Embed Size (px)
Citation preview
iOS, Your OS, Everybody's OS: Vetting and Analyzing Network Services of iOS Applications
Zhushou Tang1,6, Ke Tang1, Minhui Xue2, Yuan Tian3, Sen Chen4, Muhammad Ikram5, Tielei Wang6, Haojin Zhu1
1 Shanghai Jiao Tong University2 The University of Adelaide3 University of Virginia4 Nanyang Technological University5 Macquarie University6 PWNZEN InfoTech Co., LTD
Introduction
• Network service is used to provide networked data storage, or other online functionality to apps. • Network service is wildly used in mobile applications.
- Mobile device management. - Receive command from a peripheral equipment (IoT device).
- File delivering, voice calls, etc., (Point-to-Point Network).
- File or media sharing, etc., (Content Delivery Network).
Introduction
• Network service is used to provide networked data storage, or other online functionality to apps. • Network service is wildly used in mobile applications.
- Mobile device management. - Receive command from a peripheral equipment (IoT device).
- File delivering, voice calls, etc., (Point-to-Point Network).
- File or media sharing, etc., (Content Delivery Network).
Projects app UI via USB Connection
Touch events on the in-vehicle device
The app turns the device to a server
Introduction
Motivation
Smartphone applications that provide network service introduce significant security and privacy threats for users1.
1 http://xlab.baidu.com/wp-content/uploads/2016/01/wormhole_external_final.pdf
Introduction
Motivation
Smartphone applications that provide network service introduce significant security and privacy threats for users1.
Related work
• JIA et al. EuroS&P’17 Bu et al. FSE’17 WU et al. NDSS’19.
1 http://xlab.baidu.com/wp-content/uploads/2016/01/wormhole_external_final.pdf
Introduction
Motivation
Smartphone applications that provide network service introduce significant security and privacy threats for users1.
Goals • Vetting and analyzing network services of iOS applications.
• Understanding network service of iOS ecosystem.
Related work
• JIA et al. EuroS&P’17 Bu et al. FSE’17 WU et al. NDSS’19.
1 http://xlab.baidu.com/wp-content/uploads/2016/01/wormhole_external_final.pdf
Challenges & Design Overview
Public repository of iOS apps is not available
Practical tools for automatically analyzing iOS apps
are not well developed.
Network service
libraries of iOS apps are not available.
Challenges & Design Overview
Public repository of iOS apps is not available
Practical tools for automatically analyzing iOS apps
are not well developed.
Network service
libraries of iOS apps are not available.
iOS Apps Collection
Key steps:
• Download apps from iTunes app
store utilizing iTunes’ dll file
• Decrypt the app by only delivering
the executable
iOS Apps Collection
Performance of decryption
iOS Apps Collection
Performance of decryptioniOS app dataset
Workflow of Vetting
1,300 seed apps Dynamic analysis Static analysis Manual confirmation
Vetting
Dynamic Analysis
• Check which app provides a network service by
inspecting network interface
- Implement an “addon” for jailbroken iOS devices
- Redirect the _bind API calls - Parse parameters of _bind API
Dynamic Analysis
• Check which app provides a network service by
inspecting network interface
- Implement an “addon” for jailbroken iOS devices
- Redirect the _bind API calls - Parse parameters of _bind API
• Call stack extraction
- The call stack is preserved by our “addon” for network
service library analysis
Vetting
Dynamic Analysis - Results
• Three categories of network interfaces: - The dynamic port to which a socket binds is usually used for in-app
communication.
- Attack target network service on loopback interface is not practical in iOS .
- For apps that use the LAN interface, we run static analysis on them later.
Vetting
Dynamic Analysis - Results
• Three categories of network interfaces: - The dynamic port to which a socket binds is usually used for in-app
communication.
- Attack target network service on loopback interface is not practical in iOS .
- For apps that use the LAN interface, we run static analysis on them later.
Vetting
Dynamic Analysis - Results
• Three categories of network interfaces: - The dynamic port to which a socket binds is usually used for in-app
communication.
- Attack target network service on loopback interface is not practical in iOS .
- For apps that use the LAN interface, we run static analysis on them later.
Vetting
Static Analysis
• Optimize the open-source framework2
- Supplement semantics of more ARM instructions to the decompiler.
- Convert inter-procedural data-flow analysis to on-demand inter-procedural.
- Formulate and specify rules for the misuse of network services.
2 J Feichtner et al.Automated Binary Analysis on iOS: A Case Study on Cryptographic Misuse in iOS Applications. WISEC’18
Vetting
Performance of static analyzer
Static Analysis - Results
Vetting
Performance of static analyzerStatic analysis result of NOW app
Static Analysis - Results
Vetting
Manual Confirmation
“Dynamic first, static later, and manual confirmation last’'
Rationale behind
• Dynamic analysis can rapidly check for misconfigured network interfaces on a
large scale, allowing us to pinpoint a small portion of candidate network service apps.
• The more time-consuming static analysis can then be used to perform a fine-grained analysis and check for potential vulnerabilities.
• Finally, we verify the identified vulnerabilities manually in order to ensure vulnerabilities are not misidentified.
Vetting
Building Signature for Network Services
Call Stack Analysis
Map the call stack to the executable.
Call stack
Method
0 binddetours.dylib 0x0000000101aaf758 _Z9hook_bindiPK8sockaddrj + 17641 Covet 0x0000000100a1e1f8 FBMonotonicTimeGetCurrentSeconds + 14728442 Covet 0x0000000100a1e608 FBMonotonicTimeGetCurrentSeconds + 14738843 libdispatch.dylib 0x000000019b8b9770 <redacted> + 164 libdispatch.dylib 0x000000019b8c49c4 <redacted> + 1005 Covet 0x0000000100a1e080 FBMonotonicTimeGetCurrentSeconds + 14724686 Covet 0x0000000100a3be60 FBMonotonicTimeGetCurrentSeconds + 15948047 libdispatch.dylib 0x000000019b8b9770 <redacted> + 168 libdispatch.dylib 0x000000019b8c471c <redacted> + 8249 Covet 0x0000000100a3bd94 FBMonotonicTimeGetCurrentSeconds + 159460010 Covet 0x0000000100a720f4 FBMonotonicTimeGetCurrentSeconds + 181664811 Covet 0x0000000100a71f40 FBMonotonicTimeGetCurrentSeconds + 1816212...26 Covet 0x0000000100329600 Covet + 279091227 libdyld.dylib 0x000000019b8ea8b8 <redacted> + 4
__text:000000010099E130 sub_10099E130 ; DATA XREF: -[TJGCDAsyncSocket acceptOnInterface:port:error:]+B0 o __text:000000010099E1F4 BL _bind__text:000000010099E1F8 CMN W0, #1 __text:000000010099E220 ADRP X2, #cfstr_ErrorInListenF@PAGE ; "Error in listen() function"__text:000000010099E224 ADD X2, X2, #cfstr_ErrorInListenF@PAGEOFF ; "Error in listen() function" __text:000000010099E314 RET
__text:00000001009F1FBC ; id __cdecl +[TJCacheProtocol cacheServer](TJCacheProtocol_meta *self, SEL)__text:00000001009F1FBC __TJCacheProtocol_cacheServer_ ; DATA XREF: __objc_const:0000000101566448 o __text:00000001009F20F0 BL _objc_msgSend__text:00000001009F20F4 MOV X24, X0 __text:00000001009F2118 ADRP X3, #cfstr_TapjoyCacheRea@PAGE ; "Tapjoy cache ready"__text:00000001009F211C ADD X3, X3, #cfstr_TapjoyCacheRea@PAGEOFF ; "Tapjoy cache ready" __text:00000001009F218C ; End of function +[TJCacheProtocol cacheServer]
Building Signature for Network Services
To collect system network service APIs, we travel the pointer in the call stack from top to
bottom until we find the API the app code invoked.
Call stack
Method
0 binddetours.dylib 0x0000000101aaf758 _Z9hook_bindiPK8sockaddrj + 17641 Covet 0x0000000100a1e1f8 FBMonotonicTimeGetCurrentSeconds + 14728442 Covet 0x0000000100a1e608 FBMonotonicTimeGetCurrentSeconds + 14738843 libdispatch.dylib 0x000000019b8b9770 <redacted> + 164 libdispatch.dylib 0x000000019b8c49c4 <redacted> + 1005 Covet 0x0000000100a1e080 FBMonotonicTimeGetCurrentSeconds + 14724686 Covet 0x0000000100a3be60 FBMonotonicTimeGetCurrentSeconds + 15948047 libdispatch.dylib 0x000000019b8b9770 <redacted> + 168 libdispatch.dylib 0x000000019b8c471c <redacted> + 8249 Covet 0x0000000100a3bd94 FBMonotonicTimeGetCurrentSeconds + 159460010 Covet 0x0000000100a720f4 FBMonotonicTimeGetCurrentSeconds + 181664811 Covet 0x0000000100a71f40 FBMonotonicTimeGetCurrentSeconds + 1816212...26 Covet 0x0000000100329600 Covet + 279091227 libdyld.dylib 0x000000019b8ea8b8 <redacted> + 4
__text:000000010099E130 sub_10099E130 ; DATA XREF: -[TJGCDAsyncSocket acceptOnInterface:port:error:]+B0 o __text:000000010099E1F4 BL _bind__text:000000010099E1F8 CMN W0, #1 __text:000000010099E220 ADRP X2, #cfstr_ErrorInListenF@PAGE ; "Error in listen() function"__text:000000010099E224 ADD X2, X2, #cfstr_ErrorInListenF@PAGEOFF ; "Error in listen() function" __text:000000010099E314 RET
__text:00000001009F1FBC ; id __cdecl +[TJCacheProtocol cacheServer](TJCacheProtocol_meta *self, SEL)__text:00000001009F1FBC __TJCacheProtocol_cacheServer_ ; DATA XREF: __objc_const:0000000101566448 o __text:00000001009F20F0 BL _objc_msgSend__text:00000001009F20F4 MOV X24, X0 __text:00000001009F2118 ADRP X3, #cfstr_TapjoyCacheRea@PAGE ; "Tapjoy cache ready"__text:00000001009F211C ADD X3, X3, #cfstr_TapjoyCacheRea@PAGEOFF ; "Tapjoy cache ready" __text:00000001009F218C ; End of function +[TJCacheProtocol cacheServer]
Call Stack Analysis
Building Signature for Network Services
Stacks have no enough information, we map the call stacks to Token = t1 ◦ t2 ◦ … ◦ ti.
Call stack
MethodToken
0 binddetours.dylib 0x0000000101aaf758 _Z9hook_bindiPK8sockaddrj + 17641 Covet 0x0000000100a1e1f8 FBMonotonicTimeGetCurrentSeconds + 14728442 Covet 0x0000000100a1e608 FBMonotonicTimeGetCurrentSeconds + 14738843 libdispatch.dylib 0x000000019b8b9770 <redacted> + 164 libdispatch.dylib 0x000000019b8c49c4 <redacted> + 1005 Covet 0x0000000100a1e080 FBMonotonicTimeGetCurrentSeconds + 14724686 Covet 0x0000000100a3be60 FBMonotonicTimeGetCurrentSeconds + 15948047 libdispatch.dylib 0x000000019b8b9770 <redacted> + 168 libdispatch.dylib 0x000000019b8c471c <redacted> + 8249 Covet 0x0000000100a3bd94 FBMonotonicTimeGetCurrentSeconds + 159460010 Covet 0x0000000100a720f4 FBMonotonicTimeGetCurrentSeconds + 181664811 Covet 0x0000000100a71f40 FBMonotonicTimeGetCurrentSeconds + 1816212...26 Covet 0x0000000100329600 Covet + 279091227 libdyld.dylib 0x000000019b8ea8b8 <redacted> + 4
__text:000000010099E130 sub_10099E130 ; DATA XREF: -[TJGCDAsyncSocket acceptOnInterface:port:error:]+B0 o __text:000000010099E1F4 BL _bind__text:000000010099E1F8 CMN W0, #1 __text:000000010099E220 ADRP X2, #cfstr_ErrorInListenF@PAGE ; "Error in listen() function"__text:000000010099E224 ADD X2, X2, #cfstr_ErrorInListenF@PAGEOFF ; "Error in listen() function" __text:000000010099E314 RET
__text:00000001009F1FBC ; id __cdecl +[TJCacheProtocol cacheServer](TJCacheProtocol_meta *self, SEL)__text:00000001009F1FBC __TJCacheProtocol_cacheServer_ ; DATA XREF: __objc_const:0000000101566448 o __text:00000001009F20F0 BL _objc_msgSend__text:00000001009F20F4 MOV X24, X0 __text:00000001009F2118 ADRP X3, #cfstr_TapjoyCacheRea@PAGE ; "Tapjoy cache ready"__text:00000001009F211C ADD X3, X3, #cfstr_TapjoyCacheRea@PAGEOFF ; "Tapjoy cache ready" __text:00000001009F218C ; End of function +[TJCacheProtocol cacheServer]
..."Error in listen() function"..."Error in listen() function"..."+[TJCacheProtocol cacheServer](TJCacheProtocol_meta *self, SEL)"..."Tapjoy cache ready"..."Tapjoy cache ready"...
Call Stack Analysis
Building Signature for Network Services
Tokens corresponding to call stacks is a mixture of third-party libraries and developer’s ti.
Third-Party library code
Developer code
Libby NOW
IPv4 IPv4Failed binding %s listening socket: %s (%i) Failed binding %s listening socket: %s (%i)Failed creating %s listening socket: %s (%i) Failed creating %s listening socket: %s (%i)… …GCDWebServerDelegate *_delegate GCDWebServerDelegate *_delegateOS_dispatch_source *_source4 NSDictionary *_options
…GCDWebServer *_webServer
Tokens of two apps
Call Stack Analysis
Building Signature for Network Services
We assign the ti of third-party libraries a larger weight to increase the similarity ratio of two
different call stacks.
Weight
Libby NOW
IPv4 IPv4Failed binding %s listening socket: %s (%i) Failed binding %s listening socket: %s (%i)Failed creating %s listening socket: %s (%i) Failed creating %s listening socket: %s (%i)… …GCDWebServerDelegate *_delegate GCDWebServerDelegate *_delegateOS_dispatch_source *_source4 NSDictionary *_options
…GCDWebServer *_webServer
Weighted Edit Distance
Call Stack Analysis
Building Signature for Network Services
In practice, we duplicate ti multiple times according to the weight assigned to it. Then use
Levenshtein edit distance ratio algorithm to compute the similarity of two new Tokens.
Libby NOW
[[4, "\"IPv4\""], [4, "\"IPv4\""], [4, "\"IPv6\""], [4, "\"IPv6\""], [4, "\"Failed binding %s listening socket: %s (%i)\""], [4, "\"Failed binding %s listening socket: %s (%i)\""], [4, "\"IPv4\""], [4, "\"IPv4\""], [4, "\"IPv6\""], [4, "\"IPv6\""], [4, "\"Failed creating %s listening socket: %s (%i)\""], [4, "\"Failed creating %s listening socket: %s (%i)\""], [4, "\"IPv4\""], [4, "\"IPv4\""], [4, "\"IPv6\""], [4, "\"IPv6\""], [4, "\"Failed starting %s listening socket: %s (%i)\""], [4, "\"Failed starting %s listening socket: %s (%i)\""], [3, "NSDictionary *_options"], [3, "NSDictionary *_options"], [3, "\"Port\""], [3, "\"Port\""], [3, "\"BindToLocalhost\""], [3, "\"BindToLocalhost\""], [3, "\"MaxPendingConnections\""], [3, "\"MaxPendingConnections\""], [3, "\"Failed retrieving socket address: %s (%i)\""], [3, "\"Failed retrieving socket address: %s (%i)\""], [3, "\"ServerName\""], [3, "\"ServerName\""], [3, "NSString *_serverName"], [3, "NSString *_serverName"], [3, "\"AuthenticationMethod\""], [3, "\"AuthenticationMethod\""], [3, "\"Basic\""], [3, "\"Basic\""], [3, "\"AuthenticationRealm\""], [3, "\"AuthenticationRealm\""], [3, "NSString *_authenticationRealm"], [3, "NSString *_authenticationRealm"], [3, "NSMutableDictionary *_authenticationBasicAccounts"], [3, "NSMutableDictionary *_authenticationBasicAccounts"], [3, "\"AuthenticationAccounts\""], [3,
[[5, "\"IPv4\""], [5, "\"IPv4\""], [5, "\"IPv6\""], [5, "\"IPv6\""], [5, "\"Failed binding %s listening socket: %s (%i)\""], [5, "\"Failed binding %s listening socket: %s (%i)\""], [5, "\"IPv4\""], [5, "\"IPv4\""], [5, "\"IPv6\""], [5, "\"IPv6\""], [5, "\"Failed creating %s listening socket: %s (%i)\""], [5, "\"Failed creating %s listening socket: %s (%i)\""], [5, "\"IPv4\""], [5, "\"IPv4\""], [5, "\"IPv6\""], [5, "\"IPv6\""], [5, "\"Failed starting %s listening socket: %s (%i)\""], [5, "\"Failed starting %s listening socket: %s (%i)\""], [4, "NSDictionary *_options"], [4, "NSDictionary *_options"], [4, "\"Port\""], [4, "\"Port\""], [4, "\"BindToLocalhost\""], [4, "\"BindToLocalhost\""], [4, "\"MaxPendingConnections\""], [4, "\"MaxPendingConnections\""], [4, "-[GCDWebServer _createListeningSocket:localAddress:length:maxPendingConnections:error:]"], [4, "\"Failed retrieving socket address: %s (%i)\""], [4, "\"Failed retrieving socket address: %s (%i)\""], [4, "-[GCDWebServer _createListeningSocket:localAddress:length:maxPendingConnections:error:]"], [4, "\"ServerName\""], [4, "\"ServerName\""], [4, "NSString *_serverName"], [4, "NSString
Call Stack Analysis
Building Signature for Network Services
The weighted edit distance can increase the distance ratio R of the call stacks for the same
third-party network service library in different apps, but has slightly less influence for different libraries.
Call Stack Analysis
Building Signature for Network Services
We evaluate each string in Token by leveraging the TF/IDF algorithm to obtain the
prominent string, which is used for identifying third-party network service libraries.
TF/IDF
Token Signature
$<$``\%@ started on port \%i and reachable at \%@'', ``GCDWebServer''$>$
Call Stack Analysis
Network Service of iOS Ecosystem
Insight: Network services are prevalent in iOS apps. Over 40.98% apps potentially invoke
system APIs to provide network services. The results show that apps in China are more
inclined to provide network services than those in the United States.
Large scale analysis by using system network service APIs
Insight: Apps in Game category are inclined
to provide network services.
System network services APIs across app categories
Network Service of iOS Ecosystem
Insight: Apps in Game category are inclined
to provide network services.
System network services APIs across app categories
Third-party network services libraries across app categories
Insight: The Game category mainly uses CocoaHTTPServer and Tapjoy-CocoaHTTPServer-Extension libraries may lead to the library misuse.
Network Service of iOS Ecosystem
Association of third-party network service libraries and system network service APIs
Layout of system network service APIs and third-party network service libraries
Third-party network service libraries
System network service APIs
Cocoa Async SocketGCDWebServer
Ionic s Webview
POSIX Layer (BSD sockets)
CFSocketSetAddress res_9_query ...
CocoaHTTPServerPureFTPd
Tapjoy
Systemcode
Network Service of iOS Ecosystem
Vulnerabilities in iOS Apps
Vulnerabilities in iOS Apps
Demo
Summary
Vulnerabilities: 11 in 1,300 seed apps, 92 in 168,951 apps
CVEs: CVE-2019-14924, CVE-2019-14951
• Network service is wildly used in iOS applications. • Vulnerabilities are wildly exist in these network services.
Mitigation:
App developers to use the loopback interface as much as possible to avoid unnecessary use of the LAN interface, and to enforce the deliberately designed access control when using the LAN interface.
To mitigate the attack via public Wi-Fi or cellular networks, we recommend network operators to implement stricter firewall strategies and block unknown connection attempts originating from the same LAN network.
System vendors such as Apple should also apply a host-based firewall.
Thank You
Static analysis tool: https://github.com/pwnzen-mobile/ Dynamic analysis and dataset: https://github.com/SiOS-Submission/SiOS Authentication needed app collection: www.appscan.io
