Title

AppBeach: A Static Behavior Checker for iOS Mobile Applications

Authors

Fang Yu;Steven Tai;Tang-Wei Shao;Wei-Ren Wang

Keywords

Journal title

資訊安全通訊

Volume and issue / publication date

Vol. 21, No. 2 (2015 / 04 / 01)

Pages

41 - 51

Content language

English

English abstract

AppBeach, which stands for App Behavior Checker, is a new service that reconstructs and reports the behaviors of iOS mobile applications, using static binary analysis to reveal the functions embedded within their executables. AppBeach adopts a distributed algorithm for call sequence counting on the Hadoop framework, achieving scalable static syntax analysis of the executables of modern apps. The main idea is to syntactically count the call sequences embedded in an iOS executable. This is done by distributing routines to mappers with the assembly tool that resolves explicit and implicit system method calls embedded in the iOS executables. The reducer then collects the counts from the mappers to characterize the behaviors of apps. We learn patterns of malicious behaviors from the differences between pairs of normal and malicious apps, and report the probability of potential behaviors of commercial apps by matching these patterns against their call sequence counts.

Subject classification: Basic and Applied Sciences > Information Science