iCryptoTracer: Dynamic Analysis on Misuse of Cryptography Functions in iOS Applications

  • Conference paper

Part of the Lecture Notes in Computer Science book series (LNCS, volume 8792)

Abstract

Cryptography is the common means to achieve strong data protection in mobile applications. However, cryptographic misuse is becoming one of the most common issues in development. Attackers usually make use of implementation flaws such as a non-random key/IV to forge exploits and recover valuable secrets. For application developers who may lack knowledge of cryptography, it is urgent to provide an efficient and effective approach to assess whether the application can fulfill its security goal through the use of cryptographic functions. In this work, we design a cryptography diagnosis system, iCryptoTracer. Combining static and dynamic analyses, it traces the iOS application’s usage of cryptographic APIs, extracts the trace log and judges whether the application complies with the generic cryptographic rules along with real-world implementation concerns. We test iCryptoTracer using real devices with various versions of iOS. We diagnose 98 applications from the Apple App Store and find that 64 of them contain various degrees of security flaws caused by cryptographic misuse. To provide a proof of concept, we launch ethical attacks on two applications respectively. The encrypted secret information can be easily revealed and the encryption keys can also be restored.

Keywords

  • Cryptographic Primitive
  • Privacy Leak
  • Cryptographic Function
  • Online Payment
  • Item Exam

These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.

  • DOI: 10.1007/978-3-319-11698-3_27
  • Chapter length: 14 pages

Copyright information

© 2014 Springer International Publishing Switzerland

About this paper

Cite this paper

Li, Y., Zhang, Y., Li, J., Gu, D. (2014). iCryptoTracer: Dynamic Analysis on Misuse of Cryptography Functions in iOS Applications. In: Au, M.H., Carminati, B., Kuo, CC.J. (eds) Network and System Security. NSS 2015. Lecture Notes in Computer Science, vol 8792. Springer, Cham. https://doi.org/10.1007/978-3-319-11698-3_27

  • DOI: https://doi.org/10.1007/978-3-319-11698-3_27

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-11697-6

  • Online ISBN: 978-3-319-11698-3

  • eBook Packages: Computer Science, Computer Science (R0)