iRiS: Vetting Private API Abuse in iOS Applications

Authors: Zhui Deng, Brendan Saltaformaggio, Xiangyu Zhang, Dongyan Xu

DOI: 10.1145/2810103.2813675

Keywords:

Abstract: With the booming sale of iOS devices, the number of iOS applications has increased significantly in recent years. To protect the security of iOS users, Apple requires every application to go through a vetting process called App Review to detect uses of private APIs that provide access to sensitive user information. However, attacks have shown the feasibility of using private APIs without being detected during App Review. To counter such attacks, we propose a new system, iRiS, in this paper. iRiS first applies fast static analysis to resolve API calls. For those that cannot be statically resolved, it uses a novel iterative dynamic analysis approach, which is slower but more powerful compared to static analysis. We ported Valgrind to iOS and implemented a prototype of iRiS on top of it. We evaluated iRiS with 2019 applications from the official App Store. From these, iRiS identified 146 (7%) applications that use a total of 150 different private APIs, including 25 security-critical APIs that access sensitive user information, such as the device serial number. By analyzing iOS applications with iRiS, we also identified a suspicious advertisement service provider that collects user privacy information in its advertisement serving library. Our results show that, contrary to popular belief, a nontrivial number of iOS applications that violate Apple's terms of service exist, and iRiS is effective in detecting private API abuse missed by App Review.

References (25)
Zhaohui Wang, Ryan Johnson, Rahul Murmuria, Angelos Stavrou. Exposing Security Risks for Commercial Mobile Devices. Lecture Notes in Computer Science, pp. 3-21 (2012). DOI: 10.1007/978-3-642-33704-8_2
Robert Watson, Wayne Morrison, Chris Vance, Brian Feldman. The TrustedBSD MAC Framework: Extensible Kernel Access Control for FreeBSD 5.0. USENIX Annual Technical Conference, pp. 285-296 (2003)
Fabrice Bellard. QEMU, a fast and portable dynamic translator. USENIX Annual Technical Conference, pp. 41-41 (2005)
Martin Szydlowski, Manuel Egele, Christopher Kruegel, Giovanni Vigna. Challenges for dynamic analysis of iOS applications. iNetSec'11: Proceedings of the 2011 IFIP WG 11.4 International Conference on Open Problems in Network Security, pp. 65-77 (2011). DOI: 10.1007/978-3-642-27585-2_6
Manuel Egele, Christopher Kruegel, Engin Kirda, Giovanni Vigna. PiOS: Detecting privacy leaks in iOS applications. Network and Distributed System Security Symposium (2011)
Tielei Wang, Long Lu, Kangjie Lu, Wenke Lee, Simon Chung. Jekyll on iOS: when benign apps become evil. USENIX Security Symposium, pp. 559-572 (2013)
Zhendong Su, Dongyan Xu, Zhiqiang Lin, Zhui Deng, Xiangyu Zhang, Fei Peng. X-Force: force-executing binary programs for security applications. USENIX Security Symposium, pp. 829-844 (2014)
William Enck, Patrick McDaniel, Jaeyeon Jung, Byung-Gon Chun, Peter Gilbert, Anmol N. Sheth, Landon P. Cox. TaintDroid: an information-flow tracking system for realtime privacy monitoring on smartphones. Operating Systems Design and Implementation, pp. 393-407 (2010). DOI: 10.5555/1924943.1924971
Yuan Zhang, Min Yang, Bingquan Xu, Zhemin Yang, Guofei Gu, Peng Ning, X. Sean Wang, Binyu Zang. Vetting undesirable behaviors in Android apps with permission use analysis. Computer and Communications Security, pp. 611-622 (2013). DOI: 10.1145/2508859.2516689
Long Lu, Zhichun Li, Zhenyu Wu, Wenke Lee, Guofei Jiang. CHEX. Proceedings of the 2012 ACM Conference on Computer and Communications Security (CCS '12), pp. 229-240 (2012). DOI: 10.1145/2382196.2382223