Keynote Speech Topic: Mobile Platform and Application Security presented at ICINS 2014

by Jianying Zhou,

Summary : Smartphones become more and more popular. Android and iOS are two dominant mobile operating systems on the market. An interesting question is which one is more secure. We made a comparison by investigating applications that run on both Android and iOS and examining the difference in the usage of their security sensitive APIs (SS-APIs). We developed static analysis tools to perform massive static analysis for cross-platform applications on their SS-API usage. Our analysis showed that applications on iOS tend to use more SS-APIs compared to their counterparts on Android, and are more likely to access sensitive resources that may cause privacy breaches or security risks without being noticed.
We also proposed a generic attack vector that enables third-party applications to launch attacks on non-jailbroken iOS devices, and constructed multiple proof-of-concept attacks, such as cracking device PIN and taking snapshots without user's awareness. Our applications embedded with the attack codes passed Apple's vetting process and work as intended on non-jailbroken devices. Our proof-of-concept attacks have shown that Apple's vetting process and iOS sandbox have weaknesses which can be exploited by third-party applications. Our work helped Apple to fix the vulnerabilities when iOS 7 was released.