With the introduction of Apple’s iOS and Google’s Android operating systems, the sales of smartphones have exploded. These smartphones have become powerful devices that are basically miniature versions of personal computers. However, the growing popularity and sophistication of smartphones have also increased concerns about the privacy of users who operate these devices. These concerns have been exacerbated by the fact that it has become increasingly easy for users to install and execute third-party applications. To protect its users from malicious applications, Apple has introduced a vetting process. This vetting process should ensure that all applications conform to Apple’s (privacy) rules before they can be offered via the App Store. Unfortunately, this vetting process is not welldocumented, and there have been cases where malicious applications had to be removed from the App Store after user complaints.
With the introduction of Apple's iOS and Google's Android
operating systems, the sales of smartphones have exploded.
These smartphones have become powerful devices
that are basically miniature versions of personal computers.
However, the growing popularity and sophistication of
smartphones have also increased concerns about the privacy
of users who operate these devices. These concerns
have been exacerbated by the fact that it has become increasingly
easy for users to install and execute third-party
applications. To protect its users from malicious applications,
Apple has introduced a vetting process. This vetting
process should ensure that all applications conform to
Apple's (privacy) rules before they can be offered via the
App Store. Unfortunately, this vetting process is not welldocumented,
and there have been cases where malicious
applications had to be removed from the App Store after
user complaints.
In this paper, we study the privacy threats that applications,
written for Apple's iOS, pose to users. To this end,
we present a novel approach and a tool, PiOS, that allow
us to analyze programs for possible leaks of sensitive information
from a mobile device to third parties. PiOS uses
static analysis to detect data flows in Mach-0 binaries, compiled
from Objective-C code. This is a challenging task due
to the way in which Objective-C method calls are implemented.
We have analyzed more than 1,400 iPhone applications.
Our experiments show that, with the exception of a
few bad apples, most applications respect personal identifiable
information stored on user's devices. This is even true
for applications that are hosted on an unofficial repository
(Cydia) and that only run on jailbroken phones. However,
we found that more than half of the applications surreptitiously
leak the unique ID of the device they are running on.
This allows third-parties to create detailed profiles of users'
application preferences and usage patterns