PiOS: Detecting privacy leaks in iOS applications (paper)

2011 · Cited by 463
Topics: Advanced Malware Detection Techniques; Security and Verification in Computing; Digital and Cyber Forensics

Abstract

With the introduction of Apple’s iOS and Google’s Android operating systems, the sales of smartphones have exploded. These smartphones have become powerful devices that are basically miniature versions of personal computers. However, the growing popularity and sophistication of smartphones have also increased concerns about the privacy of users who operate these devices. These concerns have been exacerbated by the fact that it has become increasingly easy for users to install and execute third-party applications. To protect its users from malicious applications, Apple has introduced a vetting process. This vetting process should ensure that all applications conform to Apple’s (privacy) rules before they can be offered via the App Store. Unfortunately, this vetting process is not well-documented, and there have been cases where malicious applications had to be removed from the App Store after user complaints.

In this paper, we study the privacy threats that applications, written for Apple’s iOS, pose to users. To this end, we present a novel approach and a tool, PiOS, that allow us to analyze programs for possible leaks of sensitive information from a mobile device to third parties. PiOS uses static analysis to detect data flows in Mach-O binaries, compiled from Objective-C code. This is a challenging task due to the way in which Objective-C method calls are implemented. We have analyzed more than 1,400 iPhone applications. Our experiments show that, with the exception of a few bad apples, most applications respect personal identifiable information stored on user’s devices. This is even true for applications that are hosted on an unofficial repository (Cydia) and that only run on jailbroken phones. However, we found that more than half of the applications surreptitiously leak the unique ID of the device they are running on. This allows third-parties to create detailed profiles of users’ application preferences and usage patterns.
