kywe
  • Qiang Yan
  • Feng Bao
  • Robert Deng
  • Debin Gao
  • Yingjiu Li
  • Jianying Zhou
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7954)

Abstract

iOS is Apple’s mobile operating system, which is used on iPhone, iPad and iPod touch. Any third-party applications developed for iOS devices are required to go through Apple’s application vetting process and appear on the official iTunes App Store upon approval. When an application is downloaded from the store and installed on an iOS device, it is given a limited set of privileges, which are enforced by iOS application sandbox. Although details of the vetting process and the sandbox are kept as black box by Apple, it was generally believed that these iOS security mechanisms are effective in defending against malwares.

In this paper, we propose a generic attack vector that enables third-party applications to launch attacks on non-jailbroken iOS devices. Following this generic attack mechanism, we are able to construct multiple proof-of-concept attacks, such as cracking device PIN and taking snapshots without user’s awareness. Our applications embedded with the attack codes have passed Apple’s vetting process and work as intended on non-jailbroken devices. Our proof-of-concept attacks have shown that Apple’s vetting process and iOS sandbox have weaknesses which can be exploited by third-party applications. We further provide corresponding mitigation strategies for both vetting and sandbox mechanisms, in order to defend against the proposed attack vector.

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. 1.
    Apple Press Info: App Store Tops 40 Billion Downloads with Almost Half in 2012 (January 2013), http://www.apple.com/pr/library/2013/01/07App-Store-Tops-40-Billion-Downloads-with-Almost-Half-in-2012.html
  2. 2.
    Safe and Savvy: How secure is your iPhone (June 2012), http://safeandsavvy.f-secure.com/2012/06/29/how-secure-is-your-iphone/
  3. 3.
    Felt, A.P., Finifter, M., Chin, E., Hanna, S., Wagner, D.: A survey of mobile malware in the wild. In: Proceedings of the ACM Workshop on Security and Privacy in Smartphones and Mobile Devices, pp. 3–14 (2011)Google Scholar
  4. 4.
  5. 5.
    Han, J., Yan, Q., Gao, D., Zhou, J., Deng, R.H.: Comparing Mobile Privacy Protection through Cross-Platform Applications. In: Proceedings of the Network and Distributed System Security Symposium (February 2013)Google Scholar
  6. 6.
    macgasm.net: IT Professionals Rank iOS As Most Secure Mobile OS (August 2012), http://www.macgasm.net/2012/08/17/it-professionals-rank-ios-as-most-secure-mobile-os/
  7. 7.
    NakedSecurity: First iphone worm discovered - ikee changes wallpaper to rick astley photo (November 2009), http://nakedsecurity.sophos.com/2009/11/08/iphone-worm-discovered-wallpaper-rick-astley-photo/
  8. 8.
    NakedSecurity: Hacked iphones held hostage for 5 euros, http://nakedsecurity.sophos.com/2009/11/03/hacked-iphones-held-hostage-5-euros/
  9. 9.
    Damopoulos, D., Kambourakis, G., Gritzalis, S.: iSAM: An iPhone Stealth Airborne Malware. In: Camenisch, J., Fischer-Hübner, S., Murayama, Y., Portmann, A., Rieder, C. (eds.) SEC 2011. IFIP AICT, vol. 354, pp. 17–28. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  10. 10.
    Kravets, D.: ABCNews: Jailbreaking iPhone Legal, U.S. Government Says, http://abcnews.go.com/Technology/story?id=11254253
  11. 11.
  12. 12.
    Freeman, J.: Cydia, an alternative to Apple’s App Store for jailbroken iOS devices, http://cydia.saurik.com/
  13. 13.
    Apple Developer: Xcode, Apple’s integrated development environment for creating apps for Mac and iOS, https://developer.apple.com/xcode/
  14. 14.
    Seriot, N.: iOS 6 runtime headers, https://github.com/nst/iOS-Runtime-Headers
  15. 15.
    Seriot, N.: Objective-C Runtime Browser, for Mac OS X and iOS, https://github.com/nst/RuntimeBrowser/
  16. 16.
    Godefroid, P., Levin, M.Y., Molnar, D.A.: Automated Whitebox Fuzz Testing. In: Proceedings of the Network and Distributed System Security Symposium (2008)Google Scholar
  17. 17.
    Person, S., Yang, G., Rungta, N., Khurshid, S.: Directed incremental symbolic execution. In: Proceedings of the 32nd ACM SIGPLAN Conference on Programming Language Design and Implementation, pp. 504–515 (2011)Google Scholar
  18. 18.
    Kang, M.G., McCamant, S., Poosankam, P., Song, D.: DTA++: Dynamic Taint Analysis with Targeted Control-Flow Propagation. In: Proceedings of the Network and Distributed System Security Symposium (2011)Google Scholar
  19. 19.
    apple.com: Apple Open Source Projects, http://www.apple.com/opensource/
  20. 20.
    Seriot, N.: iPhone Privacy. In: Black Hat DC (2010)Google Scholar
  21. 21.
    Egele, M., Kruegel, C., Kirda, E., Vigna, G.: PiOS: Detecting Privacy Leaks in iOS Applications. In: Proceedings of the Network and Distributed System Security Symposium (2011)Google Scholar
  22. 22.
    Felt, A.P., Wang, H.J., Moshchuk, A., Hanna, S., Chin, E.: Permission re-delegation: attacks and defenses. In: Proceedings of the 20th USENIX Security Symposium (2011)Google Scholar
  23. 23.
    Bugiel, S., Davi, L., Dmitrienko, A., Fischer, T., Sadeghi, A.R., Shastry, B.: Towards taming privilege-escalation attacks on android. In: Annual Network & Distributed System Security Symposium (February 2012)Google Scholar
  24. 24.
    Enck, W., Octeau, D., McDaniel, P., Chaudhuri, S.: A study of android application security. In: USENIX Security Symposium (2011)Google Scholar
  25. 25.
    Enck, W., Gilbert, P., Chun, B.G., Cox, L.P., Jung, J., McDaniel, P., Sheth, A.N.: Taintdroid: an information-flow tracking system for realtime privacy monitoring on smartphones. In: OSDI (2010)Google Scholar
  26. 26.
    Becher, M., Freiling, F.C., Hoffmann, J., Holz, T., Uellenbeck, S., Wolf, C.: Mobile Security Catching Up? Revealing the Nuts and Bolts of the Security of Mobile Devices. In: Proceedings of the IEEE Symposium on Security and Privacy (2011)Google Scholar
  27. 27.
    Egners, A., Marschollek, B., Meyer, U.: Hackers in Your Pocket: A Survey of Smartphone Security Across Platforms, Technical Report (2012)Google Scholar
  28. 28.
    Miller, C.: Apple lets malware into App Store (2011), http://nakedsecurity.sophos.com/2011/11/08/apples-app-store-security-compromised/

Copyright information

© Springer-Verlag Berlin Heidelberg 2013

Authors and Affiliations

  • Jin Han
    • 1
  • Su Mon Kywe
    • 2
  • Qiang Yan
    • 2
  • Feng Bao
    • 1
  • Robert Deng
    • 2
  • Debin Gao
    • 2
  • Yingjiu Li
    • 2
  • Jianying Zhou
    • 1
  1. 1.Institute for Infocomm ResearchSingapore
  2. 2.Singapore Management UniversitySingapore

Personalised recommendations