Abstract
Cryptography is the common means to achieve strong data protection in mobile applications. However, cryptographic misuse is becoming one of the most common issues in development. Attackers usually make use of those flaws in implementation such as non-random key/IV to forge exploits and recover the valuable secrets. For the application developers who may lack knowledge of cryptography, it is urgent to provide an efficient and effective approach to assess whether the application can fulfill the security goal by the use of cryptographic functions. In this work, we design a cryptography diagnosis system iCryptoTracer. Combined with static and dynamic analyses, it traces the iOS application’s usage of cryptographic APIs, extracts the trace log and judges whether the application complies with the generic cryptographic rules along with real-world implementation concerns. We test iCryptoTracer using real devices with various version of iOS. We diagnose 98 applications from Apple App Store and find that 64 of which contain various degrees of security flaws caused by cryptographic misuse. To provide the proof-of-concept, we launch ethical attacks on two applications respectively. The encrypted secret information can be easily revealed and the encryption keys can also be restored.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
Similar content being viewed by others
References
Esser, S.: Antid0te 2.0 - aslr in ios. In: Hack In the Box (HITB) (2011)
Apple: ios security guide (2014)
Staff, P.: Citibank admits security flaw in its iphone app, http://nypost.com/2010/07/26/citibank-admits-security-flaw-in-its-iphone-app/
Hollister, S.: Starbucks admits its iphone app stores unencrypted user passwords, http://www.theverge.com/2014/1/15/5313648/starbucks-admits-ios-app-stored-passwords-in-plain-text
Bhargavan, K., Fournet, C., Corin, R., Zalinescu, E.: Cryptographically verified implementations for tls. In: Proceedings of the 15th ACM Conference on Computer and Communications Security, pp. 459–468. ACM (2008)
Mitchell, J.C., Mitchell, M., Stern, U.: Automated analysis of cryptographic protocols using murphi, pp. 141–151. IEEE Computer Society Press (1997)
Egele, M., Kruegel, C., Kirda, E., Vigna, G.: Pios: Detecting privacy leaks in ios applications. In: Proceedings of the Network and Distributed System Security Symposium, NDSS (February 2011)
Bellare, M., Rogaway, P.: Introduction to modern cryptography, http://cseweb.ucsd.edu/~mihir/cse207/classnotes.html
Egele, M., Brumley, D., Fratantonio, Y., Kruegel, C.: An empirical study of cryptographic misuse in android applications. In: Proceedings of the 2013 ACM SIGSAC Conference on Computer and Communications Security, CCS 2013, pp. 73–84. ACM, New York (2013)
Cracks, K.J.: Fast ios executable dumper, https://github.com/KJCracks/Clutch
Davi, L., Dmitrienko, A., Egele, M., Fischer, T., Holz, T., Hund, R., Stefan: Mocfi: A framework to mitigate control-flow attacks on smartphones. In: Symposium on Network and Distributed System Security, NDSS (February 2012)
Pewny, J., Holz, T.: Control-flow restrictor: Compiler-based cfi for ios. In: Proceedings of the 29th Annual Computer Security Applications Conference, ACSAC 2013, pp. 309–318. ACM, New York (2013)
Han, J., Yan, Q., Gao, D., Zhou, J., Deng, R.H.: Comparing mobile privacy protection through cross-platform applications. In: Proceedings of the Network and Distributed System Security Symposium (NDSS), San Diego, CA (February 2013)
Han, J., Kywe, S.M., Yan, Q., Bao, F., Deng, R., Gao, D., Li, Y., Zhou, J.: Launching generic attacks on iOS with approved third-party applications. In: Jacobson, M., Locasto, M., Mohassel, P., Safavi-Naini, R. (eds.) ACNS 2013. LNCS, vol. 7954, pp. 272–289. Springer, Heidelberg (2013)
Wang, T., Lu, K., Lu, L., Chung, S., Lee, W.: Jekyll on ios: When benign apps become evil (2013)
Enck, W., Gilbert, P., Chun, B.G., Cox, L.P., Jung, J., McDaniel, P., Sheth, A.N.: Taintdroid: An information-flow tracking system for realtime privacy monitoring on smartphones. In: Proceedings of the 9th USENIX Conference on Operating Systems Design and Implementation, OSDI 2010, pp. 1–6. USENIX Association, Berkeley (2010)
Szydlowski, M., Egele, M., Kruegel, C., Vigna, G.: Challenges for dynamic analysis of iOS applications. In: Camenisch, J., Kesdogan, D. (eds.) iNetSec 2011. LNCS, vol. 7039, pp. 65–77. Springer, Heidelberg (2012)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2014 Springer International Publishing Switzerland
About this paper
Cite this paper
Li, Y., Zhang, Y., Li, J., Gu, D. (2014). iCryptoTracer: Dynamic Analysis on Misuse of Cryptography Functions in iOS Applications. In: Au, M.H., Carminati, B., Kuo, CC.J. (eds) Network and System Security. NSS 2015. Lecture Notes in Computer Science, vol 8792. Springer, Cham. https://doi.org/10.1007/978-3-319-11698-3_27
Download citation
DOI: https://doi.org/10.1007/978-3-319-11698-3_27
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-11697-6
Online ISBN: 978-3-319-11698-3
eBook Packages: Computer ScienceComputer Science (R0)