Visible to the public Biblio

Filters: Keyword is ios  [Clear All Filters]
2020-07-30
He, Yongzhong, Zhao, Xiaojuan, Wang, Chao.  2019.  Privacy Mining of Large-scale Mobile Usage Data. 2019 IEEE International Conference on Power, Intelligent Computing and Systems (ICPICS). :81—86.
While enjoying the convenience brought by mobile phones, users have been exposed to high risk of private information leakage. It is known that many applications on mobile devices read private data and send them to remote servers. However how, when and in what scale the private data are leaked are not investigated systematically in the real-world scenario. In this paper, a framework is proposed to analyze the usage data from mobile devices and the traffic data from the mobile network and make a comprehensive privacy leakage detection and privacy inference mining on a large scale of realworld mobile data. Firstly, this paper sets up a training dataset and trains a privacy detection model on mobile traffic data. Then classical machine learning tools are used to discover private usage patterns. Based on our experiments and data analysis, it is found that i) a large number of private information is transmitted in plaintext, and even passwords are transmitted in plaintext by some applications, ii) more privacy types are leaked in Android than iOS, while GPS location is the most leaked privacy in both Android and iOS system, iii) the usage pattern is related to mobile device price. Through our experiments and analysis, it can be concluded that mobile privacy leakage is pervasive and serious.
Liu, Junqiu, Wang, Fei, Zhao, Shuang, Wang, Xin, Chen, Shuhui.  2019.  iMonitor, An APP-Level Traffic Monitoring and Labeling System for iOS Devices. 2019 IEEE International Conference on Computational Science and Engineering (CSE) and IEEE International Conference on Embedded and Ubiquitous Computing (EUC). :211—218.
In this paper, we propose the first traffic monitoring and labeling system for iOS devices, named iMonitor, which not just captures mobile network traffic in .pcap files, but also provides comprehensive APP-related and user-related information of captured packets. Through further analysis, one can obtain the exact APP or device where each packet comes from. The labeled traffic can be used in many research areas for mobile security, such as privacy leakage detection and user profiling. Given the implementation methodology of NetworkExtension framework of iOS 9+, APP labels of iMonitor are reliable enough so that labeled traffic can be regarded as training data for any traffic classification methods. Evaluations on real iPhones demonstrate that iMonitor has no notable impact upon user experience even with slight packet latency. Also, the experiment result supports our motivation that mobile traffic monitoring for iOS is absolutely necessary, as traffic generated by different OSes like Android and iOS are different and unreplaceable in researches.
Kellner, Ansgar, Horlboge, Micha, Rieck, Konrad, Wressnegger, Christian.  2019.  False Sense of Security: A Study on the Effectivity of Jailbreak Detection in Banking Apps. 2019 IEEE European Symposium on Security and Privacy (EuroS P). :1—14.
People increasingly rely on mobile devices for banking transactions or two-factor authentication (2FA) and thus trust in the security provided by the underlying operating system. Simultaneously, jailbreaks gain tremendous popularity among regular users for customizing their devices. In this paper, we show that both do not go well together: Jailbreaks remove vital security mechanisms, which are necessary to ensure a trusted environment that allows to protect sensitive data, such as login credentials and transaction numbers (TANs). We find that all but one banking app, available in the iOS App Store, can be fully compromised by trivial means without reverse-engineering, manipulating the app, or other sophisticated attacks. Even worse, 44% of the banking apps do not even try to detect jailbreaks, revealing the prevalent, errant trust in the operating system's security. This study assesses the current state of security of banking apps and pleads for more advanced defensive measures for protecting user data.
2020-07-27
Dangiwa, Bello Ahmed, Kumar, Smitha S.  2018.  A Business Card Reader Application for iOS devices based on Tesseract. 2018 International Conference on Signal Processing and Information Security (ICSPIS). :1–4.
As the accessibility of high-resolution smartphone camera has increased and an improved computational speed, it is now convenient to build Business Card Readers on mobile phones. The project aims to design and develop a Business Card Reader (BCR) Application for iOS devices, using an open-source OCR Engine - Tesseract. The system accuracy was tested and evaluated using a dataset of 55 digital business cards obtained from an online repository. The accuracy result of the system was up to 74% in terms of both text recognition and data detection. A comparative analysis was carried out against a commercial business card reader application and our application performed vastly reasonable.
Sudozai, M. A. K., Saleem, Shahzad.  2018.  Profiling of secure chat and calling apps from encrypted traffic. 2018 15th International Bhurban Conference on Applied Sciences and Technology (IBCAST). :502–508.
Increased use of secure chat and voice/ video apps has transformed the social life. While the benefits and facilitations are seemingly limitless, so are the asscoiacted vulnerabilities and threats. Besides ensuring confidentiality requirements for common users, known facts of non-readable contents over the network make these apps more attractive for criminals. Though access to contents of cryptograhically secure sessions is not possible, network forensics of secure apps can provide interesting information which can be of great help during criminal invetigations. In this paper, we presented a novel framework of profiling the secure chat and voice/ video calling apps which can be employed to extract hidden patterns about the app, information of involved parties, activities of chatting, voice/ video calls, status indications and notifications while having no information of communication protocol of the app and its security architecture. Signatures of any secure app can be developed though our framework and can become base of a large scale solution. Our methodology is considered very important for different cases of criminal investigations and bussiness intelligence solutions for service provider networks. Our results are applicable to any mobile platform of iOS, android and windows.
Pandey, Ashutosh, Khan, Rijwan, Srivastava, Akhilesh Kumar.  2018.  Challenges in Automation of Test Cases for Mobile Payment Apps. 2018 4th International Conference on Computational Intelligence Communication Technology (CICT). :1–4.
Software Engineering is a field of new challenges every day. With every passing day, new technologies emerge. There was an era of web Applications, but the time has changed and most of the web Applications are available as Mobile Applications as well. The Mobile Applications are either android based or iOS based. To deliver error free, secure and reliable Application, it is necessary to test the Applications properly. Software testing is a phase of software development life cycle, where we test an Application in all aspects. Nowadays different type of tools are available for testing an Application automatically but still we have too many challenges for applying test cases on a given Application. In this paper the authors will discuss the challenges of automation of test cases for a Mobile based payment Application.
Galuppo, Raúl Ignacio, Luna, Carlos, Betarte, Gustavo.  2018.  Security in iOS and Android: A Comparative Analysis. 2018 37th International Conference of the Chilean Computer Science Society (SCCC). :1–8.
This paper presents a detailed analysis of some relevant security features of iOS and Android -the two most popular operating systems for mobile devices- from the perspective of user privacy. In particular, permissions that can be modified at run time on these platforms are analyzed. Additionally, a framework is introduced for permission analysis, a hybrid mobile application that can run on both iOS and Android. The framework, which can be extended, places special emphasis on the relationship between the user's privacy and the permission system.
Dar, Muneer Ahmad, Nisar Bukhari, Syed, Khan, Ummer Iqbal.  2018.  Evaluation of Security and Privacy of Smartphone Users. 2018 Fourth International Conference on Advances in Electrical, Electronics, Information, Communication and Bio-Informatics (AEEICB). :1–4.
The growing use of smart phones has also given opportunity to the intruders to create malicious apps thereby the security and privacy concerns of a novice user has also grown. This research focuses on the privacy concerns of a user who unknowingly installs a malicious apps created by the programmer. In this paper we created an attack scenario and created an app capable of compromising the privacy of the users. After accepting all the permissions by the user while installing the app, the app allows us to track the live location of the Android device and continuously sends the GPS coordinates to the server. This spying app is also capable of sending the call log details of the user. This paper evaluates two leading smart phone operating systems- Android and IOS to find out the flexibility provided by the two operating systems to their programmers to create the malicious apps.
2020-02-10
Marin, M\u ad\u alina Angelica, Carabas, Costin, Deaconescu, R\u azvan, T\u apus, Nicolae.  2019.  Proactive Secure Coding for iOS Applications. 2019 18th RoEduNet Conference: Networking in Education and Research (RoEduNet). :1–5.

In this paper we propose a solution to support iOS developers in creating better applications, to use static analysis to investigate source code and detect secure coding issues while simultaneously pointing out good practices and/or secure APIs they should use.

2019-09-05
Deshotels, Luke, Deaconescu, Razvan, Carabas, Costin, Manda, Iulia, Enck, William, Chiroiu, Mihai, Li, Ninghui, Sadeghi, Ahmad-Reza.  2018.  iOracle: Automated Evaluation of Access Control Policies in iOS. Proceedings of the 2018 on Asia Conference on Computer and Communications Security. :117-131.

Modern operating systems, such as iOS, use multiple access control policies to define an overall protection system. However, the complexity of these policies and their interactions can hide policy flaws that compromise the security of the protection system. We propose iOracle, a framework that logically models the iOS protection system such that queries can be made to automatically detect policy flaws. iOracle models policies and runtime context extracted from iOS firmware images, developer resources, and jailbroken devices, and iOracle significantly reduces the complexity of queries by modeling policy semantics. We evaluate iOracle by using it to successfully triage executables likely to have policy flaws and comparing our results to the executables exploited in four recent jailbreaks. When applied to iOS 10, iOracle identifies previously unknown policy flaws that allow attackers to modify or bypass access control policies. For compromised system processes, consequences of these policy flaws include sandbox escapes (with respect to read/write file access) and changing the ownership of arbitrary files. By automating the evaluation of iOS access control policies, iOracle provides a practical approach to hardening iOS security by identifying policy flaws before they are exploited.

2019-01-16
Horton, M., Samanta, B., Reid, C., Chen, L., Kadlec, C..  2018.  Development of a Secure, Heterogeneous Cloud Robotics Infrastructure: Implementing a Mesh VPN and Robotic File System Security Practices. SoutheastCon 2018. :1–8.

Robotics and the Internet of Things (IoT) are enveloping our society at an exponential rate due to lessening costs and better availability of hardware and software. Additionally, Cloud Robotics and Robot Operating System (ROS) can offset onboard processing power. However, strong and fundamental security practices have not been applied to fully protect these systems., partially negating the benefits of IoT. Researchers are therefore tasked with finding ways of securing communications and systems. Since security and convenience are oftentimes at odds, securing many heterogeneous components without compromising performance can be daunting. Protecting systems from attacks and ensuring that connections and instructions are from approved devices, all while maintaining the performance is imperative. This paper focuses on the development of security best practices and a mesh framework with an open-source, multipoint-to-multipoint virtual private network (VPN) that can tie Linux, Windows, IOS., and Android devices into one secure fabric, with heterogeneous mobile robotic platforms running ROSPY in a secure cloud robotics infrastructure.

2018-02-28
Wilson, Rodney, Chi, Hongmei.  2017.  A Case Study for Mobile Device Forensics Tools. Proceedings of the SouthEast Conference. :154–157.
Smartphones have become a prominent part of our technology driven world. When it comes to uncovering, analyzing and submitting evidence in today's criminal investigations, mobile phones play a more critical role. Thus, there is a strong need for software tools that can help investigators in the digital forensics field effectively analyze smart phone data to solve crimes. This paper will accentuate how digital forensic tools assist investigators in getting data acquisition, particularly messages, from applications on iOS smartphones. In addition, we will lay out the framework how to build a tool for verifying data integrity for any digital forensics tool.
Krupp, B., Sridhar, N., Zhao, W..  2017.  SPE: Security and Privacy Enhancement Framework for Mobile Devices. IEEE Transactions on Dependable and Secure Computing. 14:433–446.

In this paper, we present a security and privacy enhancement (SPE) framework for unmodified mobile operating systems. SPE introduces a new layer between the application and the operating system and does not require a device be jailbroken or utilize a custom operating system. We utilize an existing ontology designed for enforcing security and privacy policies on mobile devices to build a policy that is customizable. Based on this policy, SPE provides enhancements to native controls that currently exist on the platform for privacy and security sensitive components. SPE allows access to these components in a way that allows the framework to ensure the application is truthful in its declared intent and ensure that the user's policy is enforced. In our evaluation we verify the correctness of the framework and the computing impact on the device. Additionally, we discovered security and privacy issues in several open source applications by utilizing the SPE Framework. From our findings, if SPE is adopted by mobile operating systems producers, it would provide consumers and businesses the additional privacy and security controls they demand and allow users to be more aware of security and privacy issues with applications on their devices.

Demetriou, Soteris, Zhang, Nan, Lee, Yeonjoon, Wang, XiaoFeng, Gunter, Carl A., Zhou, Xiaoyong, Grace, Michael.  2017.  HanGuard: SDN-driven Protection of Smart Home WiFi Devices from Malicious Mobile Apps. Proceedings of the 10th ACM Conference on Security and Privacy in Wireless and Mobile Networks. :122–133.
A new development of smart-home systems is to use mobile apps to control IoT devices across a Home Area Network (HAN). As verified in our study, those systems tend to rely on the Wi-Fi router to authenticate other devices. This treatment exposes them to the attack from malicious apps, particularly those running on authorized phones, which the router does not have information to control. Mitigating this threat cannot solely rely on IoT manufacturers, which may need to change the hardware on the devices to support encryption, increasing the cost of the device, or software developers who we need to trust to implement security correctly. In this work, we present a new technique to control the communication between the IoT devices and their apps in a unified, backward-compatible way. Our approach, called HanGuard, does not require any changes to the IoT devices themselves, the IoT apps or the OS of the participating phones. HanGuard uses an SDN-like approach to offer fine-grained protection: each phone runs a non-system userspace Monitor app to identify the party that attempts to access the protected IoT device and inform the router through a control plane of its access decision; the router enforces the decision on the data plane after verifying whether the phone should be allowed to talk to the device. We implemented our design over both Android and iOS (\textbackslashtextgreater 95% of mobile OS market share) and a popular router. Our study shows that HanGuard is both efficient and effective in practice.
2017-08-02
Squires, Walter, Centonze, Paolina.  2016.  Cross-platform Access-rights Analysis of Mobile Applications. Proceedings of the International Conference on Mobile Software Engineering and Systems. :295–296.

We live in the era of mobile computing. Mobile devices have more sensors and more capabilities than desktop computers. For any computing device that contains sensitive information and accesses the Internet, security is a major concern for both enterprises and end-users. Of the mobile devices commonly in The emphasis of this research focuses on to the ways in which the popular iOS and Android platforms handle permissions in an attempt to discern if there are any identifiable trends on either platform w.r.t. applications being over- or underprivileged.

2017-03-20
Dormann, Will.  2016.  Google Authentication Risks on iOS. Proceedings of the 1st International Workshop on Mobile Development. :3–5.

The Google Identity Platform is a system that allows a user to sign in to applications and other services by using a Google account. Google Sign-In is one such method for providing one’s identity to the Google Identity Platform. Google Sign-In is available for Android applications and iOS applications, as well as for websites and other devices. Users of Google Sign-In find that it integrates well with the Android platform, but iOS users (iPhone, iPad, etc.) do not have the same experience. The user experience when logging in to a Google account on an iOS application can not only be more tedious than the Android experience, but it also conditions users to engage in behaviors that put the information in their Google accounts at risk.

Asharov, Gilad, Naor, Moni, Segev, Gil, Shahaf, Ido.  2016.  Searchable Symmetric Encryption: Optimal Locality in Linear Space via Two-dimensional Balanced Allocations. Proceedings of the Forty-eighth Annual ACM Symposium on Theory of Computing. :1101–1114.

Searchable symmetric encryption (SSE) enables a client to store a database on an untrusted server while supporting keyword search in a secure manner. Despite the rapidly increasing interest in SSE technology, experiments indicate that the performance of the known schemes scales badly to large databases. Somewhat surprisingly, this is not due to their usage of cryptographic tools, but rather due to their poor locality (where locality is defined as the number of non-contiguous memory locations the server accesses with each query). The only known schemes that do not suffer from poor locality suffer either from an impractical space overhead or from an impractical read efficiency (where read efficiency is defined as the ratio between the number of bits the server reads with each query and the actual size of the answer). We construct the first SSE schemes that simultaneously enjoy optimal locality, optimal space overhead, and nearly-optimal read efficiency. Specifically, for a database of size N, under the modest assumption that no keyword appears in more than N1 − 1/loglogN documents, we construct a scheme with read efficiency Õ(loglogN). This essentially matches the lower bound of Cash and Tessaro (EUROCRYPT ’14) showing that any SSE scheme must be sub-optimal in either its locality, its space overhead, or its read efficiency. In addition, even without making any assumptions on the structure of the database, we construct a scheme with read efficiency Õ(logN). Our schemes are obtained via a two-dimensional generalization of the classic balanced allocations (“balls and bins”) problem that we put forward. We construct nearly-optimal two-dimensional balanced allocation schemes, and then combine their algorithmic structure with subtle cryptographic techniques.

Swami, Shivam, Rakshit, Joydeep, Mohanram, Kartik.  2016.  SECRET: Smartly EnCRypted Energy Efficient Non-volatile Memories. Proceedings of the 53rd Annual Design Automation Conference. :166:1–166:6.

Data persistence in emerging non-volatile memories (NVMs) poses a multitude of security vulnerabilities, motivating main memory encryption for data security. However, practical encryption algorithms demonstrate strong diffusion characteristics that increase cell flips, resulting in increased write energy/latency and reduced lifetime of NVMs. State-of-the-art security solutions have focused on reducing the encryption penalty (increased write energy/latency and reduced memory lifetime) in single-level cell (SLC) NVMs; however, the realization of low encryption penalty solutions for multi-/triple-level cell (MLC/TLC) secure NVMs remains an open area of research. This work synergistically integrates zero-based partial writes with XOR-based energy masking to realize Smartly EnCRypted Energy efficienT, i.e., SECRET MLC/TLC NVMs, without compromising the security of the underlying encryption technique. Our simulations on an MLC (TLC) resistive RAM (RRAM) architecture across SPEC CPU2006 workloads demonstrate that for 6.25% (7.84%) memory overhead, SECRET reduces write energy by 80% (63%), latency by 37% (49%), and improves memory lifetime by 63% (56%) over conventional advanced encryption standard-based (AES-based) counter mode encryption.

Pouliot, David, Wright, Charles V..  2016.  The Shadow Nemesis: Inference Attacks on Efficiently Deployable, Efficiently Searchable Encryption. Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security. :1341–1352.

Encrypting Internet communications has been the subject of renewed focus in recent years. In order to add end-to-end encryption to legacy applications without losing the convenience of full-text search, ShadowCrypt and Mimesis Aegis use a new cryptographic technique called "efficiently deployable efficiently searchable encryption" (EDESE) that allows a standard full-text search system to perform searches on encrypted data. Compared to other recent techniques for searching on encrypted data, EDESE schemes leak a great deal of statistical information about the encrypted messages and the keywords they contain. Until now, the practical impact of this leakage has been difficult to quantify. In this paper, we show that the adversary's task of matching plaintext keywords to the opaque cryptographic identifiers used in EDESE can be reduced to the well-known combinatorial optimization problem of weighted graph matching (WGM). Using real email and chat data, we show how off-the-shelf WGM solvers can be used to accurately and efficiently recover hundreds of the most common plaintext keywords from a set of EDESE-encrypted messages. We show how to recover the tags from Bloom filters so that the WGM solver can be used with the set of encrypted messages that utilizes a Bloom filter to encode its search tags. We also show that the attack can be mitigated by carefully configuring Bloom filter parameters.

Deshotels, Luke, Deaconescu, Razvan, Chiroiu, Mihai, Davi, Lucas, Enck, William, Sadeghi, Ahmad-Reza.  2016.  SandScout: Automatic Detection of Flaws in iOS Sandbox Profiles. Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security. :704–716.

Recent literature on iOS security has focused on the malicious potential of third-party applications, demonstrating how developers can bypass application vetting and code-level protections. In addition to these protections, iOS uses a generic sandbox profile called "container" to confine malicious or exploited third-party applications. In this paper, we present the first systematic analysis of the iOS container sandbox profile. We propose the SandScout framework to extract, decompile, formally model, and analyze iOS sandbox profiles as logic-based programs. We use our Prolog-based queries to evaluate file-based security properties of the container sandbox profile for iOS 9.0.2 and discover seven classes of exploitable vulnerabilities. These attacks affect non-jailbroken devices running later versions of iOS. We are working with Apple to resolve these attacks, and we expect that SandScout will play a significant role in the development of sandbox profiles for future versions of iOS.

Bellare, Mihir, Hoang, Viet Tung, Tessaro, Stefano.  2016.  Message-Recovery Attacks on Feistel-Based Format Preserving Encryption. Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security. :444–455.

We give attacks on Feistel-based format-preserving encryption (FPE) schemes that succeed in message recovery (not merely distinguishing scheme outputs from random) when the message space is small. For \$4\$-bit messages, the attacks fully recover the target message using \$2textasciicircum1 examples for the FF3 NIST standard and \$2textasciicircum5 examples for the FF1 NIST standard. The examples include only three messages per tweak, which is what makes the attacks non-trivial even though the total number of examples exceeds the size of the domain. The attacks are rigorously analyzed in a new definitional framework of message-recovery security. The attacks are easily put out of reach by increasing the number of Feistel rounds in the standards.

Jo, Je-Gyeong, Ryou, Jae-cheol.  2016.  HTML and PDF Fuzzing Methodology in iOS. Proceedings of the 10th International Conference on Ubiquitous Information Management and Communication. :8:1–8:5.

iOS is well-known operating system which is strong in security. However, many attacking methods of iOS have recently been published which are called "Masque Attack", "Null Dereference" and "Italy Hacking Team's RCS". Therefore, security and safety is not suitable word to iOS. In addition, many security researchers have a problem to analyze iOS because the iOS is difficult to debug because of closed source. So, we propose a new security testing method for iOS. At first, we perform to fuzz iOS's web browser called MobileSafari. The MobileSafari is possible to express HTML, PDF and mp4, etc. We perform test abnormal HTML and PDF using our fuzzing method. We hope that our research can be helpful to iOS's security and safety.

Orikogbo, Damilola, Büchler, Matthias, Egele, Manuel.  2016.  CRiOS: Toward Large-Scale iOS Application Analysis. Proceedings of the 6th Workshop on Security and Privacy in Smartphones and Mobile Devices. :33–42.

Mobile applications - or apps - are one of the main reasons for the unprecedented success smart phones and tablets have experienced over the last decade. Apps are the main interfaces that users deal with when engaging in online banking, checking travel itineraries, or browsing their social network profiles while on the go. Previous research has studied various aspects of mobile application security including data leakage and privilege escalation through confused deputy attacks. However, the vast majority of mobile application research targets Google's Android platform. Few research papers analyze iOS applications and those that focus on the Apple environment perform their analysis on comparatively small datasets (i.e., thousands in iOS vs. hundreds of thousands in Android). As these smaller datasets call into question how representative the gained results are, we propose, implement, and evaluate CRiOS, a fully-automated system that allows us to amass comprehensive datasets of iOS applications which we subject to large-scale analysis. To advance academic research into the iOS platform and its apps, we plan on releasing CRiOS as an open source project. We also use CRiOS to aggregate a dataset of 43,404 iOS applications. Equipped with this dataset we analyze the collected apps to identify third-party libraries that are common among many applications. We also investigate the network communication endpoints referenced by the applications with respect to the endpoints' correct use of TLS/SSL certificates. In summary, we find that the average iOS application consists of 60.2% library classes and only 39.8% developer-authored content. Furthermore, we find that 9.32% of referenced network connection endpoints either entirely omit to cryptographically protect network communications or present untrustworthy SSL certificates.

Suarez, Drew, Mayer, Daniel.  2016.  Faux Disk Encryption: Realities of Secure Storage on Mobile Devices. Proceedings of the International Conference on Mobile Software Engineering and Systems. :283–284.

This paper reviews the challenges faced when securing data on mobile devices. After a discussion of the state-of-the-art of secure storage for iOS and Android, the paper introduces an attack which demonstrates how Full Disk Encryption (FDE) on Android can be ineffective in practice.

Dormann, Will.  Submitted.  Google Authentication Risks on iOS. Proceedings of the 1st International Workshop on Mobile Development. :3–5.

The Google Identity Platform is a system that allows a user to sign in to applications and other services by using a Google account. Google Sign-In is one such method for providing one’s identity to the Google Identity Platform. Google Sign-In is available for Android applications and iOS applications, as well as for websites and other devices. Users of Google Sign-In find that it integrates well with the Android platform, but iOS users (iPhone, iPad, etc.) do not have the same experience. The user experience when logging in to a Google account on an iOS application can not only be more tedious than the Android experience, but it also conditions users to engage in behaviors that put the information in their Google accounts at risk.