
Title: Understanding iOS-based crowdturfing through hidden UI analysis
A new type of malicious crowdsourcing (a.k.a., crowdturfing) clients, mobile apps with hidden crowdturfing user interface (UI), is increasingly being utilized by miscreants to coordinate crowdturfing workers and publish mobile-based crowdturfing tasks (e.g., app ranking manipulation) even on the strictly controlled Apple App Store. These apps hide their crowdturfing content behind innocent-looking UIs to bypass app vetting and infiltrate the app store. To the best of our knowledge, little has been done so far to understand this new abusive service, in terms of its scope, impact and techniques, not to mention any effort to identify such stealthy crowdturfing apps on a large scale, particularly on the Apple platform. In this paper, we report the first measurement study on iOS apps with hidden crowdturfing UIs. Our findings bring to light the mobile-based crowdturfing ecosystem (e.g., app promotion for worker recruitment, campaign identification) and the underground developer's tricks (e.g., scheme, logic bomb) for evading app vetting.
Journal Name:
SEC'19: Proceedings of the 28th USENIX Conference on Security Symposium
Sponsoring Org:
National Science Foundation
More Like this
  1. Mobile applications (apps) have exploded in popularity, with billions of smartphone users using millions of apps available through markets such as the Google Play Store or the Apple App Store. While these apps have rich and useful functionality that is publicly exposed to end users, they also contain hidden behaviors that are not disclosed, such as backdoors and blacklists designed to block unwanted content. In this paper, we show that the input validation behavior---the way the mobile apps process and respond to data entered by users---can serve as a powerful tool for uncovering such hidden functionality. We therefore have developed a tool, InputScope, that automatically detects both the execution context of user input validation and also the content involved in the validation, to automatically expose the secrets of interest. We have tested InputScope with over 150,000 mobile apps, including popular apps from major app stores and pre-installed apps shipped with the phone, and found 12,706 mobile apps with backdoor secrets and 4,028 mobile apps containing blacklist secrets. 
  2. Background: Digital health is poised to transform health care and redefine personalized health. As Internet and mobile phone usage increases, as technology develops new ways to collect data, and as clinical guidelines change, all areas of medicine face new challenges and opportunities. Inflammatory bowel disease (IBD) is one of many chronic diseases that may benefit from these advances in digital health. This review intends to lay a foundation for clinicians and technologists to understand future directions and opportunities together. Objective: This review covers mobile health apps that have been used in IBD, how they have fit into a clinical care framework, and the challenges that clinicians and technologists face in approaching future opportunities. Methods: We searched PubMed, Scopus, and to identify mobile apps that have been studied and were published in the literature from January 1, 2010, to April 19, 2019. The search terms were (“mobile health” OR “eHealth” OR “digital health” OR “smart phone” OR “mobile app” OR “mobile applications” OR “mHealth” OR “smartphones”) AND (“IBD” OR “Inflammatory bowel disease” OR “Crohn's Disease” (CD) OR “Ulcerative Colitis” (UC) OR “UC” OR “CD”), followed by further analysis of citations from the results. We searched the Apple iTunes app store to identify a limited selection of commercial apps to include for discussion. Results: A total of 68 articles met the inclusion criteria. A total of 11 digital health apps were identified in the literature and 4 commercial apps were selected to be described in this review. While most apps have some educational component, the majority of apps focus on eliciting patient-reported outcomes related to disease activity, and a few are for treatment management. Significant benefits have been seen in trials relating to education, quality of life, quality of care, treatment adherence, and medication management. No studies have reported a negative impact on any of the above. There are mixed results in terms of effects on office visits and follow-up. Conclusions: While studies have shown that digital health can fit into, complement, and improve the standard clinical care of patients with IBD, there is a need for further validation and improvement, from both a clinical and patient perspective. Exploring new research methods, like microrandomized trials, may allow for more implementation of technology and rapid advancement of knowledge. New technologies that can objectively and seamlessly capture remote data, as well as complement the clinical shift from symptom-based to inflammation-based care, will help the clinical and health technology communities to understand the full potential of digital health in the care of IBD and other chronic illnesses.
  3. It has been demonstrated in numerous previous studies that Android and its underlying Linux operating system do not properly isolate mobile apps to prevent cross-app side-channel attacks. Cross-app information leakage enables malicious Android apps to infer sensitive user data (e.g., passwords) or private user information (e.g., identity or location) without requiring specific permissions. Nevertheless, no prior work has ever studied these side-channel attacks on iOS-based mobile devices. One reason is that iOS does not implement procfs, the most popular side-channel attack vector; hence the previously known attacks are not feasible. In this paper, we present the first study of OS-level side-channel attacks on iOS. Specifically, we identified several new side-channel attack vectors (i.e., iOS APIs that enable cross-app information leakage); developed machine learning frameworks (i.e., classification and pattern matching) that combine multiple attack vectors to improve the accuracy of the inference attacks; and demonstrated three categories of attacks that exploit these vectors and frameworks to exfiltrate sensitive user information. We have reported our findings to Apple and proposed mitigations to the attacks. Apple has incorporated some of our suggested countermeasures into iOS 11 and macOS High Sierra 10.13 and later versions.
  4. Cloud backends provide essential features to the mobile app ecosystem, such as content delivery, ad networks, analytics, and more. Unfortunately, app developers often disregard or have no control over prudent security practices when choosing or managing these services. Our preliminary study of the top 5,000 Google Play Store free apps identified 983 instances of N-day and 655 instances of 0-day vulnerabilities spanning the software layers (OS, software services, communication, and web apps) of cloud backends. The mobile apps using these cloud backends represent between 1M and 500M installs each and can potentially affect hundreds of thousands of users. Further, due to the widespread use of third-party SDKs, app developers are often unaware of the backends affecting their apps and where to report vulnerabilities. This paper presents SkyWalker, a pipeline to automatically vet the backends that mobile apps contact and provide actionable remediation. For an input APK, SkyWalker extracts an enumeration of backend URLs, uses remote vetting techniques to identify software vulnerabilities and responsible parties, and reports mitigation strategies to the app developer. Our findings suggest that developers and cloud providers do not have a clear understanding of responsibilities and liabilities with regard to mobile app backends, which leaves many vulnerabilities exposed.
  5. The prosperity of smartphone markets has raised new concerns about software security on mobile platforms, leading to a growing demand for effective software obfuscation techniques. Due to various differences between the mobile and desktop ecosystems, obfuscation faces both technical and non-technical challenges when applied to mobile software. Although quite a few software security solution providers have launched mobile app obfuscation services, it is still unclear how real-world mobile developers perform obfuscation as part of their software engineering practices. Our research takes a first step toward systematically studying the deployment of software obfuscation techniques in mobile software development. With the help of an automated but coarse-grained method, we computed the likelihood of an app being obfuscated for over a million app samples crawled from the Apple App Store. We then inspected the top 6600 instances and managed to identify 601 obfuscated versions of 539 iOS apps. By analyzing this sample set with extensive manual effort, we made various observations that reveal the status quo of mobile obfuscation in the real world, providing insights into understanding and improving the situation of software protection on mobile platforms.