Description
Mobile devices are an important part of daily life while collecting and
storing a lot of privacy-related data. Static and dynamic analysis tools
enable detecting privacy violations of sensitive user data, on platforms like
iOS or Android. Understanding data sources and sinks in a mobile application
is an integral part of data flow analysis used by such tools. Most dynamic data
flow analysis tools manually categorize runtime methods before analysis, which
requires a lot of time, and, in the case of private iOS frameworks, introduces
inaccuracies since methods are not publicly available.
To reduce the need for previously categorizing iOS runtime functions, this thesis
presents an approach that shifts the focus to a set of classes whose instances are
integral to privacy-related iOS APIs.
coiFish, the tool presented in this thesis, cycles through observing different methods
to find occurrences of these classes of interest and by doing so dynamically identifies
data sources and sinks in an Objetive-C based iOS application. Additionally, data entering
or leaving an application’s context through sources and sinks is stored, and incoming and
outgoing network requests are logged to potentially match them to observed objects in the app.
Using coiFish, four open source applications were tested and evaluated regarding false
positives and negatives, as well as which tool-specific limitations caused analysis errors.
|