行動應用程式的函式行為分析 - 政大學術集成

全文

(1)國立政治大學商學院資訊管理學系研究所碩士論文 Graduate Institute of Management Information Systems College of Commerce National Chengchi University. 治. 立. 政 Thesis Master. 大. ‧ 國. 學. 行動應用程式的函式行為分析. ‧. n. al. er. io. sit. y. Nat. Distributed Call Sequence Counting on iOS Executable. Ch. e戴睿宸 ngchi. i n U. v. Ruei-Chen Tai. 指導教授：郁方博士 Adviser: Fang Yu Ph.D. 中華民國 103 年 4 月 April, 2014.

(2) 誌謝能夠順利完完成這本論文，首先要謝謝郁方老師一路上對我的包容和照顧；非常有耐心的一職給予我指導及建議，才讓我得以完成我的碩士學業，在此對老師致上我最深的感謝。在碩士的求學過程中姜國輝老師對我的照顧，在求學上知識. 政治大. 以及資源的提供、在生活上的許多方面都深蒙老師的協助及愛護，在. 立. 此也感謝老師長久以來的支持。. ‧ 國. 學. 芳汶和俊霆，我想沒有你們我是沒有辦法完成我的學業，在生活. ‧. 上以及心靈上給予我的支持，真的感激不盡。. Nat. io. sit. y. 資管系不論是助教或是同學都給了我十分多的幫助，我非常感謝. er. 資管系所給予我的，雨儒以及詩晴在我困難時的協助，我感謝萬分。. al. n. v i n Ch SoSLab 的所有學弟妹，尤其是元傑、維劭、君翰在這一路的研究上 engchi U. 多承你們的幫忙，這個研究才得以完成，ICTLab 的各位，瑞涵、聖尹、育龍、善豪、韋仁，感謝你們在生活上及學業上一路的支持與陪伴。最後要謝謝我的母親，在如此艱難的環境下依然支持我繼續完成我的學業，也感謝上天的護佑以及其他所有人的幫助，讓我們終究能順利地步向人生的下一階段。 i.

(3) Abstract This work presents a syntax analysis on the executable files of iOS apps to characterize and detect suspicious behaviors performed by the apps. The main idea is counting the appearances of call sequences in the apps which are resolved via reassembling the executable binaries. Since counting the call sequences of the app needs to consider different combinations of every function calls in the app, which significantly. 政治大. increases the complexity of the computing, it takes abundant computing. 立. power to bring out our analysis on massive apps on the market, to. ‧ 國. 學. improve the performance and the effectiveness of our analysis, this work adopted a distributed computing algorithm via Hadoop framework. ‧. achieving a scalable static syntax analysis which is able to process huge. sit. y. Nat. amount of modern apps. We learn the malicious behaviors pattern through. er. io. comparing the pairs of normal and abnormal app which are identical. n. a we inserted. By matching except on certain behaviors v the patterns with i l C n h efrom the call sequences we collected i U apps, we characterized n g ctheh public the behaviors of apps and report the suspicious behaviors carried potential security threats in the apps. Keywords: call sequence, mobile app security, syntax analysis, distributed computing.. ii.

(4) 摘要本研究利用字串分析之方式對行動應用程式之執行檔進行靜態分析，進以偵測行動應用程式之行為。本研究計算行動應用程式所呼叫特定系統函式之序列，進一步比對特定可疑行為模式並判定行動應用程式是否包含其可疑行為，由於進行此研究需要考慮行動應用程式執行檔中每一個系統函式的呼叫，因此增加了大量的計. 政治大算複雜度，故需要大量的運算資源來進行，為了提高運算的效率，立. ‧ 國. 學. 本研究採用了 Hadoop 作為分散式運算的平台來達成可延展的分析. ‧. 系統，進以達成分析大量行動應用程式的目的，透過建立特定的行. n. al. er. io. 供其含有潛在可疑行為的分析報告。. sit. y. Nat. 為模式庫，本研究已分析了上千個現實使用的行動應用程式，並提. i n U. C. v. hengchi 關鍵字: 呼叫序列，行動應用程式安全，字串分析，分散式運算. iii.

(5) Contents Abstract ...................................................................................................... i Contents ................................................................................................... iv List of figures .............................................................................................v List of tables............................................................................................. vi 1. Introduction.........................................................................................1 2. Literature review ................................................................................6. 政治大. 2.1.. Malicious behaviors of mobile apps .........................................6. 2.2.. Detecting malicious behaviors within apps ..............................7. 2.3.. Distributed computing ..............................................................9. 立. ‧ 國. 學. 3. Static binary analysis........................................................................ 11. ‧. Extract and decrypt binary......................................................12. 3.2.. Dump assemble file of binary ................................................15. 3.3.. Distributed computation on call sequences ............................17. er. io. sit. y. Nat. 3.1.. n. 4. Malicious behaviora detection ........................................................... 22 v 4.1. 4.2.. i l C n h ................................................................ Malicious behaviors 22 engchi U Characterize Malicious Behaviors on Counting Call Sequences ...............................................................................25. 4.3.. Pattern inclusion .....................................................................27. 5. Implementation .................................................................................29 6. Evaluation ..........................................................................................33 7. Conclusion .........................................................................................38 References ................................................................................................40. iv.

(6) List of figures Figure 01.. Smartphone penetration .....................................................2. Figure 02.. The growth of the Apple App Store ...................................2. Figure 03.. Overview of AppBeach system. ........................................ 11. Figure 04.. An example of binary file of an iOS app. ........................15. Figure 05.. Sample code of dump assembly in IDA pro. ...................16. Figure 06.. A Screenshot of IDA pro. ..................................................16. Figure 07.. A sample of extracted assemble file of iOS app. .............17. Figure 08.. The call sequences of app ..................................................19. Figure 09.. The distributed algorithm for method counting.............21. Figure 10.. A part of the resolved system method calls in the ..........21. Figure 11.. Example of retrieving future events in calendar on iOS 23. Figure 12.. The process of building the malicious pattern library. ..25. Figure 13.. Call sequences of triple class invocation on ....................26. Figure 14.. Different sampling result of the app “Twitter”. .............31. Figure 15.. v l of app “ Nightstand The screenshot n i Alarm Clock”........36. 立. 政治大. ‧. ‧ 國. 學. n. er. io. sit. y. Nat. a. Ch. engchi U. v.

(7) List of tables Table 1.. The amounts of mobile phones...............................................1. Table 2.. A smple list of sensitive classes and functions on iOS devices. ......................................................................................23. Table 3.. Different pattern for accessing location on sampling ........27. Table 4.. The table of sampling. ...........................................................30. Table 5.. Result of match on three-sequence analysis........................35. Table 6.. The performance of execution on Hadoop ..........................37. 立. 政治大. ‧. ‧ 國. 學. n. er. io. sit. y. Nat. al. Ch. engchi. vi. i n U. v.

(8) 1. Introduction Mobile device market grew in rapid speed in the past few years; as shown in Table 1, more than 6.8 billion mobile phones were sold up to 2013 [21]. Besides that, smart devices (Smartphones, tablets) have become the majority in the market of mobile devices [27, 25, 34, 28, 29]. Smart devices provide variety functionalities through the mobile applications running on them, and bring out the whole new style of. 政治大. mobile device using, people now do lots of thing on their mobile devices,. 立. not just simply making phone calls and send SMS like old days.. China. 2. India. 3. United States. 4. Brazil. 5. Russia. 30. Taiwan. Nat. 1. io. 6.8billion+. 7,012,000,000. 1,227,360,000. 1,349,585,838. 904,510,000. 1,220,800,359. 327,577,529. 317,874,628. Last updated. 97. 2013. 89.2. Dec 2013. 74.09. Mar 2014. 103.1. Apr 2014. 136.45. Mar 2014. 155.5. Jul 2013. 123.33. Sep 2011. 201,032,714 v a l 273,583,000 i n Ch 256,116,000 142,905,200 U i e h n c g 28,610,000 23,197,947. n Table 1.. Percentage of population. y. World. Population. sit. —. Number of mobile phones. er. Country or region. ‧. ‧ 國. 學. Rank. The amounts of mobile phones [21]. Smart devices provide enough computing power and network service with mobility, leading lots of PC users turn to smart devices on some activities they used to do on PCs, such as web browsing and social network accessing [1, 31, 24, 37]. The explosive growth of smart devices and the structural changes on mobile device using stimulated the growth of mobile app market; people download and use apps on their smart 1.

(9) devices for different purposes all the time, under this circumstance; the amount of mobile apps grew with astonished speed, there are already more than one million apps on Apple App Store [5, 20], and the amount of app is still in steady growth [36].. 立. 政治大. ‧. ‧ 國. 學. Nat. n. al. er. io. sit. y. Figure 1. Smartphone penetration [26]. Ch. engchi. i n U. v. Figure 2. The growth of the Apple App Store [36] 2.

(10) As mentioned above, mobile apps provide various functionalities to satisfy users with their needs, some of these functionalities are similar with those provided on PC, such as web browsing, email service; and the other services provide more specific functionalities on mobile devices, for example: navigation. However, just like those security issues raised while enjoying the convenience on using PC programs, there are threats when user using mobile apps. For example, lots of people access social network or use. 政治大 and lots of these services encourage or ask users to create a new account 立 communication apps more on the mobile devices than on their computers,. or use the existing information as the new account, such as account of. ‧ 國. 學. famous domain (Facebook, Google, etc.) or even the cellphone number. ‧. (especially in the cases of communication apps). Moreover, some apps. sit. y. Nat. may ask users to import information such as contacts in order to interact. io. er. with their friends; navigation apps need to know exactly where the users are by assessing their GPS location to provide precise suggestions. Apps. al. n. v i n C h much betterUuser experiences, which is make these requests for providing engchi the positive incentive on users’ information.. To enjoy the functionalities provided by apps, as mentioned before: users have to meet the requirements of apps first; in the case above, users need to provide their personal information to some degree to create an account and grant the requests for apps to access private data on the device. Actions like these raise severe security issues, for instance, apps may be able to access more information or get more permissions than necessary, and apps may misuse the information and the permissions they 3.

(11) obtained, moreover, apps could collect/transmit the data of the devices or the information of the users, and these may open windows for apps with malicious incentives. Situations mentioned above give apps with malicious incentives lot of chances to achieve their objectives, which are basically performed with two phases, the first phase is retrieving private information on the devices; and the second phase is transmitting the information outward the devices for further uses. If the actions apps take in these two phases is without. 政治大 Nonetheless, most of the apps available on the market were not developed 立. user granted, than users will probably not even aware such behaviors.. by the developers in the companies manufactured the mobile devices or. ‧ 國. 學. the companies build the operating systems running on the devices. Most. ‧. of these apps were developed by other companies or independent. sit. y. Nat. developers. Under this circumstance, it is highly likely the malignant. io. into the apps to achieve the specific objectives.. al. er. developers or hackers have their chances to insert the malicious contents. n. v i n C h mobile applications Like all the web applications, have their license engchi U. agreements which are “long, incomprehensible privacy policies that users typically do not read, let alone understand” [38]. Hence, users’ confidence comes from other users and other services from the same companies. On the other hand, even we suppose that users have read the license agreements and fully comprehend the terms, according to end user license agreements (EULA) of the markets, “Information collected by third parties, which may include such things as location data or contact details, is governed by their privacy policies.” [2, 35, 4], which means users have 4.

(12) to visit the application developers’ websites and ensure that their personal information will not be retrieved by others like advertisers. In sum, accepting or declining the license agreements doesn’t guarantee anyone’s information security. To ensure the security level, Apple Inc. adopts the review policy, which is developers of apps must obey the license agreement proposed by Apple, and all of the apps submitted to the Apple App Store will be reviewed by Apple to ensure there is no violation of the license agreement. 政治大 contain malicious behaviors which approved by Apple, famous example 立. [8]. However, this policy is not totally effective, there were still apps. are the applications developed by the developer “Storm8” which. ‧ 國. 學. harvested users phone numbers and other personal information [6].. ‧. Besides that, users of devices which is root exploited (jailbroken) can. sit. y. Nat. download apps form non-official (which means apps are not been. io. er. reviewed) repositories such as the well-known Cydia [10]. The objective of this work is to present an effective static approach. al. n. v i n C happs. And we developed to analyze behaviors of iOS a system, which engchi U. provides an effective tool named AppBeach (abbrv. on App Behavior Architect) for analyzing the app executables with distributed computing algorithm, which detects and reports the potential malicious behaviors of mobile apps.. 5.

(13) 2. Literature review 2.1. Malicious behaviors of mobile apps To fulfill the needs of users, mobile app executes series of functions to perform the requested functionalities; these sets of function calls are the behaviors of the mobile app, which are basically performed to delight users, the intensives the vast majority of app developers have. However, there are times the information misused by the application, or the app. 政治大. itself is made for malicious objectives by hackers or malicious. 立. developers.. ‧ 國. 學. Adrienne Porter Felt et al. [17] conclude the threat types of mobile applications into three categories: Malware, Personal Spyware and. ‧. Grayware. Furthermore they evaluate the security of different mobile app. y. Nat. sit. markets and classified the incentives of malicious apps; they conclude the. a. er. io. incentives as follows: Novelty and Amusement, Selling User Information,. n. i v SMS, SMS Spam, l Premium-Rate Callsnand Stealing User Credentials,. Ch. U i e h n c g Search Engine Optimization and Ransom.. William Enck et al. [16] classified the mobile app malicious behavior in another approach; they divided these behaviors into two categories: information misuse and phone misuse. The first type is information misuse, which means that sensitive information on the devices (including IMEI, the device identifier; IMSI, the subscriber identifier; ICCID, the SIM card serial number; location information and so on.) has been being leaked by transferring information outward the device. The other type is phone misuse, which means the smartphone 6.

(14) interface has been manipulated in wrong way; telephone service (premium rate calls and SMS), and socket API use are included. They also investigated the libraries included by lots of mobile apps and found that the use of phone identifier and location is configurable in these libraries; the analytical report is often configured, and these libraries probe for permission using the way like try/catch blocks.. 2.2. Detecting malicious behaviors within apps. 政治大. With the raise of the security issue of mobile applications, there are. 立. researches proposed different solutions to detect the malicious behavior. ‧ 國. 學. within the mobile apps, and lots of these researches take the approaches used to solve similar problems on web applications. There are two main. ‧. approaches to analyze the behaviors of applications, dynamic approach. Nat. sit. y. and static approach.. er. io. Dynamic approach means performing the analysis through running. n. and manipulating thea lapplication and observing i v its behaviors and. Ch. reactions. William. Enck. n U engchi. developed. TaintDroid. [32],. which. would. automatically label the privacy-sensitive data, applies label along with the propagation of the data through files and variables [13, 15]. Once the data is about to be transmitted via the Internet, TaintDroid keeps a record of the label, responsible application and the destination. This approach seems fine whereas there are limitations [14]. Especially not until the private information was delivered does TaintDroid log the behavior.. 7.

(15) Peter Gilbert et al. [18] detect the behavior of mobile app on Android via dynamic approach by building virtual Android operating system and run the mobile apps on the virtual operating system. They build an input generator to simulate the user keeping giving inputs to the mobile app. And another module to collect the behavior and the data flow of the app. However, the highest code coverage in this work is about 40 percent, which means more than half part of the app was not inspected. The main limitation of implementing dynamic analysis approach is. 政治大 problem including building the environment running the applications and 立. that the analysis relies on the observations of executions of apps, the. the mechanism to achieve the observation. Additionally, for iOS. ‧ 國. 學. application development, applications available on App Store are. ‧. distributed in compiled binaries [33], under this circumstance; the iOS. sit. y. Nat. apps are basically not runnable on virtual environments.. io. er. On the other hand, static approach means analyze the applications without actually executing them, and perform the analysis on the. al. n. v i n C h code of the applications. executable binaries or the source engchi U. Yajin Zhou et al. [39] proposed a scheme called permission-based. behavioral footprinting based on the files such as manifest file of the app, and find the permission the app requests, and they defined the malicious behaviors by collecting the necessary Android permissions requested by the known malwares. They compare the footprint of app to the known malicious ones to determine the app is suspicious or not. This work gives a quick filter to detect malware because it just exam the part of files within the app but exam the app binary itself, which take lots of efforts. 8.

(16) Barbic et al. [9] draw system call dependency graphs that trace program executions, log system calls, and track how parameters propagate, and finally compute graphs. Egele et al. [12] present PiOS, the first static binary analysis tool for detecting privacy leaks in iOS applications. They decrypted binary of iOS applications, built control flow graphs of system calls of the binary, conducted data flow analysis, and detected suspicious flaws for privacy leaks. They evaluated the approach against more than 1,400 iPhone. 政治大. applications. This work briefly shows the feasibility of binary analysis for iOS applications.. 立. Mann et al. adopted static analysis to detect privacy leaks in Android. ‧ 國. 學. applications [23]. They identified private information sources, including. ‧. location, contact, calendar and network communication et al. Their. sit. y. Nat. framework labels the parameters with security levels, and variables. io. er. representing personal data as above would be given higher security levels. The framework also restricts methods to be called with parameters under. n. al. specific levels defined.. Ch. engchi. i n U. v. Analyzing the application through static approach takes a lot of effort, like finding all dependencies within the source code, it needs lot of computing power and time consuming.. 2.3. Distributed computing Analyzing the behaviors of apps through static approach requires abundant computing power. While targeting real applications, the binaries and the corresponding assembly can be huge. In order to improve the 9.

(17) performance of our analysis system, we adopt the distributed computing model. MapReduce was proposed by Dean and Ghemawat of Google Inc. [11]. It is a programming model for processing large data sets, which composed with two parts, the Mapper and the Reducer. The Mapper process the input data to a set of intermediate key/value pairs, and the Reducer part merges all the intermediate pair with the same key. Hadoop is a project of Apache [3], one of the open source tools. 政治大 distributed computing environment on commodity hardware. All users 立. developed on the idea propose by Google, provide a solution of building. need to do is to specify the computation with a Map and a Reduce. ‧ 國. 學. function, and the underlying runtime system would automatically. ‧. parallelize the computation across large-scale clusters of machines,. sit. y. Nat. handle machine failures, and schedule inter-machine communication to. io. n. al. er. make efficient use of the network and disks.. Ch. engchi. 10. i n U. v.

(18) 3. Static binary analysis This research adopted static approach to analyze the binaries of iOS apps, and the binaries of apps represent in digital (0 or 1), which are not comprehensive and difficult to analyze directly. So we took a further step to resolve the binaries into assembly files and perform our analysis on the assembly files of the mobile apps.. 立. 政治大. ‧. ‧ 國. 學. n. er. io. sit. y. Nat. al. Ch. engchi. i n U. v. Figure 3. Overview of AppBeach system.. The system overview of our system: AppBeach (abbrv. on App Behavior Architect) is as shown above. We first extract the apps from mobile devices, after that we decrypt the encrypted apps from Apple App Store, and use the tool IDA pro [19] to disassemble the app binaries, next we performed the distributed syntax analysis on Hadoop framework, after 11.

(19) obtaining the method calls of apps, we match these function calls, which are also the behaviors of apps, with the patterns of specific behaviors. Last we store these report in our database and make it available for users’ query. These steps will be introduced in the following sections. To analyze the app assembly, there are some pre-processes with challenges need to be done. The first is that the apps available on the Apple App Store are compiled and encrypted, under this condition, we cannot get the complete information we need without decrypting the apps.. 政治大. So the first challenge to overcome is to decrypt the binary of mobile apps.. 立. ‧ 國. 學. 3.1. Extract and decrypt binary. The developers of iOS market need to compile and submit the binary. ‧. (with .app file extensions) to the Apple App Store for publishing, so it is. Nat. sit. y. easier to get the app binary than the source code. To extract binaries of. n. al. er. io. iOS apps, there are some challenges due to the design and policy of iOS and its characteristic.. i n U. C. v. i sets a sandbox policy on Sandbox Policy of iOS. h e Apple n g c hInc. iOS system, which means one app can only access the resources under its own directory. This makes it impossible to access the app binary files by running the app with extracting purpose. Besides that, bunch of important features on iOS were forbidden by Apple, such as SSH. Under this circumstance, we cannot obtain the app binary files by directly accessing the iDevices’ directories. Situations mentioned above make it difficult to access the binary files of mobile applications within the device, theoretically, the binary can 12.

(20) only been accessed by its own execution. The solution we came up was quite straight-forward: we broke the sandbox through jailbreaking the devices, which makes us able to access the resources under any directories, including the apps from Apple App Store and those from Cydia (which are installed under different directories). Encryption of apps from Apple App Store. All applications published through Apple App Store are encrypted and signed by Apple Inc. and only binaries singed by Apple Inc. can be executed on an. 政治大 application binaries stored on the iOS device are also in encrypted form 立. unmodified iOS device (not root exploited, not jailbroken). Furthermore,. and are only decrypted (by the system loader) until execution [12]. In. ‧ 國. 學. other words, the obtained binaries of applications from Apple App Store. ‧. through sandbox breaking are encrypted and thus cannot be analyzed. sit. y. Nat. directly; therefore we need to decrypt the binary of apps form Apple App. io. er. Store. To achieve this, we have to execute the binary, allowing the system loader to perform the decryption, and then dump the section in the main. al. n. v i n memory which contains theCdecrypted of the binary. The steps in the h e n g cpart hi U decryption process are as follows:. 1. Find the program entry point and the encryption information within the binary. 2. Execute the binary in a debugger and dump the decrypted part. 3. Patch the original binary with the decrypted part. In step one, we need to find the program entry point and encryption information from the metadata of the binary (which is in Mach-O format) with iOS SDK. The entry point of program can be found by using the 13.

(21) shell tool “nm”. The encryption information can be found by looking up LC_SIGNATURE_INFO in the metadata with the shell tool “otool”. If the cryptid field in LC_SIGNATURE_INFO with the value “1”, the binary was decrypted; and the cryptoffset field indicates the size of the encrypted part in the binary, these fields and values are need in the later steps. In step two, the binary is executed in a debugger (gdb) on a jailbroken iOS device with breakpoint set at the program entry point we. 政治大 decrypted part from the main memory (with the encryption information 立 found in step one. Once the breakpoint is triggered, we can then dump the. from step 1).. ‧ 國. 學. In step three, we need a copy of the original binary and the. ‧. decrypted part from step two. We first set the cryptid field of the original. sit. y. Nat. binary to 0 and then replace the encrypted part with the decrypted part we. io. er. dumped in step two.. After performing these steps, we should have a decrypted binary.. n. al. Ch. engchi. 14. i n U. v.

(22) 政治大 An example of binary file of an iOS app. 立. 3.2. Dump assemble file of binary. 學. ‧ 國. Figure 4.. ‧. After the process above, we got the decrypted binary. The next step. Nat. sit. y. we need to get the assembly file of iOS mobile app. The binary of iOS. er. io. app is written in Objective-C [30, 22, 7], the programming language. n. a l and the app is compiled for developed by NeXT Inc., i v ARM processer. We. n U use the tool IDA pro to achieveethis n gprocess; c h i IDA pro is a disassembler. Ch. could be controlled by script. We run a script to dump the whole assembly of the mobile app resolved by IDA pro after we assign the corresponding CPU type and the binary type of the app. The example of the script and the content of the assembly file are as shown below:. 15.

(23) 政治大. 立. ‧ 國. 學 ‧. Figure 5. Sample code of dump assembly in IDA pro.. n. er. io. sit. y. Nat. al. Ch. Figure 6.. engchi. i n U. v. A Screenshot of IDA pro. 16.

(24) 立. 政治大. ‧. ‧ 國. 學. Figure 7.. A sample of extracted assemble file of iOS app.. sit. y. Nat. er. io. 3.3. Distributed computation on call sequences. n. a. v. i amount of mobile As mentioned in thel introduction, there arenhuge C. hengchi U. apps available on the official market or non-official market, over one million apps are available for download on the Apple App Store, and lot of apps release new version very frequently, under this circumstance, there are always abundant of mobile app need to be analyzed. This research adopted the static approach to analyze the behaviors of mobile apps, preventing the suspension of malicious actions by purpose or the behaviors triggered by hackers form backdoor on random time; because by analyzing the binary, as long as the performable malicious behaviors exist, the corresponding section of binary should be in the 17.

(25) executable, and static analysis exam the whole assemble file of mobile app, which solve the code coverage issue with dynamic approach. Since the sensitive behaviors in apps was been perform by executing a set of system function calls, and these function calls must be invoke in the right order to bring out the behaviors correctly, for instance, to upload user’s GPS location, apps must access the GPS locations before sending the GPS locations outward the devices, in other words, if the apps send GPS location before they obtain them, the information send will be null. 政治大 aspect of system calls, the behaviors we actually care about are the 立. or invalid value and the apps are fail to bring out the behavior. So in the. function calls invoked in the right sequence.. ‧ 國. 學. This work characterized mobile application behaviors by counting. ‧. the function call sequence of apps, in the practice on sequence of two. sit. y. Nat. functions, for every function call we found in the app executable, we find. io. of functions call sequence with two functions.. n. al. Ch. engchi. er. the next function call after it, and record these two function calls as a set. i n U. v. Since we take the assemble file of app as the input for our analysis, and these files are big text files, and the static approach scans the whole scope of the app assemble file, this makes our analysis very time consuming, under this circumstance, we need to come up with a solution to process the analysis efficiently. To efficiently bring out the analysis, this research use distributed algorithm and solve the problem on the abundant computing power requirement for performing static analysis on lots of applications. The 18.

(26) main idea of our analysis is calculating the method calls within the target mobile app. The analysis is implemented with Hadoop MapReduce [3], we specified the Mapper and the Reducer classed fitting the format of the assemble file we extracted and generating the collection of method calls of the app.. 立. 政治大. ‧. ‧ 國. 學 er. io. sit. y. Nat. n. a. v. i app Figure l8.C The call sequencesnof. hengchi U. We characterized mobile application behaviors by call sequences that are embedded in their executable. To effectively analyze abundant apps , we performed our analysis with distributed algorithm on Hadoop framework, first we sliced the app assemble file in pieces by routines, and the we feed these slices to the mapper we setup on the Hadoop environment separately, as shown in Figure 8: these mappers first read and tokenize every single line of the assemble file slice, then locate every call invocation within every assemble command we resolved before, next 19.

(27) the mapper combine these calls in sequence of the number we set, e.g., in pair or in triple, and send it to the Reducer we defined while done processing the whole slice, then the Reducer generated the total call sequences of every app by concluding the collection of every slice. After obtaining the call sequences of app, we can characterize the behavior of mobile apps by analyzing the content in the call sequences, as the example given in Figure 8 shows the call sequence of achieving access events, including accessing the date (in NSDate class), calendar (in. 政治大. NSCalendar class) and event (in EKevent class).. 立. ‧. ‧ 國. 學. n. er. io. sit. y. Nat. al. Ch. engchi. 20. i n U. v.

(28) 立. 政治大. ‧. ‧ 國. 學 er. io. sit. y. Nat. n. Figure 9. The adistributed algorithm for method counting.. iv l C n hengchi U. Figure 10. A part of the resolved system method calls in the app TWRailway. 21.

(29) 4. Malicious behavior detection After generating the method call collections of mobile apps, we start to exam the collection and determine the existence of malicious behaviors. In the following paragraph, we defined our categories of sensitive functions and give some comprehensive example, then we generate our malicious patterns through building the pairs of a malicious app and a benign app in the way where the only difference between them is only. 政治大. one specific inserted malicious behavior, which was composed by the. 立. sensitive functions we interested. By analyzing these self-developed pairs. ‧ 國. 學. of apps with proposed syntax analysis and comparing the difference in the result, we proposed and build the malignant patterns. We collect many. ‧. of them as the pattern library for the malicious apps detection.. n. er. io. a. sit. y. Nat. 4.1. Malicious behaviors. v. l C 2, there are many As mentioned in chapter n i types of malicious. hengchi U. behaviors; after looking into the functions composing the malicious behaviors, we classified them into the major categories: the first one is retrieving sensitive information, including the user information (e.g. Address book, Calendar) and device information (e.g. GPS Location, UDID), the other one is conveying information outward the mobile devices (e.g. transmit data via HTTP or FTP). For each purpose there are specific functions to fulfill, and we use the functions from built-in frameworks or famous public package to be our sampling bases, and our malicious (suspicious) pattern will be 22.

(30) composed by these specific functions (this will be covered in following sections), Table 2 shown below are some (NOT all) samples of malicious behaviors about accessing private information on the mobile devices; and their corresponding function calls.. 立. ‧ 國. 學. Table 2.. 政治大. A smple list of sensitive classes and functions on iOS devices.. ‧. For better comprehensive, here we give one example of malicious. n. al. er. io. sit. y. Nat. behavior of retrieving calendar schedule.. Ch. engchi. i n U. v. Figure 11. Example of retrieving future events in calendar on iOS. This segment in objective-C demonstrates a way to retrieve future events in user’s calendar. At first, we will get a copy of device built-in calendar through “defaultCalendarForNewEvents” in line 2. By 23.

(31) specifying a time interval in line 3 and 4, we could filter all future events in the format of a predicate in line 7. The other malignant category is conveying the private information outward the mobile device via network. The formal way of connecting to the internet is using the class “NSURLConnection”, it offers functions that send synchronous requests to specific URL we assigned. In addition, there are many open source projects developed by third-parties available on the internet. They wrapped around the low-level C language APIs in. 政治大. built-in frameworks and made some other aspect of communicating with web servers easier.. 立. A nice example for external framework is “ASIHTTPRequest”. It. ‧ 國. 學. handles the basics of the communication with the servers, including. ‧. downloading and uploading data, authentication, cookies and progress. sit. y. Nat. tracking. To ensure the communications between servers, it defines class. io. er. “Reachability” to detect the status of network availability in one application. Besides, it also provides data compressor and decompressor. al. n. v i n C will for transferring data, which be certainlyUuseful while dealing with hen gchi large data sets.. Another example is “WhiteRaccoon”, an FTP client side for iOS, based on “CFNetwork” framework in built-in library, functionalities of file downloading, uploading and deleting, and directories management are all included. It provides two ways to interact with FTP server: either a single request or a queue of several requests.. 24.

(32) 4.2. Characterize Malicious Behaviors on Counting Call Sequences To characterize the malicious behaviors into patterns, for each behavior we build applications that developed in pairs; each pair is consisted of one normal app and one abnormal (malicious) counterpart. We embedded one of certain malicious behaviors mentioned in the prior paragraph into the abnormal app, and leave the normal app identical to the abnormal one except the embedded malicious behavior.. 立. 政治大. ‧. ‧ 國. 學. n. er. io. sit. y. Nat. al. Ch. engchi. i n U. v. Figure 12. The process of building the malicious pattern library.. After compiling the source codes of these paired applications, we apply the presented binary analysis on their executables and characterize the difference as the malicious signature for the embedded behavior. We 25.

(33) build a pattern library with the collections of these malicious signatures and use them later to detect whether the target app includes the malicious behaviors. The process of building malicious pattern is as shown below in figure 10, and the sample of call sequences pattern to accessing event on triple function calls.. 政治大. Figure 13. Call sequences of triple class invocation on event accessing.. 立. ‧ 國. 學. Since we use the call sequences analysis we proposed to generate the. ‧. pattern of sensitive behaviors, under different given sampling condition,. sit. y. Nat. we generated different pattern for same behaviors, for example, we. io. er. conclude the call sequence for both of class invocation and method invocations, this will generate different patterns, on the other hand, the. n. al. C h also brings length of sampling sequence. engchi. iv n out U different. patterns. The. example shown in Table 3 gives the different pattern for the same behavior on accessing location.. 26.

(34) Table 3.. 政治大. Different pattern for accessing location on sampling variation(both considered the invocation on methods but classes). 立. ‧ 國. 學. After finishing all the pre-work need to be done, we analyzed the. ‧. mobile apps on unified market by generating their method call collection. sit. y. Nat. and comparing it with the malicious patterns in our pattern library. If the. n. a behavior. able to execute the malicious. er. io. app include the malicious behavior we recognized, the target app may be. iv l C n hengchi U. 4.3. Pattern inclusion To determine the existence of any malicious behavior in apps, we compared the assemblies with malicious patterns and calculate the coverage of malicious behavior, for every call sequence in the malicious pattern, we find the same sequence in the app and compute the coverage ratio, which represent the capability of app performing such behavior. Let p.s (p.c) denote the sequence (count) of a pair p. Let PA and Pm be two sets of pairs. The coverage ratio is defined as below: 27.

(35) 𝐶𝐶𝐶𝐶𝐶𝐶𝐶 𝑅𝑅𝑅𝑅𝑅 R. 𝑝′ . 𝑐 ≤ 1, 𝑒𝑒𝑒𝑒 𝑅𝑝 = 0 ∀ 𝑝 ∈ 𝑃𝑚 , 𝑖𝑖 𝑒𝑒𝑒𝑒𝑒𝑒 𝑝 ∈ 𝑃𝐴 , 𝑅𝑝 = 𝑝. 𝑐 ′. 𝑛. 1 𝑅 = � 𝑅𝑝𝑖 𝑛 𝑖=1. For every sequence within the pattern collection, if it was been called in the app we inspect, we divide the count number of this method. 政治大 pattern collection, if it was not been called, we set the value as zero, then 立. in the app behavior collection to the count for the same method in the. we calculate the average ratio to every sequence, after this we will obtain. ‧ 國. 學. a value from 0 to 1 presenting how much likely the app performing the. ‧. specific behavior, where 0 denotes the app shows no sign of performing. sit. y. Nat. the matching behavior in our examination and 1denotes the app have full. io. n. al. er. capacity to bring out the sensitive behavior we care about.. Ch. engchi. 28. i n U. v.

(36) 5. Implementation In the following section we will cover the detail architecture of our analysis system AppBeach, including the distributed algorithm on Hadoop environment and the malicious behavior detector. We implement our distributed analysis on the framework of Hadoop MapReduce; the Hadoop environment of this work is consisted of one Namenode and five Datanodes: Namenode is the instance responsible to. 政治大. control the distributed computing jobs on the Hadoop environment, which. 立. is not used either in distributed file system and MapReduce computing in. ‧ 國. 學. our build. And the Datanodes are the instances actually run the distributed computing jobs on the Hadoop Distributed File System (HDFS). ‧. composed by these instances. All the instances, including Namenode and. sit. y. Nat. Datanodes are the virtual machines on VMWare hypervisor ESXi, each. er. io. virtual machine is with 4 core CPU and 4GB RAM and 20GB HDD.. n. a resolved assembly file of vapps, we put all these After obtaining the. i l C n U input of the distributed files on the HDFS, and feedhthese e n gfiles c hasi the syntax analysis. Every function call in the app indicates its class name and method name, in our analysis we collect them separately to detect more behaviors within the apps. Furthermore, we consider the correlation between method sets or class sets, therefore, for both for class name and method name, we record the pairs of invocations consisted by every invocation and the invocation right after it, and collect the triple combination with the same logic, and we define these records as different sampling results. 29.

(37) After finishing the sampling steps, now we got six sampling result as the table below.. Combination 1-sequence. 2-sequence. 3-sequence. Class. C1. C2. C3. Method. M1. M2. M3. Target. Table 4.. The table of sampling.. 政治大. Defining the sampling type help us to recognize the better sampling. 立. type on some specific behavior, for instance, sampling with method is. ‧ 國. 學. more efficient than sampling with class on the behavior of access. ‧. io. sit. y. Nat. n. al. er. location.. Ch. engchi. 30. i n U. v.

(38) Result of C1. 立. 政治大. ‧. ‧ 國. 學. n. er. io. sit. y. Nat. al. Ch. engchi U. v ni. Result of C2. Result of C3. Figure 14. Different sampling result of the app “Twitter”. 31.

(39) In our system, we develop 18 apps for 9 specific target behaviors, and use these self-develop apps in pairs to generate the pattern for each behavior. Since the patterns in our system are processed by the binary analysis to generate the behavior collection, we need to generate different collection for different sampling type. For every behavior in our library, we build the corresponding pattern for each sampling we take, for instance, in our system we use six different sampling types and focus on thirteen different behaviors of app, therefore, we generate 6 patterns for. 政治大 As for the target apps we want to analysis, as the same as the 立. every single behavior and will total give 54 (6 x 9) patterns in sum.. approach with generating patterns, we need to generate the behavior. ‧ 國. 學. collections of every sampling type for each of them. We will generate. ‧. more than 8400 behavior collections for about 1400 apps with 6 sampling. sit. y. Nat. types. In the implementation, we store the behavior collections in key. io. er. value pairs consist of the class or method names and their count for every app, then compare these behavior collection with the pattern collection. n. al. we prepared from the. v i n C h library to determine pattern engchi U. the apps are with. suspicious behavior or not.. Considering the over specific problem on saying an app was matched to the sensitive behavior pattern if and only if all the methods in the pattern were found in the behavior collection of the app, and all the count numbers for these methods are larger than the ones in the pattern collection. We take another approach to evaluate how likely the apps perform the sensitive behavior we care by calculate the ratio of coverage of the sensitive behavior pattern. 32.

(40) 6. Evaluation We evaluate our system against over 1,500 of popular apps downloaded from Apple app store. At current phrase, we have examined and analyzed iOS applications along with 9 sensitive behaviors. For each behavior, we implement a pair of normal and abnormal apps that are identical except a needed routine to perform the malicious behavior is inserted.. 政治大. The patterns that we learned from the differences of their method. 立. call counts. FTP indicates building connection with the external machine. ‧ 國. 學. through ftp. Loc indicates to access your current location, and Loc2 updates GPS location continuously. Screen takes the screen shot of your. ‧. app. Internet represents the app assess the Internet. HTTP uses the. sit. y. Nat. ASIHTTP package. Both build Internet connections. REST indicates app. er. io. may perform the data transmission by REST-API, TCP indicates app may. n. a perform the TCP connections, and FB indicates vapp may connect to resources on Facebook.. i l C n hengchi U. These behaviors are commonly implemented in apps on their own purpose with (or without) user awareness. Our goal is to reveal whether apps have included these behaviors in their executable, but leave users to judge whether apps are malicious. These methods may be wrapped in various (third-party or user) functions in the source code. For example, using the ASIHTTPRequest framework to handle network interaction events, developers simply use "startAsychronous" 33.

(41) function and ASIHTTPRequest to deal with URL connection and input stream. Namely, only partial malicious fragments are known prior to analyzing the binaries and creating app pairs to identify fundamental system method calls are therefore needed in these cases. We have analyzed more than 1,400 of online apps against patterns that we have collected. The sing C1, C2, C3 indicates the matching result is based on sampling the call sequence in consider single to sequence of three class. 政治大 sequences. The subscript f and 0.5 denotes the matching ratio, where f 立 invocations, and the M1, M2, M3 indicates the sequence for Method call. means fully matched (100 percent) and 0.5 for greater than 50 percent. ‧ 國. 學. matched.. ‧. As the analysis result shown, the pattern with sequence is much. sit. y. Nat. more specific than only consider single function calls as the pattern, there. io. er. are lots total matched result for the pattern with single function but sequences, this might give too much false positive match for behaviors.. al. n. v i n However, on the otherChand, the patterns are generated by the U h e nsince i h gc. apps developed by ourselves, the pattern might be over specific due to the coding style of developer, which will affect the contents of complied. binary. But we strong believe that apps will have the function call sequences which are very similar with the pattern generated, for 1,400 apps to 9 sensitive behaviors, there are over 12,000 matches with the ratio over 50% for the analysis with sequences, which means the apps are highly like to perform these sensitive behaviors.. 34.

(42) Here we present the number of apps reported greater than 50 percent match on three-sequence analysis. Behavior name. App matched. Behavior name. App matched. Access location. 10. Connect Internet. 396. Access screenshot. 2. 4. Connect FTP. 18. REST API Uploading Location. Connect HTTP Table 5.. 5. 99 Result of match on three-sequence analysis. To verify the accuracy of our analysis, we actually download the. 治政 apps which are recognized with the behavior大 “uploading location” on 立 three-sequence match and exam whether such behavior was performed by ‧ 國. 學. the apps or not; and we found out an interesting result: there are five apps. ‧. our system reported with behavior “uploading location”, Christian Radio Locator is an app for finding the Christian Radio around user, Finding. y. Nat. er. io. sit. Churches is for finding churches around user, My Topo Maps by Trimble Outdoors provides the topo maps around traveler, it is clear these apps. n. a. iv. upload user location tol C provide such services, n on the other hand,. hengchi U. Nightstand Alarm Clock seem to be an alarm clock app but was reported by our system, so we try to verify this result, it turns out this app provide weather report functionalities, and give users the option of uploading current location. The screenshot of this app are as shown below in Figure 14. The last app we reported with uploading location was PIXNET Web Albums, this app is for uploading pictures within users’ mobile to the web album, we cannot find any functionalities with uploading location by 35.

(43) using this app normally; since other reported apps actually performed the functionalities of uploading location, it is highly likely the binary of app PIXNET Web Albums somehow performed this functionalities, and this is the case for further inspection such as control flow analysis.. 立. 政治大. ‧. ‧ 國. 學. n. er. io. sit. y. Nat. al. Ch. engchi. i n U. v. Figure 15. The screenshot of app “ Nightstand Alarm Clock”. 36.

(44) On the other hand, we are not able to confirm the false positive example in our experiment, it was because we can only tell such behaviors was embedded in the app executable but cannot report the situation of activation or execution time of the behavior, these are related to the user input or other parameter, and it takes runtime observation to collect these information, which is more like dynamic approach of app analysis. As the performance improvement on using Hadoop is as the table. 政治大 improve the execution speed of Hadoop system obviously. 立 Total task. 8418. 8418. Total faliure. 0. 1. Execution time. 10 h 4 m. 8h5m. y. 4 nodes. ‧. 3 nodes. Nat. Number of computenode. 學. ‧ 國. shown blow, given the same amount of tasks, adding computing node. 5 nodes 8418 3 4 h 16 m. n. al. er. io. sit. Table 6. The performance of execution on Hadoop. Ch. engchi. 37. i n U. v.

(45) 7. Conclusion Our system give the signal of potential sensitive behaviors of mobile apps, but there are lots of function is essential in the practice usage of mobile apps, so we just give the ratio of capacity of apps’ brining out behaviors but saying the apps are malicious or not, we leave the intention of app for users’ judgment. As the analysis result shows, the pattern with sequence is much more. 政治大. specific than only consider single function calls as the pattern, there are. 立. lots total matched result for the pattern with single function but sequences,. ‧ 國. 學. this might give too much false positive match for behaviors. However, on the other hand, since the patterns are generated by the. ‧. apps developed by ourselves, the pattern might be over specific due to the. sit. y. Nat. coding style of developer, which will affect the contents of complied. er. io. binary. But we strong believe that apps will have the function call. n. a similar with the patternv generated, for over sequences which are very. i l C n h e n gthere 1,400 apps to 9 sensitive behaviors, i Uover 12,000 matches with c h are the ratio over 50 percent for the analysis with sequences, which means the apps are highly like to perform these sensitive behaviors. This research proposed a new approach on analyzing mobile apps on iOS, the core analyzing part of our system is not OS-binding, so it can be performed to analyze the mobile apps on the other platform or operating system. However, the biggest challenge of this work is the precision of the pattern of sensitive function. Since every single difference within the 38.

(46) source code will affect the content of the compiled binary, it will affect the generated pattern we used to recognize the behavior, so the architecture of building the behavior pattern is worth to study in the future works.. 立. 政治大. ‧. ‧ 國. 學. n. er. io. sit. y. Nat. al. Ch. engchi. 39. i n U. v.

(47) References [1]. 55% of Social Networking Consumption Occurs on A Mobile Device. (2013, February 27). MarketingCharts. Retrieved March 6, 2014, from http://www.marketingcharts.com/wp/interactive/55-of-social-networki ng-consumption-occurs-on-a-mobile-device-27327/.. [2]. Android Market Terms of Service. (2012, February 16). Android Market Terms of Service. Retrieved March 6, 2014, from. 政治大. http://www.google.com/mobile/android/market-tos.html. [3]. 立. Apache Hadoop. (n.d.). Apache Hadoop. Retrieved March 6, 2014,. ‧ 國. [4]. 學. from http://hadoop.apache.org/. Apple - Apple Customer Privacy Policy. (2013, August 1). Apple -. ‧. Apple Customer Privacy Policy. Retrieved March 6, 2014, from. y. sit. n. al. er. Apple App Store. (2013, October 22). Wikipedia. Retrieved March 6,. io. [5]. Nat. http://www.apple.com/privacy/. 2014,. i n U. C. v. from. hengchi http://en.wikipedia.org/wiki/App_Store_(iOS)#cite_note-ios7-1. [6]. Apple Approves, Pulls Flashlight App with Hidden Tethering Mode. (2010,. July. 21).. Wired.. Retrieved. March. 7,. 2014,. from. http://www.wired.com/gadgetlab/2010/07/apple-approves-pulls-flashli ght%2dapp-with-hidden-tethering-mode/. [7]. Apple Developer. (n.d.). Xcode. Retrieved March 6, 2014, from http://developer.apple.com/xcode.. [8]. Apple Store. (2010, March 1). Apple Store. Retrieved March 6, 2014, from http://store.apple.com/Catalog/US/Images/ADC_terms.html 40.

(48) [9]. Babić, D., Reynaud, D., & Song, D. (2011, January). Malware analysis with tree automata inference. In Computer Aided Verification (pp. 116-131). Springer Berlin Heidelberg.. [10]. Cydia.. (n.d.).. Cydia.. Retrieved. March. 6,. 2014,. from. http://cydia.saurik.com/. [11]. Dean, J., & Ghemawat, S. (2008). MapReduce: simplified data processing on large clusters. Communications of the ACM, 51(1), 107-113.. 政治大 Detecting Privacy Leaks in iOS Applications. In NDSS. 立. [12]. Egele, M., Kruegel, C., Kirda, E., & Vigna, G. (2011, February). PiOS:. [13]. Enck, W. H. (2011). Analysis techniques for mobile operating system. ‧ 國. 學. security (Doctoral dissertation, The Pennsylvania State University). Enck, W. (2011). Defending users against smartphone apps:. ‧. [14]. io. Enck, W., Gilbert, P., Chun, B. G., Cox, L. P., Jung, J., McDaniel, P., &. al. v i n C hTaintDroid: An U Sheth, A. (2010, October). Information-Flow Tracking engchi n. [15]. er. 49-70). Springer Berlin Heidelberg.. sit. y. Nat. Techniques and future directions. In Information Systems Security (pp.. System for Realtime Privacy Monitoring on Smartphones. In OSDI (Vol. 10, pp. 1-6). [16]. Enck, W., Octeau, D., McDaniel, P., & Chaudhuri, S. (2011, August). A Study of Android Application Security. In USENIX Security Symposium.. [17]. Felt, A. P., Finifter, M., Chin, E., Hanna, S., & Wagner, D. (2011, October). A survey of mobile malware in the wild. In Proceedings of. 41.

(49) the 1st ACM workshop on Security and privacy in smartphones and mobile devices (pp. 3-14). ACM. [18]. Gilbert, P., Chun, B. G., Cox, L. P., & Jung, J. (2011, June). Vision: automated security validation of mobile apps at app markets. In Proceedings of the second international workshop on Mobile cloud computing and services (pp. 21-26). ACM.. [19]. IDA.. (n.d.).. IDA.. Retrieved. March. 6,. 2014,. from. https://www.hex-rays.com/products/ida/support/tutorials/index.shtml. [20]. 政治大 Forbes. Retrieved March 立. Jones, C. (2013, December 11). Apple's App Store About To Hit 1 Million. Apps.. 6,. 2014,. from. 學. ‧ 國. http://www.forbes.com/sites/chuckjones/2013/12/11/apples-app-store-a bout-to-hit-1-million-apps/.. List of countries by number of mobile phones in use. (2014, May 3). Retrieved. March. 6,. 2014,. from. sit. y. Nat. Wikipedia.. ‧. [21]. io. [22]. Mac Developer Retrieved. al. v i n Library.C(2013, 25). Mac U h e n gApril i h c n. _phones_in_use. er. http://en.wikipedia.org/wiki/List_of_countries_by_number_of_mobile. March. 6,. Developer Library.. 2014,. from. http://developer.apple.com/library/mac/#documentation/Cocoa/Concep tual/ProgrammingWithObjectiveC/Introduction/Introduction.html. [23]. Mann, C., & Starostin, A. (2012, March). A framework for static detection of privacy leaks in android applications. In Proceedings of the 27th Annual ACM Symposium on Applied Computing (pp. 1457-1462). ACM.. 42.

(50) [24]. Media Consumption Estimates: Mobile > PC; Digital > TV. (2013, August 5). MarketingCharts. Retrieved March 6, 2014, from http://www.marketingcharts.com/wp/television/media-consumption-est imates-mobile-pc-digital-tv-35626/. [25]. More Smartphones Were Shipped in Q1 2013 Than Feature Phones, An Industry First According to IDC - prUS24085413. (2013, April 25). More Smartphones Were Shipped in Q1 2013 Than Feature Phones, An Industry First According to IDC - prUS24085413. Retrieved March 6,. 政治大 http://www.idc.com/getdoc.jsp?containerId=prUS24085413. 立 2014,. NEWSBYTES.PH | Philippine smartphone adoption rate at 15%. (2013,. 學. ‧ 國. [26]. from. September 18). Infotek News InterAksyoncom. Retrieved March 6, from. ‧. 2014,. sit. y. Nat. http://www.interaksyon.com/infotech/newsbytes-ph-philippine-smartp. io. Newsroom. (2013, August 14). Gartner Says Smartphone Sales Grew. al. v i n 46.5 Percent in Second C Quarter and Exceeded Feature Phone U h e nofg2013 i h c n. [27]. er. hone-adoption-rate-at-15.. Sales. for. First. Time.. Retrieved. March. 6,. 2014,. from. http://www.gartner.com/newsroom/id/2573415. [28]. Newswire . (2013, December 16). Consumer Electronics Ownership Blasts. Off. in. 201.. Retrieved. March. 6,. 2014,. from. http://www.nielsen.com/us/en/newswire/2013/consumer-electronics-o wnership-blasts-off-in-2013.html. [29]. Newswire . (2013, June 6). Mobile Majority: U.S. Smartphone Ownership. Tops. 60%.. Retrieved 43. March. 6,. 2014,. from.

(51) http://www.nielsen.com/us/en/newswire/2013/mobile-majority--u-s--s martphone-ownership-tops-60-.html. [30]. Objective-C. (2014, May 3). Wikipedia. Retrieved March 6, 2014, from https://en.wikipedia.org/wiki/Objective-C.. [31]. PC Users Increasingly Turning to Smart Devices for Web Browsing, Facebook Access. (2013, February 11). MarketingCharts. Retrieved March. 6,. 2014,. from. http://www.marketingcharts.com/wp/interactive/pc-users-increasingly-t. 政治大 Monitoring on Smartphones. 立. urning-to-smart-devices-for-web-browsing-facebook-access-26881/. [32]. Realtime Privacy. (n.d.). TaintDroid:.. Retrieved March 6, 2014, from http://appanalysis.org/. ‧ 國. 學. [33]. Szydlowski, M., Egele, M., Kruegel, C., & Vigna, G. (2012).. ‧. Challenges for dynamic analysis of iOS applications. In Open. y. sit. Tablet Shipments Forecast to Top Total PC Shipments in the Fourth. io. er. [34]. Nat. Problems in Network Security (pp. 65-77). Springer Berlin Heidelberg.. Quarter of 2013 and Annually by 2015, According to IDC -. al. n. v i n Ch prUS24314413. (2013, September 11). Tablet Shipments engchi U. Forecast to. Top Total PC Shipments in the Fourth Quarter of 2013 and Annually by 2015, According to IDC - prUS24314413. Retrieved March 6, 2014, from http://www.idc.com/getdoc.jsp?containerId=prUS24314413. [35]. TERMS AND CONDITIONS. (2011, October 12). iTUNES STORE -. Retrieved. March. 6,. 2014,. from. http://www.apple.com/legal/itunes/us/terms.html#APPS. [36]. The Four-Year Anniversary of the Apple App Store. (2013, April 17). DISTIMO.. Retrieved. March 44. 7,. 2014,. from.

(52) http://www.distimo.com/publications/archive/Distimo%20Publication %20-%20July%202012.pdf. [37]. The NPD Group. (2013, February 7). 37 Percent of PC Users Migrate Activities to Mobile Devices. Retrieved March 6, 2014, from https://www.npd.com/wps/portal/npd/us/news/press-releases/37-percen t-of-pc-users-migrate-activities-to-mobile-devices-according-to-the-np d-group/.. [38]. Wetherall, D., Choffnes, D., Greenstein, B., Han, S., Hornyack, P.,. 政治大 mobile apps. In Proceedings of the 13th USENIX conference on Hot 立. Jung, J., ... & Wang, X. (2011, May). Privacy revelations for web and. topics in operating systems (pp. 21-21). USENIX Association.. ‧ 國. 學. Zhou, Y., Wang, Z., Zhou, W., & Jiang, X. (2012, February). Hey, you,. ‧. get off of my market: Detecting malicious apps in official and. sit. y. Nat. alternative android markets. In Proceedings of the 19th Annual Network and Distributed System Security Symposium (pp. 5-8).. io. n. al. er. [39]. Ch. engchi. 45. i n U. v.

(53)