Automated Binary Analysis on iOS - A Case Study on Cryptographic Misuse in iOS Applications

Johannes Feichtner; David Missmann; Raphael Spreitzer

doi:10.1145/3212480.3212487

Automated Binary Analysis on iOS - A Case Study on Cryptographic Misuse in iOS Applications

Johannes Feichtner, David Missmann, Raphael Spreitzer

Research output: Chapter in Book/Report/Conference proceeding › Conference paper › peer-review

Abstract

A wide range of mobile applications for Apple's iOS platform process sensitive data and, therefore, rely on protective mechanisms natively provided by the operating system. A wrong application of cryptography or security-critical APIs, however, exposes secrets to unrelated parties and undermines the overall security.

We introduce an approach for uncovering cryptographic misuse in iOS applications. We present a way to decompile 64-bit ARM binaries to their LLVM intermediate representation (IR). Based on the reverse-engineered code, static program slicing is applied to determine the data flow in relevant code segments. For this analysis to be most accurate, we propose an adapted version of Andersen's pointer analysis, capable of handling decompiled LLVM IR code with type information recovered from the binary. To finally highlight the improper usage of cryptographic APIs, a set of predefined security rules is checked against the extracted execution paths. As a result, we are not only able to confirm the existence of problematic statements in iOS applications but can also pinpoint their origin.

To evaluate the applicability of our solution and to disclose possible weaknesses, we conducted a manual and automated inspection on a set of iOS applications that include cryptographic functionality. We found that 343 out of 417 applications (82%) are subject to at least one security misconception. Among the most common flaws are the usage of non-random initialization vectors and constant encryption keys as input to cryptographic primitives.

Original language	English
Title of host publication	Proceedings of the 11th ACM Conference on Security & Privacy in Wireless and Mobile Networks
Place of Publication	New York
Publisher	Association of Computing Machinery
Pages	236-247
Number of pages	12
ISBN (Print)	978-1-4503-5731-9
DOIs	https://doi.org/10.1145/3212480.3212487
Publication status	Published - 2018
Event	ACM Conference on Security and Privacy in Wireless and Mobile Networks - Stockholm, Sweden Duration: 18 Jun 2018 → 20 Jun 2018 https://wisec18.conf.kth.se/

Conference

Conference	ACM Conference on Security and Privacy in Wireless and Mobile Networks
Abbreviated title	WiSec
Country/Territory	Sweden
City	Stockholm
Period	18/06/18 → 20/06/18
Internet address	https://wisec18.conf.kth.se/

Keywords

iOS
Reverse Engineering
Program Analysis
Cryptographic Misuse

Access to Document

10.1145/3212480.3212487

wisec-p15Final published version, 746 KB

A-SIT - Secure Information Technology Center Austria
Stranacher, K., Dominikus, S., Leitold, H., Marsalek, A., Teufl, P., Bauer, W., Aigner, M. J., Rössler, T., Neuherz, E., Dietrich, K., Zefferer, T., Mangard, S., Payer, U., Orthacker, C., Lipp, P., Reiter, A., Knall, T., Bratko, H., Bonato, M., Suzic, B., Zwattendorfer, B., Kreuzhuber, S., Oswald, M. E., Tauber, A., Posch, R., Bratko, D., Feichtner, J., Ivkovic, M., Reimair, F., Wolkerstorfer, J. & Scheibelhofer, K.
21/05/99 → 6/08/20
Project: Research area

Best Paper Award
Feichtner, Johannes (Recipient), 20 Jun 2018
Prize: Prizes / Medals / Awards

Cite this

Automated Binary Analysis on iOS - A Case Study on Cryptographic Misuse in iOS Applications. / Feichtner, Johannes; Missmann, David; Spreitzer, Raphael.
Proceedings of the 11th ACM Conference on Security & Privacy in Wireless and Mobile Networks. New York: Association of Computing Machinery, 2018. p. 236-247.

Research output: Chapter in Book/Report/Conference proceeding › Conference paper › peer-review

Feichtner, J, Missmann, D & Spreitzer, R 2018, Automated Binary Analysis on iOS - A Case Study on Cryptographic Misuse in iOS Applications. in Proceedings of the 11th ACM Conference on Security & Privacy in Wireless and Mobile Networks. Association of Computing Machinery, New York, pp. 236-247, ACM Conference on Security and Privacy in Wireless and Mobile Networks, Stockholm, Sweden, 18/06/18. https://doi.org/10.1145/3212480.3212487

@inproceedings{535ac769b6c442669f07d71b62bbb65b,

title = "Automated Binary Analysis on iOS - A Case Study on Cryptographic Misuse in iOS Applications",

abstract = "A wide range of mobile applications for Apple's iOS platform process sensitive data and, therefore, rely on protective mechanisms natively provided by the operating system. A wrong application of cryptography or security-critical APIs, however, exposes secrets to unrelated parties and undermines the overall security.We introduce an approach for uncovering cryptographic misuse in iOS applications. We present a way to decompile 64-bit ARM binaries to their LLVM intermediate representation (IR). Based on the reverse-engineered code, static program slicing is applied to determine the data flow in relevant code segments. For this analysis to be most accurate, we propose an adapted version of Andersen's pointer analysis, capable of handling decompiled LLVM IR code with type information recovered from the binary. To finally highlight the improper usage of cryptographic APIs, a set of predefined security rules is checked against the extracted execution paths. As a result, we are not only able to confirm the existence of problematic statements in iOS applications but can also pinpoint their origin.To evaluate the applicability of our solution and to disclose possible weaknesses, we conducted a manual and automated inspection on a set of iOS applications that include cryptographic functionality. We found that 343 out of 417 applications (82%) are subject to at least one security misconception. Among the most common flaws are the usage of non-random initialization vectors and constant encryption keys as input to cryptographic primitives.",

keywords = "iOS, Reverse Engineering, Program Analysis, Cryptographic Misuse",

author = "Johannes Feichtner and David Missmann and Raphael Spreitzer",

year = "2018",

doi = "10.1145/3212480.3212487",

language = "English",

isbn = "978-1-4503-5731-9",

pages = "236--247",

booktitle = "Proceedings of the 11th ACM Conference on Security & Privacy in Wireless and Mobile Networks",

publisher = "Association of Computing Machinery",

address = "United States",

note = "ACM Conference on Security and Privacy in Wireless and Mobile Networks, WiSec ; Conference date: 18-06-2018 Through 20-06-2018",

url = "https://wisec18.conf.kth.se/",

}

TY - GEN

T1 - Automated Binary Analysis on iOS - A Case Study on Cryptographic Misuse in iOS Applications

AU - Feichtner, Johannes

AU - Missmann, David

AU - Spreitzer, Raphael

PY - 2018

Y1 - 2018

N2 - A wide range of mobile applications for Apple's iOS platform process sensitive data and, therefore, rely on protective mechanisms natively provided by the operating system. A wrong application of cryptography or security-critical APIs, however, exposes secrets to unrelated parties and undermines the overall security.We introduce an approach for uncovering cryptographic misuse in iOS applications. We present a way to decompile 64-bit ARM binaries to their LLVM intermediate representation (IR). Based on the reverse-engineered code, static program slicing is applied to determine the data flow in relevant code segments. For this analysis to be most accurate, we propose an adapted version of Andersen's pointer analysis, capable of handling decompiled LLVM IR code with type information recovered from the binary. To finally highlight the improper usage of cryptographic APIs, a set of predefined security rules is checked against the extracted execution paths. As a result, we are not only able to confirm the existence of problematic statements in iOS applications but can also pinpoint their origin.To evaluate the applicability of our solution and to disclose possible weaknesses, we conducted a manual and automated inspection on a set of iOS applications that include cryptographic functionality. We found that 343 out of 417 applications (82%) are subject to at least one security misconception. Among the most common flaws are the usage of non-random initialization vectors and constant encryption keys as input to cryptographic primitives.

AB - A wide range of mobile applications for Apple's iOS platform process sensitive data and, therefore, rely on protective mechanisms natively provided by the operating system. A wrong application of cryptography or security-critical APIs, however, exposes secrets to unrelated parties and undermines the overall security.We introduce an approach for uncovering cryptographic misuse in iOS applications. We present a way to decompile 64-bit ARM binaries to their LLVM intermediate representation (IR). Based on the reverse-engineered code, static program slicing is applied to determine the data flow in relevant code segments. For this analysis to be most accurate, we propose an adapted version of Andersen's pointer analysis, capable of handling decompiled LLVM IR code with type information recovered from the binary. To finally highlight the improper usage of cryptographic APIs, a set of predefined security rules is checked against the extracted execution paths. As a result, we are not only able to confirm the existence of problematic statements in iOS applications but can also pinpoint their origin.To evaluate the applicability of our solution and to disclose possible weaknesses, we conducted a manual and automated inspection on a set of iOS applications that include cryptographic functionality. We found that 343 out of 417 applications (82%) are subject to at least one security misconception. Among the most common flaws are the usage of non-random initialization vectors and constant encryption keys as input to cryptographic primitives.

KW - iOS

KW - Reverse Engineering

KW - Program Analysis

KW - Cryptographic Misuse

U2 - 10.1145/3212480.3212487

DO - 10.1145/3212480.3212487

M3 - Conference paper

SN - 978-1-4503-5731-9

SP - 236

EP - 247

BT - Proceedings of the 11th ACM Conference on Security & Privacy in Wireless and Mobile Networks

PB - Association of Computing Machinery

CY - New York

T2 - ACM Conference on Security and Privacy in Wireless and Mobile Networks

Y2 - 18 June 2018 through 20 June 2018

ER -

Automated Binary Analysis on iOS - A Case Study on Cryptographic Misuse in iOS Applications

Abstract

Conference

Keywords

Access to Document

Fingerprint

Projects

A-SIT - Secure Information Technology Center Austria

Prizes

Best Paper Award

Cite this