Enpublic apps: Security threats using iOS enterprise and developer certificates
Refereed conference paper presented and published in conference proceedings

Other information
Abstract: Compared with Android, the conventional wisdom is that iOS is more secure. However, both jailbroken and non-jailbroken iOS devices have a number of vulnerabilities. For iOS, apps need to interact with the underlying system using Application Programming Interfaces (APIs). Some of these APIs remain undocumented, and Apple forbids apps in the App Store from using them. These APIs, also known as "private APIs", provide powerful features to developers, yet they may have serious security consequences if misused. Furthermore, apps which use private APIs can bypass the App Store and use Apple's Enterprise/Developer Certificates for distribution. This poses a significant threat to the iOS ecosystem. So far, there has been no formal study to understand these apps and how private APIs are being encapsulated. We call iOS apps that are distributed to the public using enterprise certificates "enpublic" apps. In this paper, we present the design and implementation of iAnalytics, which can automatically analyze "enpublic" apps' private API usages and vulnerabilities. Using iAnalytics, we crawled and analyzed 1,408 enpublic iOS apps. We discovered that 844 (60%) of the 1,408 apps do use private APIs, 14 (1%) apps contain URL scheme vulnerabilities, and 901 (64%) enpublic apps transport sensitive information through an unencrypted channel or store the information in plaintext on the phone. In addition, we summarized 25 private APIs which are crucial and security sensitive on iOS 6/7/8, and we have filed one CVE (Common Vulnerabilities and Exposures) for iOS devices.
All Author(s) List: Zheng M., Xue H., Zhang Y., Wei T., Lui J.C.S.
Name of Conference: 10th ACM Symposium on Information, Computer and Communications Security, ASIACCS 2015
Start Date of Conference: 14/04/2015
End Date of Conference: 17/04/2015
Place of Conference: Singapore
Country/Region of Conference: Singapore
Detailed description: organized by ACM,
Pages: 463 - 474
Languages: English-United Kingdom

Last updated on 2020-05-08 at 01:38