Detecting Privacy Leaks in iPhone Applications

In the upcoming NDSS 2011 conference in San Diego, one of the papers our team will be presenting is Manuel‘s work on detecting privacy leaks in iPhone applications. The sales of smartphones have exploded recently — especially because of mobile phone operating systems such as Apple’s iOS and Google’s Android. These smartphones  have become powerful devices that are basically miniature versions  of personal computers. As is often the case, as a technology grows in popularity, so do security concerns. These concerns have been  exacerbated by the fact that it has become increasingly easy for  users to install and execute third-party applications. To protect  its users from malicious applications, Apple has introduced a  vetting process. The idea is that this vetting process should ensure that all  applications conform to Apple’s (privacy) rules before they can be  offered via the App Store. Unfortunately, this vetting process is  not well-documented, and there have been cases where malicious  applications had to be removed from the App Store after user  complaints.

In our paper, we study the privacy threats that applications,  written for Apple’s iOS, pose to users. We present a  novel approach and a tool, PiOS, that allow us to analyze programs  for possible leaks of sensitive information from a mobile device  to third parties.

PiOS uses static analysis to detect data flows in  Mach-0 binaries, compiled from Objective-C code. Unfortunately, this is not a trivial task. In fact, it is quite challenging due to the way in which Objective-C method calls  are implemented. We have analyzed more than 1,400 iPhone  applications. Our experiments show that, with the exception of a few  bad apples, most applications respect personal identifiable  information stored on user’s devices. This is even true for  applications that are hosted on an unofficial repository (Cydia) and  that only run on jailbroken phones. However, we found that more than  half of the applications surreptitiously leak the unique ID of the  device they are running on. This  allows third-parties to create detailed profiles of users’  application preferences and usage patterns.

About engiman
This entry was posted in Binary Analysis, General, Privacy. Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s