
We evaluated our system against over 1,500 popular apps downloaded from the Apple App Store.

At the current phase, we have examined and analyzed iOS applications with respect to 9 sensitive behaviors. For each behavior, we implemented a pair of normal and abnormal apps that are identical except that the routine needed to perform the malicious behavior is inserted into the abnormal one.

The patterns are learned from the differences in the method call counts of each pair. FTP indicates building a connection to an external machine through FTP. Loc indicates access to the user's current location, and Loc2 updates the GPS location continuously. Screen takes a screenshot of the app. Internet represents the app accessing the Internet, and HTTP uses the ASIHTTP package; both build Internet connections. REST indicates the app may transmit data through a REST API, TCP indicates the app may open TCP connections, and FB indicates the app may connect to resources on Facebook.

These behaviors are commonly implemented in apps for their own purposes, with or without user awareness. Our goal is to reveal whether apps include these behaviors in their executables, while leaving users to judge whether the apps are malicious.

These methods may be wrapped in various (third-party or user-defined) functions in the source code.

For example, when using the ASIHTTPRequest framework to handle network interaction events, developers simply call the "startAsynchronous" method on an ASIHTTPRequest object to deal with the URL connection and input stream. Namely, only partial malicious fragments are known prior to analyzing the binaries, so creating app pairs to identify the fundamental system method calls is needed in these cases.

We analyzed more than 1,400 online apps against the patterns we collected.

The signs C1, C2, C3 indicate that the matching result is based on sampling the call sequence as single class invocations up to sequences of three class invocations, and M1, M2, M3 indicate the same for method call sequences. The subscripts f and 0.5 denote the matching ratio, where f means fully matched (100 percent) and 0.5 means more than 50 percent matched.

As the analysis results show, a pattern with a sequence is much more specific than one that considers only single function calls: there are many more total matches for single-function patterns than for sequence patterns, which would give too many false-positive matches for the behaviors.

On the other hand, since the patterns are generated from apps we developed ourselves, a pattern might be over-specific because of the developer's coding style, which affects the contents of the compiled binary. But we strongly believe that apps will have function call sequences very similar to the generated patterns: for 1,400 apps and 9 sensitive behaviors, there are over 12,000 matches with a ratio over 50% in the sequence analysis, which means these apps are highly likely to perform the sensitive behaviors.
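The pair-diff pattern learning described above and the M1/M3 (or C1/C3) matching ratios with their f and 0.5 thresholds, as an added illustration written for this section rather than the thesis's own tooling. The call traces, the app names and the location-upload routine are constructed; only the ASIHTTPRequest and CLLocationManager selectors are real iOS/ASIHTTP names.

```python
from collections import Counter

# Constructed call traces: one "Class.selector" per call, in program order,
# standing in for what a static pass over an app binary would recover.
NORMAL_APP = [
    "UIViewController.viewDidLoad",
    "ASIHTTPRequest.requestWithURL:",
    "ASIHTTPRequest.startAsynchronous",
    "UILabel.setText:",
]
# The same app with a location-upload routine inserted (the abnormal twin).
ABNORMAL_APP = [
    "UIViewController.viewDidLoad",
    "CLLocationManager.init",
    "CLLocationManager.startUpdatingLocation",
    "CLLocation.coordinate",
    "ASIHTTPRequest.requestWithURL:",
    "ASIHTTPRequest.setRequestMethod:",
    "ASIHTTPRequest.startAsynchronous",
    "UILabel.setText:",
]
# Constructed candidate: every single call of the routine is present, but a
# map call breaks the sequence (location shown on a map, data fetched apart).
MAP_APP = ABNORMAL_APP[:4] + ["MKMapView.setCenterCoordinate:"] + ABNORMAL_APP[4:7]

def as_level(calls, level):
    """'M' keeps Class.selector (M1..M3); 'C' keeps only the class (C1..C3)."""
    return list(calls) if level == "M" else [c.split(".", 1)[0] for c in calls]

def ngrams(calls, n):
    return [tuple(calls[i:i + n]) for i in range(len(calls) - n + 1)]

def learn_pattern(normal, abnormal, n, level="M"):
    """N-grams whose count grew in the abnormal twin: the inserted routine."""
    diff = Counter(ngrams(as_level(abnormal, level), n))
    diff.subtract(Counter(ngrams(as_level(normal, level), n)))
    return {g for g, k in diff.items() if k > 0}

def match_ratio(pattern, candidate, n, level="M"):
    """Share of pattern n-grams found anywhere in the candidate's trace."""
    have = set(ngrams(as_level(candidate, level), n))
    return len(pattern & have) / len(pattern) if pattern else 0.0

def verdict(ratio):
    """'f' = fully matched, '0.5' = more than half matched, None = not reported."""
    return "f" if ratio == 1.0 else ("0.5" if ratio > 0.5 else None)

def report(candidate, level="M"):
    """Verdicts for sequence lengths 1 and 3 (M1/M3 or C1/C3 in the tables)."""
    return {f"{level}{n}": verdict(match_ratio(
        learn_pattern(NORMAL_APP, ABNORMAL_APP, n, level), candidate, n, level))
        for n in (1, 3)}
```

For the constructed map app, M1 reports a full match while M3 stays at exactly 50 percent and is not reported, which is the over-matching of single-call patterns the text describes.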

Here we present the number of apps reported greater than 50 percent match on three-sequence analysis.

| Behavior name      | Apps matched |
|--------------------|--------------|
| Access location    | 10           |
| Access screenshot  | 2            |
| Connect FTP        | 18           |
| Connect HTTP       | 99           |
| Connect Internet   | 396          |
| REST API           | 4            |
| Uploading Location | 5            |

Table 5. Result of match on three-sequence analysis

To verify the accuracy of our analysis, we downloaded the apps that were recognized with the behavior "uploading location" on the three-sequence match and examined whether the apps actually performed such behavior. We found an interesting result. Our system reported five apps with the behavior "uploading location". Christian Radio Locator is an app for finding Christian radio stations around the user, Finding Churches is for finding churches around the user, and My Topo Maps by Trimble Outdoors provides topo maps around the traveler; it is clear that these apps upload the user's location to provide such services. On the other hand, Nightstand Alarm Clock seems to be an alarm clock app but was also reported by our system, so we tried to verify this result: it turns out that this app provides weather report functionality and gives users the option of uploading their current location. The screenshot of this app is shown below in Figure 14.

The last app we reported with uploading location was PIXNET Web Albums. This app uploads pictures from the user's mobile device to the web album, and we could not find any location-uploading functionality by using this app normally. Since the other reported apps actually performed location uploading, it is highly likely that the binary of PIXNET Web Albums somehow performs this functionality, and this is a case for further inspection such as control flow analysis.

國立政治大學 National Chengchi University

Figure 15. The screenshot of the app "Nightstand Alarm Clock"


On the other hand, we are not able to confirm a false-positive example in our experiment, because we can only tell that such a behavior is embedded in the app executable; we cannot report when the behavior is activated or executed, since that depends on user input or other parameters, and collecting such information requires runtime observation, which is closer to a dynamic approach to app analysis.

The performance improvement from using Hadoop is shown in the table below: given the same number of tasks, adding compute nodes clearly improves the execution speed of the Hadoop system.

| Number of compute nodes | 3 nodes  | 4 nodes | 5 nodes  |
|-------------------------|----------|---------|----------|
| Total tasks             | 8418     | 8418    | 8418     |
| Total failures          | 0        | 1       | 3        |
| Execution time          | 10 h 4 m | 8 h 5 m | 4 h 16 m |

Table 6. The performance of execution on Hadoop

Our system signals potential sensitive behaviors of mobile apps, but many of these functions are essential in the practical use of mobile apps, so we only report the ratio indicating an app's capacity to carry out a behavior, without saying whether the app is malicious; we leave the app's intention to the user's judgment.

As the analysis results show, a pattern with a sequence is much more specific than one that considers only single function calls: there are many more total matches for single-function patterns than for sequence patterns, which would give too many false-positive matches for the behaviors.

On the other hand, since the patterns are generated from apps we developed ourselves, a pattern might be over-specific because of the developer's coding style, which affects the contents of the compiled binary. But we strongly believe that apps will have function call sequences very similar to the generated patterns: for over 1,400 apps and 9 sensitive behaviors, there are over 12,000 matches with a ratio over 50 percent in the sequence analysis, which means these apps are highly likely to perform the sensitive behaviors.

This research proposed a new approach to analyzing mobile apps on iOS. The core analysis part of our system is not OS-bound, so it can be applied to analyze mobile apps on other platforms or operating systems.

However, the biggest challenge of this work is the precision of the patterns of sensitive functions. Since every single difference within the
