Location of Repository

PiOS: Detecting Privacy Leaks in iOS Applications

By Manuel Egele, Christopher Kruegel, Engin Kirda and Giovanni Vigna

Abstract

With the introduction of Apple’s iOS and Google’s Android operating systems, the sales of smartphones have exploded. These smartphones have become powerful devices that are basically miniature versions of personal computers. However, the growing popularity and sophistication of smartphones have also increased concerns about the privacy of users who operate these devices. These concerns have been exacerbated by the fact that it has become increasingly easy for users to install and execute third-party applications. To protect its users from malicious applications, Apple has introduced a vetting process. This vetting process should ensure that all applications conform to Apple’s (privacy) rules before they can be offered via the App Store. Unfortunately, this vetting process is not welldocumented, and there have been cases where malicious applications had to be removed from the App Store after user complaints. In this paper, we study the privacy threats that applications, written for Apple’s iOS, pose to users. To this end, we present a novel approach and a tool, PiOS, that allow us to analyze programs for possible leaks of sensitive information from a mobile device to third parties. PiOS uses static analysis to detect data flows in Mach-0 binaries, compiled from Objective-C code. This is a challenging task due to the way in which Objective-C method calls are implemented. We have analyzed more than 1,400 iPhone applications. Our experiments show that, with the exception of a few bad apples, most applications respect personal identifiable information stored on user’s devices. This is even true for applications that are hosted on an unofficial repository (Cydia) and that only run on jailbroken phones. However, we found that more than half of the applications surreptitiously leak the unique ID of the device they are running on. This allows third-parties to create detailed profiles of users’ application preferences and usage patterns.

Year: 2011
OAI identifier: oai:CiteSeerX.psu:10.1.1.185.2622
Provided by: CiteSeerX
Download PDF:
Sorry, we are unable to provide the full text but you may find it at the following location(s):
  • http://citeseerx.ist.psu.edu/v... (external link)
  • http://www.iseclab.org/papers/... (external link)
  • Suggested articles


    To submit an update or takedown request for this paper, please submit an Update/Correction/Removal Request.