Launching generic attacks on iOS with approved third-party applications
iOS is Apple’s mobile operating system, which is used on iPhone, iPad and iPod touch. Any third-party applications developed for iOS devices are required to go through Apple’s application vetting process and appear on the official iTunes App Store upon approval.When an application is downloaded from...
Saved in:
| Main Authors: | , , , , , , , |
|---|---|
| Format: | text |
| Language: | English |
| Published: |
Institutional Knowledge at Singapore Management University
2013
|
| Subjects: | |
| Online Access: | https://ink.library.smu.edu.sg/sis_research/1948 https://ink.library.smu.edu.sg/context/sis_research/article/2947/viewcontent/ACNS2013Han.pdf |
| Tags: |
Add Tag
No Tags, Be the first to tag this record!
|
| Institution: | Singapore Management University |
| Language: | English |
| id |
sg-smu-ink.sis_research-2947 |
|---|---|
| record_format |
dspace |
| spelling |
sg-smu-ink.sis_research-29472018-03-22T01:12:06Z Launching generic attacks on iOS with approved third-party applications HAN, Jin SU, Mon Kywe YAN, Qiang BAO, Feng DENG, Robert H. GAO, Debin LI, Yingjiu ZHOU, Jianying iOS is Apple’s mobile operating system, which is used on iPhone, iPad and iPod touch. Any third-party applications developed for iOS devices are required to go through Apple’s application vetting process and appear on the official iTunes App Store upon approval.When an application is downloaded from the store and installed on an iOS device, it is given a limited set of privileges, which are enforced by iOS application sandbox. Although details of the vetting process and the sandbox are kept as black box by Apple, it was generally believed that these iOS security mechanisms are effective in defending against malwares. In this paper, we propose a generic attack vector that enables thirdparty applications to launch attacks on non-jailbroken iOS devices. Following this generic attack mechanism, we are able to construct multiple proof-of-concept attacks, such as cracking device PIN and taking snapshots without user’s awareness. Our applications embedded with the attack codes have passed Apple’s vetting process and work as intended on non-jailbroken devices. Our proof-of-concept attacks have shown that Apple’s vetting process and iOS sandbox have weaknesses which can be exploited by third-party applications. We further provide corresponding mitigation strategies for both vetting and sandbox mechanisms, in order to defend against the proposed attack vector. 2013-06-01T07:00:00Z text application/pdf https://ink.library.smu.edu.sg/sis_research/1948 info:doi/10.1007/978-3-642-38980-1_17 https://ink.library.smu.edu.sg/context/sis_research/article/2947/viewcontent/ACNS2013Han.pdf http://creativecommons.org/licenses/by-nc-nd/4.0/ Research Collection School Of Computing and Information Systems eng Institutional Knowledge at Singapore Management University Information Security |
| institution |
Singapore Management University |
| building |
SMU Libraries |
| continent |
Asia |
| country |
Singapore Singapore |
| content_provider |
SMU Libraries |
| collection |
InK@SMU |
| language |
English |
| topic |
Information Security |
| spellingShingle |
Information Security HAN, Jin SU, Mon Kywe YAN, Qiang BAO, Feng DENG, Robert H. GAO, Debin LI, Yingjiu ZHOU, Jianying Launching generic attacks on iOS with approved third-party applications |
| description |
iOS is Apple’s mobile operating system, which is used on iPhone, iPad and iPod touch. Any third-party applications developed for iOS devices are required to go through Apple’s application vetting process and appear on the official iTunes App Store upon approval.When an application is downloaded from the store and installed on an iOS device, it is given a limited set of privileges, which are enforced by iOS application sandbox. Although details of the vetting process and the sandbox are kept as black box by Apple, it was generally believed that these iOS security mechanisms are effective in defending against malwares. In this paper, we propose a generic attack vector that enables thirdparty applications to launch attacks on non-jailbroken iOS devices. Following this generic attack mechanism, we are able to construct multiple proof-of-concept attacks, such as cracking device PIN and taking snapshots without user’s awareness. Our applications embedded with the attack codes have passed Apple’s vetting process and work as intended on non-jailbroken devices. Our proof-of-concept attacks have shown that Apple’s vetting process and iOS sandbox have weaknesses which can be exploited by third-party applications. We further provide corresponding mitigation strategies for both vetting and sandbox mechanisms, in order to defend against the proposed attack vector. |
| format |
text |
| author |
HAN, Jin SU, Mon Kywe YAN, Qiang BAO, Feng DENG, Robert H. GAO, Debin LI, Yingjiu ZHOU, Jianying |
| author_facet |
HAN, Jin SU, Mon Kywe YAN, Qiang BAO, Feng DENG, Robert H. GAO, Debin LI, Yingjiu ZHOU, Jianying |
| author_sort |
HAN, Jin |
| title |
Launching generic attacks on iOS with approved third-party applications |
| title_short |
Launching generic attacks on iOS with approved third-party applications |
| title_full |
Launching generic attacks on iOS with approved third-party applications |
| title_fullStr |
Launching generic attacks on iOS with approved third-party applications |
| title_full_unstemmed |
Launching generic attacks on iOS with approved third-party applications |
| title_sort |
launching generic attacks on ios with approved third-party applications |
| publisher |
Institutional Knowledge at Singapore Management University |
| publishDate |
2013 |
| url |
https://ink.library.smu.edu.sg/sis_research/1948 https://ink.library.smu.edu.sg/context/sis_research/article/2947/viewcontent/ACNS2013Han.pdf |
| _version_ |
1770571694767865856 |