Challenges for Dynamic Analysis of iOS Applications

  • Martin Szydlowski
  • Manuel Egele
  • Christopher Kruegel
  • Giovanni Vigna
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7039)


Recent research indicates that mobile platforms, such as Android and Apple’s iOS increasingly face the threat of malware. These threats range from spyware that steals privacy sensitive information, such as location data or address book contents to malware that tries to collect ransom from users by locking the device and therefore rendering the device useless. Therefore, powerful analysis techniques and tools are necessary to quickly provide an analyst with the necessary information about an application to assess whether this application contains potentially malicious functionality.

In this work, we focus on the challenges and open problems that have to be overcome to create dynamic analysis solutions for iOS applications. Additionally, we present two proof-of-concept implementations tackling two of these challenges. First, we present a basic dynamic analysis approach for iOS applications demonstrating the feasibility of dynamic analysis on iOS. Second, addressing the challenge that iOS applications are almost always user interface driven, we also present an approach to automatically exercise an application’s user interface. The necessity of exercising application user interfaces is demonstrated by the difference in code coverage that we achieve with (60%) and without (16%) such techniques. Therefore, this work is a first step towards comprehensive dynamic analysis for iOS applications.


Dynamic Analysis Mobile Platform Malicious Application USENIX Security Symposium Graphical User Interface Interaction 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. 1.
    Apps - Android Market,
  2. 2.
  3. 3.
    iPhone Developer Program License Agreement,
  4. 4.
    Avgerinos, T., Cha, S.K., Hao, B.L.T., Brumley, D.: Aeg: Automatic exploit generation. In: 17th Annual Network and Distributed System Security Symposium, NDSS 2011 (2011)Google Scholar
  5. 5.
    Balduzzi, M., Egele, M., Kirda, E., Balzarotti, D., Kruegel, C.: A solution for the automated detection of clickjacking attacks. In: ASIACCS 2010: Proceedings of the 5th ACM Symposium on Information, Computer and Communications Security, pp. 135–144. ACM, New York (2010)CrossRefGoogle Scholar
  6. 6.
    Beschizza, R.: iPhone game dev accused of stealing players’ phone numbers,
  7. 7.
    Chow, J., Pfaff, B., Garfinkel, T., Christopher, K., Rosenblum, M.: Understanding data lifetime via whole system simulation. In: Proceedings of the 13th USENIX Security Symposium (August 2004)Google Scholar
  8. 8.
    Dinaburg, A., Royal, P., Sharif, M.I., Lee, W.: Ether: malware analysis via hardware virtualization extensions. In: ACM Conference on Computer and Communications Security (CCS), pp. 51–62 (2008)Google Scholar
  9. 9.
    Egele, M., Kruegel, C., Kirda, E., Vigna, G.: PiOS: Detecting Privacy Leaks in iOS Applications. In: 17th Annual Network and Distributed System Security Symposium, NDSS 2011 (2011)Google Scholar
  10. 10.
    Egele, M., Kruegel, C., Kirda, E., Yin, H., Song, D.X.: Dynamic spyware analysis. In: Proceedings of the 2007 USENIX Annual Technical Conference, pp. 233–246 (2007)Google Scholar
  11. 11.
    Egele, M., Scholte, T., Kirda, E., Kruegel, C.: A survey on automated dynamic malware analysis techniques and tools. ACM Computing Surveys (to appear)Google Scholar
  12. 12.
    Enck, W., Gilbert, P., Chun, B.-G., Cox, L.P., Jung, J., McDaniel, P., Sheth, A.N.: TaintDroid: an information-flow tracking system for realtime privacy monitoring on smartphones. In: Proceedings of OSDI 2010 (October 2010)Google Scholar
  13. 13.
    Enck, W., Octeau, D., McDaniel, P., Chaudhuri, S.: A Study of Android Application Security. In: Proceedings of the 20th USENIX Security Symposium (August 2011)Google Scholar
  14. 14.
    Enck, W., Ongtang, M., McDaniel, P.: Understanding android security. IEEE Security and Privacy 7(1), 50–57 (2009)CrossRefGoogle Scholar
  15. 15.
    Felt, A.P., Finifter, M., Chin, E., Hanna, S., Wagner, D.: A Survey of Mobile Malware in the Wild. In: ACM Workshop on Security and Privacy in Mobile Devices (SPSM), Chicago, IL, USA (October 2011)Google Scholar
  16. 16.
    B.R. for The Register. iphone app grabs your mobile number,
  17. 17.
    Hallaraker, O., Vigna, G.: Detecting malicious javascript code in mozilla. In: 10th International Conference on Engineering of Complex Computer Systems (ICECCS 2005), pp. 85–94 (2005)Google Scholar
  18. 18.
    Hunt, G., Brubacher, D.: Detours: binary interception of Win32 functions. In: 3rd USENIX Windows NT Symposium, pp. 135–143. USENIX Association, Berkeley (1999)Google Scholar
  19. 19.
    Mulliner, C., Vigna, G., Dagon, D., Lee, W.: Using Labeling to Prevent Cross-Service Attacks Against Smart Phones. In: Büschkes, R., Laskov, P. (eds.) DIMVA 2006. LNCS, vol. 4064, pp. 91–108. Springer, Heidelberg (2006)Google Scholar
  20. 20.
    Mutz, D., Valeur, F., Vigna, G., Krügel, C.: Anomalous system call detection. ACM Trans. Inf. Syst. Secur. 9(1), 61–93 (2006)CrossRefGoogle Scholar
  21. 21.
    Portokalidis, G., Slowinska, A., Bos, H.: Argos: an emulator for fingerprinting zero-day attacks for advertised honeypots with automatic signature generation. In: Proceedings of the 2006 EuroSys Conference, pp. 15–27 (2006)Google Scholar
  22. 22.
    Vasudevan, A., Yerraballi, R.: Stealth breakpoints. In: 21st Annual Computer Security Applications Conference (ACSAC), pp. 381–392 (2005)Google Scholar
  23. 23.
    Vasudevan, A., Yerraballi, R.: Cobra: Fine-grained malware analysis using stealth localized-executions. In: IEEE Symposium on Security and Privacy, pp. 264–279 (2006)Google Scholar
  24. 24.
    Vasudevan, A., Yerraballi, R.: Spike: engineering malware analysis tools using unobtrusive binary-instrumentation. In: Proceedings of the 29th Australasian Computer Science Conference, pp. 311–320 (2006)Google Scholar
  25. 25.
    Willems, C., Holz, T., Freiling, F.: Toward automated dynamic malware analysis using CWSandbox. IEEE Security and Privacy 5(2), 32–39 (2007)CrossRefGoogle Scholar
  26. 26.
    Wired. Apple Approves, Pulls Flashlight App with Hidden Tethering Mode,
  27. 27.
    Yin, H., Song, D.X., Egele, M., Kruegel, C., Kirda, E.: Panorama: capturing system-wide information flow for malware detection and analysis. In: ACM Conference on Computer and Communications Security (CCS), pp. 116–127 (2007)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  • Martin Szydlowski
    • 1
  • Manuel Egele
    • 2
  • Christopher Kruegel
    • 2
  • Giovanni Vigna
    • 2
  1. 1.Secure Systems LabVienna University of TechnologyAustria
  2. 2.University of CaliforniaSanta BarbaraUSA

Personalised recommendations