Alibaba Innovative Research (AIR), Data Security and Privacy Protection
Security-oriented automatic data flow analysis of iOS App binaries

Research Themes

Data Security and Privacy Protection

Background

Nowadays, iOS Apps collect a great deal of device information. The whole procedure of collecting, manipulating, storing and transferring this sensitive data in an App is closely tied to regulatory requirements on users' privacy. As a result, it is necessary to understand how sensitive data flows through Apps. For this purpose, automatic data flow analysis is able to identify potential sensitive data leakage.

Meanwhile, iOS Apps expose many interfaces, e.g. URL schemes, WebView, Universal Links, sockets, etc., to interact with users and other Apps. Upon accepting external parameters through these interfaces, it is important for Apps to perform security validation on the parameters to prevent hazards such as SQL injection and command injection caused by inadequate checks. Automatic data flow analysis is able to track the processing of parameters and check whether they are validated or filtered, which helps reduce the security risks in the exposed external interfaces ahead of time.

However, for iOS Apps there is a serious lack of automatic data flow analysis tools in both academic research and industrial engineering. As a result, it is urgent to propose and develop a suitable tool to perform data flow analysis on iOS Apps, in order to solve these privacy and security problems.

Target

This project focuses on taint tracking, a particular kind of data flow analysis technique, on iOS App binaries.

Taint tracking is an information flow analysis technique in which analysts set two kinds of program execution points, namely sources and sinks, together with a propagation policy for data transfer. Taint tracking is able to identify data generated at the source points, follow the propagation of that data, and check whether tracked data reaches the sink points.

With taint tracking, we are able to analyze data transfer in iOS Apps to identify privacy or security problems. For example, in privacy analysis, we can set the invocation of APIs that collect sensitive data as sources, and the invocation of APIs that send network packets as sinks. With such sources and sinks, we can check for potential sensitive information leakage. On the other hand, in security analysis, we can set the entry points of external interfaces as sources, and SQL/command execution as sinks. Then, we can check whether the App may directly use external inputs in high-risk SQL/command execution without proper sanitizing.

 

In developing taint tracking for iOS Apps, the most difficult problem to handle is the special semantics of Objective-C and Swift, the languages iOS Apps are written in. In particular, these semantics create the following obstacles:

1.    Objective-C and Swift programs use a special msgSend call mechanism for method invocation in their object-oriented programming. Resolving such a call requires identifying both the name of the method (the selector) and the type of the object it is sent to.

2.    Objective-C and Swift allow functions to be called asynchronously. Such asynchronous calls require resolving both the call targets and the parameters passed to them.

3.    Objective-C and Swift are object-oriented programming languages. For such languages, information flow analysis like taint tracking has to handle data transmission between objects with field-sensitive granularity to ensure its precision. Such granularity requires the propagation policy to carefully handle issues like loads/stores in objects' memory areas and calls to objects' setter/getter methods.

4.    Even after taint tracking for iOS Apps is developed, it is still necessary to solve the issues of applying such a technique to analyzing Apps' privacy and security problems, e.g., how to set source/sink points, and how to examine whether security/privacy checks exist along taint propagation paths.
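To make the source/sink/propagation-policy model and the obstacles above concrete, here is an added toy taint tracker (constructed for this page, not the project's tool) that walks a tiny hand-written IR of resolved msgSend calls, field-sensitive ivar accesses and one async block; the sources and sinks follow the privacy setting described above, and the MyValidator checkInput: sanitizer is an assumed app-defined check.

```python
# Toy taint tracker over a hand-written IR (constructed for this example);
# MyValidator checkInput: is a hypothetical app-side validation routine.
SOURCES = {("CLLocationManager", "location")}          # collects sensitive data
SINKS = {("NSURLSession", "dataTaskWithRequest:")}     # sends network packets
SANITIZERS = {("MyValidator", "checkInput:")}           # assumed validation API
def track(ir, tainted=None, fields=None, findings=None):
    """Walk IR tuples; return [(tainted_arg, sink_key)] for taint reaching sinks.
    ("msgSend", dst, recv_type, recv, selector, [args])  a resolved msgSend call
    ("store", obj, field, val) / ("load", dst, obj, field)  ivar or setter/getter
    ("async", [body])  dispatch_async whose block body has already been resolved"""
    tainted = set() if tainted is None else tainted    # variables holding taint
    fields = {} if fields is None else fields          # (obj, field) -> bool
    findings = [] if findings is None else findings
    for inst in ir:
        if inst[0] == "msgSend":
            _, dst, recv_type, recv, sel, args = inst
            key = (recv_type, sel)       # both receiver type and selector needed
            if key in SOURCES:
                tainted.add(dst)
            elif key in SINKS:
                findings.extend((a, key) for a in args if a in tainted)
            elif key in SANITIZERS:
                tainted.discard(dst)     # validated value is treated as clean
            elif recv in tainted or any(a in tainted for a in args):
                tainted.add(dst)         # default policy: recv/args -> result
            else:
                tainted.discard(dst)
        elif inst[0] == "store":
            _, obj, field, val = inst
            fields[(obj, field)] = val in tainted     # per field, not per object
        elif inst[0] == "load":
            _, dst, obj, field = inst
            if fields.get((obj, field)): tainted.add(dst)
            else: tainted.discard(dst)
        elif inst[0] == "async":
            track(inst[1], tainted, fields, findings)  # block sees captured state
    return findings
# Constructed program: the location lands in user.loc, user.name stays clean,
# and a background block uploads each field separately.
PROGRAM = [
    ("msgSend", "loc", "CLLocationManager", "mgr", "location", []),
    ("store", "user", "loc", "loc"),
    ("store", "user", "name", "name"),
    ("async", [
        ("load", "body", "user", "loc"),
        ("load", "nm", "user", "name"),
        ("msgSend", "t1", "NSURLSession", "s", "dataTaskWithRequest:", ["body"]),
        ("msgSend", "t2", "NSURLSession", "s", "dataTaskWithRequest:", ["nm"]),
    ]),
]
```

Running track(PROGRAM) reports only the upload of the location field, not of user.name, which is what field-sensitive propagation buys over tainting the whole object.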

Specifically, this project aims at solving the above obstacles and achieving at least the following goals. The experiments will be conducted on 100 Apps of Alibaba Group and at least the top 1000 Apps from the App Store.

1)    Resolve the targets of over 95% of msgSend indirect calls, including both the object types and method names at these call sites.

2)    Resolve the targets of over 85% of asynchronous calls, including the functions being called and the arguments/variables passed in.

3)    Given at least 100 manually confirmed information flow cases, over 80% of the cases can be successfully identified with taint tracking.

4)    Given APIs that collect sensitive information like location/unique identifiers/contacts and APIs that load/store/transfer data, reports of how Apps are using the collected data can be generated.

5)    At least 1 kind of security hazard, e.g. SQL injection/code injection caused by insufficient parameter checking, can be identified.

Related Research Topics

Program analysis of iOS Apps to find security/privacy problems has been studied in academic papers for several years. PiOS [1] is the first publicly known paper that tries to resolve msgSend indirect calls in iOS Apps. Based on a similar approach, [2] examines unauthorized cross-app resource access problems in macOS/iOS apps. [3] tries to find potentially harmful libraries on Android and iOS with a cross-platform analysis. IRIS [4] aims at detecting private API abuse with both static and dynamic analysis. iService [5] proposes an approach to detect confused deputies in AppleOS system services. Most of these related works analyze only the control flow or a partial data flow of iOS Apps. Little attention has been paid to advanced data flow analysis like taint tracking on iOS Apps.

[1] Egele, M., Kruegel, C., Kirda, E., & Vigna, G. (2011, February). PiOS: Detecting Privacy Leaks in iOS Applications. In NDSS (pp. 177-183).

[2] Xing, L., Bai, X., Li, T., Wang, X., Chen, K., Liao, X., ... & Han, X. (2015, October). Cracking App Isolation on Apple: Unauthorized Cross-App Resource Access on Mac OS X and iOS. In Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security (pp. 31-43).

[3] Chen, K., Wang, X., Chen, Y., Wang, P., Lee, Y., Wang, X., ... & Zou, W. (2016, May). Following Devil's Footprints: Cross-Platform Analysis of Potentially Harmful Libraries on Android and iOS. In 2016 IEEE Symposium on Security and Privacy (SP) (pp. 357-376). IEEE.

[4] Deng, Z., Saltaformaggio, B., Zhang, X., & Xu, D. (2015, October). IRIS: Vetting Private API Abuse in iOS Applications. In Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security (pp. 44-56).

[5] Wang, Y., Hu, Y., Xiao, X., & Gu, D. (2022, December). iService: Detecting and Evaluating the Impact of Confused Deputy Problem in AppleOS. In Annual Computer Security Applications Conference (pp. 964-977).
