
National Chengchi University

Figure 17: The job progress of pattern checking.

sequence analysis method we used before. Currently we have checked the defined pattern "getUserLocation" on 1322 applications that were checked successfully, as shown in ??. The second and third columns are the application name and the pattern name. The checking result is represented as a JSON array of method names in the last column.

This result reveals whether an application uses the right method to request user location authorization, and whether that method is used in the proper way, as Apple suggests.

From the current results, we can find applications that adopt some feature functions but do not follow the pattern or the official guideline. When this occurs, it means that the application should be improved, or that the risk of the unexpected method call sequence should be checked.

5.4 Conclusion and evaluation

In this research, we created an automatic system, AppScan, and developed three different checking methods: checking method existence, single-subroutine sequential checking with LCS, and across-subroutine sequential checking with two-stage AllCS. Using these methods we can check application behavior against our defined checking patterns.

When checking method existence within an app, we use each single subroutine as our input unit. By filtering and comparing the class name with the checking pattern, we can finally figure out the usage distribution information of all the checked methods.

Figure 18: The top 4 of the evalJS checking result.

Figure 19: The evalJS LCS count result of an application.

Figure 20: All patterns: comparison of results between the single-subroutine and across-subroutine checking methods.

Figure 21: JavaScript core pattern: comparison of results between the single-subroutine and across-subroutine checking methods.

Figure 22: LAPermit pattern: comparison of results between the single-subroutine and across-subroutine checking methods.

Figure 23: Get user location pattern: comparison of results between the single-subroutine and across-subroutine checking methods.

Figure 24: Load by WebKit pattern: comparison of results between the single-subroutine and across-subroutine checking methods.

In the sequential checking scenario, we first adopted the distributed longest common subsequence (LCS) algorithm, using each single subroutine as our input unit. With it, AppScan can analyze multiple method sequence patterns in each subroutine within an application, so we can define any pattern we want to check against applications. Next, we use the two-stage AllCS method to improve the results, which lets us check a pattern across multiple subroutines. This greatly improves the sequence analysis method we used before.
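The two checking modes described above (single-subroutine LCS matching and matching across subroutines) and the JSON-array result rows from Section 5.3, as an added Python example that is not part of the thesis or of AppScan. The "getUserLocation" pattern contents, the app identifier, the subroutine names and their call sequences are all constructed for illustration; the cross-subroutine step here simply inlines app-defined callees depth-first, which is my own stand-in and not a reimplementation of the thesis's two-stage AllCS. The subroutine column in the result rows is also an addition to the three-column layout the text describes.

```python
import json

# Constructed checking pattern in the style of the thesis's "getUserLocation" pattern:
# the ordered calls an app is expected to make when it asks for the user's location
# (assumption: authorization is requested before location updates are started).
PATTERN_NAME = "getUserLocation"
PATTERN = [
    "CLLocationManager.init",
    "requestWhenInUseAuthorization",
    "startUpdatingLocation",
]

# Constructed sample app: subroutine name -> ordered list of calls it makes.
# A call whose name is itself a key of the dict is a call into another app
# subroutine; everything else is treated as an SDK method.
SAMPLE_APP = {
    "-[LocationHelper setup]": [
        "CLLocationManager.init",
        "setDelegate:",
        "requestWhenInUseAuthorization",
    ],
    "-[ViewController viewDidLoad]": [
        "-[LocationHelper setup]",
        "startUpdatingLocation",
    ],
}

# Constructed app that starts updates before asking for permission (wrong order).
BAD_ORDER_APP = {
    "-[ViewController viewDidLoad]": [
        "startUpdatingLocation",
        "requestWhenInUseAuthorization",
    ],
}


def lcs(seq, pattern):
    """Longest common subsequence of two method-name lists (standard O(n*m) DP)."""
    n, m = len(seq), len(pattern)
    dp = [[0] * (m + 1) for _ in range(n + 1)]
    for i in range(n):
        for j in range(m):
            if seq[i] == pattern[j]:
                dp[i + 1][j + 1] = dp[i][j] + 1
            else:
                dp[i + 1][j + 1] = max(dp[i][j + 1], dp[i + 1][j])
    # Walk back through the table to recover the matched method names in order.
    out, i, j = [], n, m
    while i > 0 and j > 0:
        if seq[i - 1] == pattern[j - 1]:
            out.append(seq[i - 1])
            i -= 1
            j -= 1
        elif dp[i - 1][j] >= dp[i][j - 1]:
            i -= 1
        else:
            j -= 1
    return out[::-1]


def check_sequence(calls, pattern):
    """Which pattern methods appear in this call sequence, in pattern order."""
    matched = lcs(calls, pattern)
    return {"matched": matched, "complete": len(matched) == len(pattern)}


def check_single(app, pattern):
    """Single-subroutine checking: every subroutine is its own input unit."""
    return {name: check_sequence(calls, pattern) for name, calls in app.items()}


def inline_calls(app, entry, path=()):
    """Flatten a subroutine's calls by inlining app-defined callees depth-first.
    The path guard stops recursion on call cycles. This is a simple stand-in for
    the thesis's AllCS step, not a reimplementation of it."""
    if entry in path:
        return []
    flat = []
    for callee in app.get(entry, []):
        if callee in app:
            flat.extend(inline_calls(app, callee, path + (entry,)))
        else:
            flat.append(callee)
    return flat


def check_across(app, pattern):
    """Across-subroutine checking: match the pattern on the inlined sequence."""
    return {name: check_sequence(inline_calls(app, name), pattern) for name in app}


def report_rows(app_name, pattern_name, results):
    """Result rows: app name, pattern name, subroutine, JSON array of matched methods."""
    return [
        [app_name, pattern_name, sub, json.dumps(r["matched"])]
        for sub, r in results.items()
        if r["matched"]
    ]


if __name__ == "__main__":
    for label, check in (("single", check_single), ("across", check_across)):
        for row in report_rows("com.example.sample", PATTERN_NAME, check(SAMPLE_APP, PATTERN)):
            print(label, row)
```

Run stand-alone, the single-subroutine pass reports only partial matches for the sample app (the pattern is split between two subroutines), while the across-subroutine pass reports the full pattern for `viewDidLoad`; the wrong-order app matches only one method in either mode, which is the kind of unexpected call sequence the text says should be flagged for review.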

However, these solutions still have some limitations; for example, the system has to be kept up to date with the Apple iOS SDK at all times. I hope these limitations will be resolved in future work.

