A Markov adversary model to detect vulnerable iOS devices and vulnerabilities in iOS apps

Applied Mathematics and Computation

Volumn 293, Issue , 2017, Pages 523-544

  D'Orazio, Christian J ^a   Lu, Rongxing ^b   Choo, Kim Kwang Raymond ^a,c,d   Vasilakos, Athanasios V ^e  

^a UNIVERSITY OF SOUTH AUSTRALIA   (Australia)

^b UNIVERSITY OF NEW BRUNSWICK   (Canada)

^c UNIVERSITY OF TEXAS AT SAN ANTONIO   (United States)

^d CHINA UNIVERSITY OF GEOSCIENCES   (China)

^e LULEÅ UNIVERSITY OF TECHNOLOGY   (Sweden)

Author keywords

iOS device vulnerability; Mobile device vulnerability; Mobile security and privacy; Mobile threats; Vulnerability discovery; Vulnerability exploitation

Indexed keywords

COPYRIGHTS; DIGITAL DEVICES; HEALTH INSURANCE; IOS (OPERATING SYSTEM); MOBILE DEVICES; RISK ASSESSMENT;

IOS DEVICES; MOBILE THREATS; SECURITY AND PRIVACY; VULNERABILITY DISCOVERY; VULNERABILITY EXPLOITATION;

MOBILE SECURITY;

EID: 84986550725     PISSN: 00963003     EISSN: None     Source Type: Journal    
DOI: 10.1016/j.amc.2016.08.051     Document Type: Article

References (68)

1. [1] Johnson, K., Jardine, K., SANS institute. Mob. Appl. Secur. Surv., 2013 viewed 17th July 2105 http://www.sans.org/reading-room/whitepapers/analyst/2013-mobile-application-security-survey-35080.
2. [2] ARXAN (2013), Threats to Mobile Apps in the Wild. https://www.arxan.com/wp-content/uploads/2015/01/Threats_to_Mobile_Apps_in_the_Wild_v0.3.pdf (accessed 17.07.15).
3. [3] Zdziarski, J., Identifying back doors, attack points, and surveillance mechanisms in iOS devices. Digit. Investig. 11:1 (2014), 3–19.
4. [4] HP (2013), HP Research Reveals Nine out of 10 Mobile Applications Vulnerable to Attack, http://www8.hp.com/us/en/hp-news/press-release.html?id=1528865 (accessed 17.07.15).
5. [5] Apple (2015), iOS Security, https://www.apple.com/business/docs/iOS_Security_Guide.pdf (accessed 17.07.15).
6. [6] Apple (2006), Apple CommonCryptor Open Source, http://www.opensource.apple.com/source/CommonCrypto/CommonCrypto-36064/CommonCrypto/CommonCryptor.h (accessed 17.07.15).
7. [7] Apple (2007), CCCrypt Mac Developer Library Reference, https://developer.apple.com/library/ios/documentation/System/Conceptual/ManPages_iPhoneOS/man3/CCCrypt.3cc.html (accessed 17.07.15).
8. [8] Apple (2007), CCHmac Mac Developer Library Reference, https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man3/CCHmac.3cc.html (accessed 17.07.15).
9. [9] Apple (2012), CFString CoreFoundation Framework Reference, https://developer.apple.com/library/mac/documentation/CoreFoundation/Reference/CFStringRef/Reference/reference.html (accessed 17.07.15).
10. [10] OpenSSL Security Advisory (2014), TLS heartbeat read overrun (CVE-2014-0160), http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160 (accessed 17.07.15).
11. [11] J. Walton and J. Steven, OWASP (2014), Certificate and Public Key Pinning, https://www.owasp.org/index.php/Certificate_and_Public_Key_Pinning (accessed 17.07.15).
12. [12] A. Greenberg, Forbes (2013), Evasi0n Is The Most Popular Jailbreak Ever, http://www.forbes.com/sites/andygreenberg/2013/02/08/evasi0n-is-the-most-popular-jailbreak-ever-nearly-seven-million-ios-devices-hacked-in-four-days/ (accessed 17.07.15).
13. [13] J. Svanberg, B. Insight (2013), The Mobile Application Market, http://www.berginsight.com/ReportPDF/ProductSheet/bi-app1-ps.pdf (accessed 17.07.15).
14. [14] Marble Security (2014), Marble Labs Mobile threat Report, http://www.marblesecurity.com/wp-content/uploads/2015/06/MS_App-Threat-Report_June-2014.pdf (accessed 17.07.15).
15. [15] Stach, C., Mitschang, B., Privacy management for mobile platforms – A review of concepts and approaches. Proceedings of Fourteenth IEEE International Conference on Mobile Data Management, 2013, 305–313.
16. [16] Wang, T., Lu, K., Lu, L., Chang, S., Lee, W., Jekyll on iOS: When benign apps become evil. Proceedings of Twenty-second USENIX Conference on Security, 2013, 559–572.
17. [17] E. Rescorla, M. Ray, S. Dispensa, and N. Oskov (2010), Transport Layer Security (TLS) Renegotiation Indication Extension, http://tools.ietf.org/html/rfc5746 RFC 5746, (accessed 17.07.15).
18. [18] Apple Insider (2014), Hackers use ‘Find My iPhone’ to lockout, ransom Mac and iOS device owners in Australia, http://appleinsider.com/articles/14/05/27/hackers-break-into-lock-macs-and-ios-devices-for-ransom-in-australia (accessed 17.07.15).
19. [19] Appthority (2014), Mobile App Reputation Report,
20. [20] La Polla, M., Martinelli, F., Sgandurra, D., A survey on security for mobile devices. IEEE Commun. Surv. Tutor. 15:1 (2013), 446–471.
21. [21] Georgiev, M., Iyengar, S., Jana, S., Anubhai, R., Boneh, D., Shmatikov, V., The most dangerous code in the world: Validating SSL certificates in non-browser software. Proceedings of 2012 ACM conference on Computer and Communications Security, 2012, 38–49.
22. [22] Choo, K-K.R., Secure key establishment. Advances in Information Security, 41, 2009, Springer.
23. [23] Dolev, D., Yao, A., On the security of public key protocols. IEEE Trans. Inf. Theory 29:2 (1983), 198–208.
24. [24] Choo, K-K.R., Refuting security proofs for tripartite key exchange with model checker in planning problem setting. Proceedings of the 2006 IEEE Computer Security Foundations Workshop (CSFW), 2006, 297–308.
25. [25] Imgraben, J., Engelbrecht, A., Choo, K-K.R., Always connected, but are smart mobile users getting more security savvy? A survey of smart mobile device users. Behav. Inf. Technol. 33:12 (2014), 1347–1360.
26. [26] Miller, C., Blazakis, D., DaiZovi, D., Esser, S., Iozzo, V., Weinmann, R.P., iOS Hacker's Handbook. first ed., 2012, Wiley Publishing.
27. [27] iMAS, iOS Mobile Application Security, http://project-imas.github.io/ (accessed 17.07.15).
28. [28] Denim Groups (2011), Secure mobile application development reference, http://www.denimgroup.com/media/pdfs/MobileDevReference.pdf (accessed 17.07.15).
29. [29] viaForensics (2012), Best practices for secure mobile development, https://viaforensics.com/resources/reports/best-practices-ios-android-secure-mobile-development/ (accessed 17.07.15).
30. [30] ENISA (2011), Smartphone secure development guidelines for app developers, http://www.enisa.europa.eu/activities/Resilience-and-CIIP/critical-applications/smartphone-security-1/smartphone-secure-development-guidelines/at_download/fullReport (accessed 17.07.15).
31. [31] A. Apvrille (2014), Inside the iOS/Adthief Malware, https://www.virusbtn.com/pdf/magazine/2014/vb201408-AdThief.pdf (accessed 17.07.15).
32. [32] Kaspersky Lab (2013), Anti-phishing Technology, http://docs.apwg.org/sponsors_technical_papers/Kaspersky_Lab_Whitepaper_Anti-Phishing_eng_final.pdf (accessed 17.07.15).
33. [33] APWG (2013), Mobile Threats and the Underground Marketplace, http://docs.apwg.org/reports/mobile/apwg_mobile_fraud_report_april_2013.pdf (accessed 17.07.15).
34. [34] Choo, K-K.R., New payment methods: A review of 2010–2012 FATF mutual evaluation reports. Comput. Secur. 36 (2013), 12–26.
35. [35] Dye, S.M., Scarfone, K., A standard for developing secure mobile applications. Comput. Stand. Interfaces 36:3 (2014), 524–530.
36. [36] NIST (2013), Guidelines for Managing the Security of Mobile Devices in the Enterprise, http://dx.doi.org/10.6028/NIST.SP.800-124r1 (accessed 17.07.15).
37. [37] NIST (2014), Technical Considerations for Vetting 3rd Party Mobile (Draft), http://csrc.nist.gov/publications/drafts/800-163/sp800_163_draft.pdf (accessed 17.07.15).
38. [38] Li, Y., Zhang, Y., Li, J., Gu, D., iCryptoTracer: Dynamic Analysis on Misuse of Cryptography Functions in iOS Applications. Proceedings of the Eighth International Conference on Network and System Security – NSS 2014, 8792, 2014, Springer-Verlag, Xi'an, China, 349–362 15–17 October.
39. [39] Yu, F., Huang, S., Chiou, L., Tsaih, R., Clustering iOS executable using self-organizing maps. Proceedings of the 2013 International Joint Conference on Neural Networks (IJCNN), 2013, 1–8.
40. [40] Zhongyang, Y., Xin, Z., Mao, B., Xie, L., DroidAlarm: An all-sided static analysis tool for Android privilege-escalation malware. Proceedings of the Eighth ACM SIGSAC Symposium on Information, Computer and Communications Security, 2013, 353–358.
41. [41] Seo, S., Gupta, A., Sallam, AM., Bertino, E., Yim, K., Detecting mobile malware threats to homeland security through static analysis. J. Netw. Comput. Appl. 38 (2014), 43–53.
42. [42] Yeh, C., Lu, H., Chen, C., Khor, K., Huang, S., CRAXDroid: Automatic android system testing by selective symbolic execution. Proceedings of the 2014 IEEE International Conference on Software Security and Reliability-Companion (SERE-C), 2014, 140–148.
43. [43] A. Sánchez (2014), Personal banking apps leak info through phone,(accessed 17.07.15). http://blog.ioactive.com/2014/01/personal-banking-apps-leak-info-through.html?m=1.
44. [44] Spaulding, J., Krauss, A., Srinivasan, A., Exploring an open WiFi detection vulnerability as a malware attack vector on iOS devices. Proceedings of the 2012 International Conference on Malicious and Unwanted Software (MALWARE), 2012, 87–93.
45. [45] OWASP (2015), Zed Attack Proxy Project, (accessed 17.07.15). https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project.
46. [46] Park, M.W., Choi, Y.H., Eom, J.H., Chung, T.M., Dangerous Wi-Fi access point: attacks to benign smartphone applications. Pers. Ubiquitous Comput. 18:6 (2014), 1373–1386 accessed 17.07.15) doi: http://dx.doi.org/10.1007/s00779-013-0739-y >.
47. [47] Yang, Z., Yang, M., Zhang, Y., Gu, G., Ning, P., Wang, X.S., AppIntent: Analyzing sensitive data transmission in android for privacy leakage detection. Proceedings of the ACM SIGSAC Conference on Computer and Communications Security, 2013, 1043–1054.
48. [48] Salerno, S., Sanzgiri, A., Upadhyaya, S., Exploration of Attacks on Current Generation Smartphones. Proceedings of the International Conference on Ambient Systems, Networks and Technologies (ANT-2011)/International Conference on Mobile Web Information Systems, 5, 2011, 546–553.
49. [49] Xing, L., Pan, X., Wang, R., Wang, K.X., Upgrading your android, elevating my malware: Privilege escalation through mobile OS updating. Proceedings of the 2014 IEEE Symposium on Security and Privacy, 2014, 393–408.
50. [50] NIST (2014), Samsung ‘Find My Mobile Flaw’ (vulnerability ID:CVE-2014-8346), (accessed 17.07.15), http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8346.
51. [51] Ham, Y.J., Lee, H.W., Lim, J.D., Kim, J.N., DroidVulMon – Android based mobile device vulnerability analysis and monitoring system. Proceedings of the 2013 International Conference on Next Generation Mobile Apps, Services and Technologies (NGMAST), 2013, 26–31.
52. [52] Quirolgico, S., Voas, J., Kuhn, R., Vetting mobile apps. IT Prof. 13:4 (2011), 9–11 accessed 17.07.15).
53. [53] OWASP (2014), Projects/OWASP Mobile Security Project – Top Ten Mobile Risks, (accessed 17.07.15) https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risks.
54. [54] Bellare, M., Pointcheval, D., Rogaway, P., Authenticated key exchange secure against dictionary attacks. Proceedings of the 2000 EUROCRYPT, 2000, Springer–Verlag, 139–155 vol. 1807/2000 of LNCS.
55. [55] Bellare, M., Rogaway, P., Entity authentication and key distribution. Proceedings of the 1993 Advances in Cryptology, 773, 1993, Springer–Verlag, 232–249.
56. [56] A. Langley (2015), Maintaining digital certificate security, (accessed 17.07.15) http://googleonlinesecurity.blogspot.com.au/2015/03/maintaining-digital-certificate-security.html.
57. [57] Do, Q., Martini, B., Choo, K-K.R., Exfiltrating data from Android devices. Comput. Secur. 48 (2015), 74–91.
58. [58] D'Orazio, C., Choo, K-K.R., An adversary model to evaluate DRM protection of video contents on iOS devices. Comput. Secur. 56 (2016), 94–110.
59. [59] Beuhring, A., Salous, K., Beyond blacklisting: Cyberdefense in the era of advanced persistent threats. IEEE Secur. Priv. 12:5 (2014), 90–93.
60. [60] G. O'Gorman and G. McDonald, Symantec (2012), Ransomware: A Growing Menace, viewed 17th July 2015, http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/ransomware-a-growing-menace.pdf.
61. [61] ZDnet (2016), Apple iPhone, iPad iOS 9 security flaw lets malicious apps sneak onto enterprise devices, (accessed 14.06.16). http://www.zdnet.com/article/apple-iphone-ipad-ios-9-security-flaw-lets-malicious-apps-sneak-onto-enterprise-devices/.
62. [62] Apple (2015), How to Delete an App that has a Configuration Profile on your iPhone, iPad, or iPod Touch, (accessed 14.06.16). https://support.apple.com/en-au/HT205347.
63. [63] Deng, Z., Saltaformaggio, B., Zhang, X., Xu, D., iRiS: Vetting private API abuse in iOS applications. Proceedings of the Twenty-second ACM SIGSAC Conference on Computer and Communications Security, 2015, 44–56.
64. [64] Do, Q., Martini, B., Choo, K-K.R., A forensically sound adversary model for mobile devices. PLOS ONE, 10(9), 2015, e0138449.
65. [65] Do, Q., Martini, B., Choo, K-K.R., A data exfiltration and remote exploitation attack on consumer 3D printers. IEEE Trans. Inf. Forensics Secure. 11:10 (2016), 2174–2186 http://dx.doi.org/10.1109/TIFS.2016.2578285.
66. [66] Do, Q., Martini, B., Choo, K-K.R., “Is the data on your wearable device secure? An Android Wear smartwatch case study”. Softw. Pract. Exp., 2016 http://dx.doi.org/10.1002/spe.2414.
67. [67] Azfar, A., Choo, K-K.R., Liu, L., An android social app forensics adversary model. Proceedings of Forty-ninth Annual Hawaii International Conference on System Sciences (HICSS 2016), 2016, 5597–5606.
68. [68] D'Orazio, C., Choo, K-K.R., A generic process to identify vulnerabilities and design weaknesses in iOS healthcare apps. Proceedings of Forty-eighth Annual Hawaii International Conference on System Sciences (HICSS 2015), 2015, 5175–5184.