Description
Given the worldwide popularity of the iOS mobile operating system and the nature of the information processed and stored in iOS applications, vulnerable applications are threatening the privacy and security of millions of users and the security analysis of iOS applications becomes more important than ever before. Despite the widespread use of iOS applications, the analysis techniques for iOS applications are rather limited, lacking a generic procedure that allows for the analysis of iOS applications and the tracking down of disclosed vulnerabilities. This analysis is of utmost importance, as we first need to detect the vulnerability in order to be able to provide a patch for solving the security problem and enhance the application's security.
In this thesis, we propose several strategies which allow for a precise reverse engineering of iOS applications, along with the innovative application of the Supergraph concept, a graph-based representation of the binary, that makes it possible to spot vulnerabilities in iOS applications by means of an automatic analysis targeted to search for certain patterns in the Supergraph which represent vulnerabilities.
On this basis, we present a tool which has been developed in the scope of this thesis, in order to provide a generic framework comprising different analysis techniques and thus being able to detect diverse types of vulnerabilities. In particular, we will discuss techniques which extract information directly from the binaries in order to provide the necessary means for the reconstruction of the class hierarchy, the control flow and the data flow. Furthermore, we will demonstrate how the binary is finally represented by the Supergraph, and how certain patterns can hint to the presence of vulnerabilities.
The evaluation of the developed tool has shown, that it is capable of detecting vulnerabilities in iOS applications, as for instance, a specific type of vulnerability caused when using JavaScript to Objective-C Bridges. This type of vulnerability consists in processing attacker-controlled input without sanitizing, which can lead to remote code execution and thus makes it necessary to perform a data flow analysis to track the attacker-controlled input, in order to determine, if the application contains this vulnerability or not.
|
Thesis topic in co-operation with the Fraunhofer Institute for Applied and Integrated Security AISEC, Garching