使用字串分析揭露iOS執行檔之動態載入類別 / Uncovering dynamically loaded classes of iOS executables with static string analysis

林君翰, Lin, Jun Han

Unknown Date

當今已有數以百萬計的行動應用程序在 Apple 的 App Store 中發布，並在iOS設備下載量超過150億次。為了保護iOS用戶免於惡意應用程式的傷害，Apple 對於上架之App 有相對嚴格的審查政策。通過審查的App才能在App Store中發布。在本文中，我們提出基於 iOS可執行檔的靜態字串分析技術用於檢驗App可能動態載入之類別 。為了檢查動態載入之類別是否符合Apple之規範，必須要能確定動態加載函數之可能字串參數值 。我們方法的第一步是使用現有工具擷取 iOS可執行檔的組合語言。然後自組合語言中建立整個程式的控制流程圖（CFGs） 。接著，在控制流程圖上識別動態加載類別的函數，並且對於該函數的每個參數，我們構造一個字串相依圖，用以顯示流向字串參數值的所有構成成分以及構成方式 。最後，我們對這些可能流向參數的字串進行字串分析，以確定這些參數值所有的可能值集合。透過把這些可能值與特徵值（從Apple 審查政策建構而來，例如私有/敏感性API），我們能夠檢測到App 潛在違背Apple政策之情形。我們分析了1300多種目前上架於App Store的App，並檢查他們是否違反蘋果關於使用私有API的政策以及 廣告識別碼（IDFA）政策。我們的工具提取了超過37000 這些App的字符相依圖，分析結果顯示208個App透過字串操作構組合出對應的API名稱並且有潛在的IDFA違規濫用之可能。我們的分析還發現了372個可以使用字串構建私有類名稱的應用程序和236個可以使用路徑字符串加載私有框架的App，這些App可能違反Apple 禁止使用私有API使用政策。 / Millions of mobile apps have been published in Apple's AppStore with more than 15 billion downloads by iOS devices. In order to protect iOS users from malicious apps, Apple has strict policies which are used to eliminate apps before they can be published in the AppStore. In this paper we present a string analysis technique for iOS executables for statically checking policies that are related to dynamically loaded classes. In order to check that an app conforms to such a policy, it is necessary to determine the possible string values for the class name parameters of the functions that dynamically load classes. The first step of our approach is to construct the assembly for iOS executables using existing tools. We then extract flow information from the assembly code and construct control flow graphs (CFGs) of functions. We identify functions that dynamically load classes, and for each parameter that corresponds to a dynamically loaded class, we construct a dependency graph that shows the set of values that flow to that parameter. Finally, we conduct string analysis on these dependency graphs to determine all potential string values that these parameters can take, which identifies the set of dynamically loaded classes. Taking the intersection of these values with patterns that characterize Apple's app policies (such as private/sensitive APIs), we are able to detect potential policy violations. We analyzed more than 1300 popular apps from Apple's AppStore and checked them against Apple's policy about the use of private APIs and the identifier for Advertising (IDFA). Our tool extracted more than 37000 string dependency graphs from these applications and our analysis reported 208 apps that compose the corresponding API with strings and have potential IDFA violations. Our analysis also found 372 apps that could have compose the private class name with string and 236 apps that could have load the private framework with path string; and could violate the private API usage policy.

字串分析

行動應用程式

動態載入類別

String analysis

Mobile App

Dynamically loaded classes

行動應用程式的函式行為分析 / Distributed Call Sequence Counting on iOS Executable

戴睿宸, Tai, Ruei Chen

Unknown Date

本研究利用字串分析之方式對行動應用程式之執行檔進行靜態分析，進以偵測行動應用程式之行為。 本研究計算行動應用程式所呼叫特定系統函式之序列，進一步比對特定可疑行為模式並判定行動應用程式是否包含其可疑行為，由於進行此研究需要考慮行動應用程式執行檔中每一個系統函式的呼叫，因此增加了大量的計算複雜度，故需要大量的運算資源來進行，為了提高運算的效率，本研究採用了Hadoop 作為分散式運算的平台來達成可延展的分析系統，進以達成分析大量行動應用程式的目的，透過建立特定的行為模式庫，本研究已分析了上千個現實使用的行動應用程式，並提供其含有潛在可疑行為的分析報告。 / This work presents a syntax analysis on the executable files of iOS apps to characterize and detect suspicious behaviors performed by the apps. The main idea is counting the appearances of call sequences in the apps which are resolved via reassembling the executable binaries. Since counting the call sequences of the app needs to consider different combinations of every function calls in the app, which significantly increases the complexity of the computing, it takes abundant computing power to bring out our analysis on massive apps on the market, to improve the performance and the effectiveness of our analysis, this work adopted a distributed computing algorithm via Hadoop framework achieving a scalable static syntax analysis which is able to process huge amount of modern apps. We learn the malicious behaviors pattern through comparing the pairs of normal and abnormal app which are identical except on certain behaviors we inserted. By matching the patterns with the call sequences we collected from the public apps, we characterized the behaviors of apps and report the suspicious behaviors carried potential security threats in the apps.

呼叫序列

行動應用程式安全

字串分析

分散式運算

call sequence

mobile app security

syntax analysis

distributed computing