Smartphone applications that listen for network connections introduce significant security and privacy threats for users. In this paper, we focus on vetting and analyzing the security of iOS apps’ network services. To this end, we develop an efficient and scalable iOS app collection tool to download 168,951 iOS apps in the wild. We investigate a set of 1,300 apps to understand the characteristics of network service vulnerabilities, confirming 11 vulnerabilities in popular apps, such as Waze, Now, and QQBrowser. From these vulnerabilities, we create signatures for a large-scale analysis of 168,951 iOS apps, which shows that the use of certain third-party libraries listening for remote connections is a common source of vulnerable network services in 92 apps. These vulnerabilities open up the iOS device to a host of possible attacks, including data leakage, remote command execution, and denial-of-service attacks. We have disclosed identified vulnerabilities and received acknowledgments from vendors.
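The abstract's central point is that an app-embedded network service becomes an attack surface when it listens on every interface and accepts commands from any peer. The following is an added illustration, not code from the paper or from any of the apps it names: it models that pattern with plain Python TCP sockets (a stand-in for whatever listener a third-party library would open on iOS) and places the exposed form next to a hardened one that binds to loopback only and requires a per-launch random token. The service, the `GET /contacts` command and the contact data are constructed for the example.

```python
import secrets
import socket
import threading


def _serve_one(bind_addr, handler):
    """Start a TCP listener on an ephemeral port and answer exactly one request.
    Returns (port, thread). The handler maps request bytes to reply bytes."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind_addr, 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run():
        conn, _peer = srv.accept()
        with conn:
            conn.sendall(handler(conn.recv(4096)))
        srv.close()

    t = threading.Thread(target=run, daemon=True)
    t.start()
    return port, t


def request(port, payload):
    """Connect to the listener over loopback and return its reply."""
    with socket.create_connection(("127.0.0.1", port), timeout=5) as c:
        c.sendall(payload)
        return c.recv(4096)


# Constructed sample user data that the in-app service hands out.
CONTACTS = b"Alice:+15550100;Bob:+15550101"


# --- Exposed pattern -------------------------------------------------------
# Binds to 0.0.0.0, so any host on the same Wi-Fi or hotspot can connect, and
# answers any command without a credential: the data-leakage case in the abstract.
def vulnerable_handler(req):
    if req.strip() == b"GET /contacts":
        return b"200 " + CONTACTS
    return b"400 bad request"


def start_vulnerable():
    port, t = _serve_one("0.0.0.0", vulnerable_handler)
    return "0.0.0.0", port, t


# --- Hardened pattern ------------------------------------------------------
# Binds to loopback, so only processes on the same device can reach it, and
# demands a random per-launch token, so a co-resident process that does not
# hold the token still gets nothing. Constant-time comparison avoids a
# timing side channel on the token check.
SESSION_TOKEN = secrets.token_hex(16).encode()


def hardened_handler(req):
    parts = req.strip().split(b" ", 1)
    if len(parts) != 2 or not secrets.compare_digest(parts[0], SESSION_TOKEN):
        return b"401 unauthorized"
    if parts[1] == b"GET /contacts":
        return b"200 " + CONTACTS
    return b"400 bad request"


def start_hardened():
    port, t = _serve_one("127.0.0.1", hardened_handler)
    return "127.0.0.1", port, t


def demo():
    """Exercise both listeners; returns (bind address, reply) for each case."""
    addr_v, port_v, t_v = start_vulnerable()
    reply_v = request(port_v, b"GET /contacts")  # served with no credential
    t_v.join()

    addr_h, port_h, t_h = start_hardened()
    reply_noauth = request(port_h, b"GET /contacts")  # rejected
    t_h.join()

    _, port_h2, t_h2 = start_hardened()
    reply_auth = request(port_h2, SESSION_TOKEN + b" GET /contacts")
    t_h2.join()

    return {
        "vulnerable": (addr_v, reply_v),
        "hardened_noauth": (addr_h, reply_noauth),
        "hardened_auth": (addr_h, reply_auth),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

When auditing a real app the same two questions apply to every listener it opens: which address it binds to, and what, if anything, a connecting peer must prove before the service acts. A loopback bind alone is not sufficient on a multi-app device, which is why the hardened form keeps the token check as well.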
Title of host publication: Proceedings of the 29th USENIX Security Symposium
Place of publication: Berkeley, CA
Number of pages: 18
Publication status: Published - 2020
Event: 29th USENIX Security Symposium - Boston Marriott Copley Place, Boston, United States
Duration: 12 Aug 2020 → 14 Aug 2020
Conference: 29th USENIX Security Symposium
Abbreviated title: USENIX Security
Period: 12/08/20 → 14/08/20
Tang, Z., Tang, K., Xue, M., Tian, Y., Chen, S., Ikram, M., ... Zhu, H. (2020). iOS, your OS, everybody's OS: vetting and analyzing network services of iOS applications. In Proceedings of the 29th USENIX Security Symposium (pp. 2415-2432). Berkeley, CA: USENIX Association.