PSiOS: Bring Your Own Privacy & Security to iOS Devices

Tim Werthmann, Ralf Hund, Lucas Davi, Ahmad-Reza Sadeghi, Thorsten Holz

ACM Symposium on Information, Computer and Communications Security (ASIACCS), Hangzhou, China, May 2013 - **Distinguished Paper Award**


Abstract

Apple iOS is one of the most popular mobile operating systems. As its core security technology, iOS provides application sandboxing but assigns a generic sandboxing pro file to every third-party application. However, recent attacks and incidents with benign applications demonstrate that this design decision is vulnerable to crucial privacy and security breaches, allowing applications (either benign or malicious) to access contacts, location, photos, and device information. Moreover, the dynamic character of iOS applications written in Objective-C renders the currently proposed static analysis tools less useful.

In this paper, we aim to address the open problem of preventing (not only detecting) privacy leaks and simultaneously strengthening security against runtime attacks on iOS. Compared to similar research work on the open Android, realizing such a system for the closed-source iOS is highly involved.

We present the design and implementation of PSiOS, a tool that features a novel policy enforcement framework for iOS. It provides ine-grained, application-specifi c, and user/administrator de fined sandboxing for each third-party application without requiring access to the application source code. Our reference implementation deploys control-flow integrity based on the recently proposed MoCFI (Mobile CFI) framework that only protects applications against runtime attacks. We evaluated several popular iOS applications (e.g., Facebook, WhatsApp) to demonstrate the eficiency and eff ectiveness of PSiOS.

[pdf]

Tags: Control Flow Integrity, Mobile Security, privacy