Featured Research

from universities, journals, and other organizations

Friendly app attacks detect vulnerabilities

Date:
December 4, 2013
Source:
The Agency for Science, Technology and Research (A*STAR)
Summary:
Hacking programs disguised as games are helping Apple to improve the security of devices operating on its iOS platform.

Hacking programs disguised as games are helping Apple to improve the security of devices operating on its iOS platform.

Software companies work hard to protect their customers' personal data from malicious applications, or 'apps', but even the most secure devices can be vulnerable. Skilled and independent computer scientists, such as Jin Han and co-workers at the A*STAR Institute for Infocomm Research and the Singapore Management University, can greatly assist companies by spotting security weaknesses before they are exploited.

Han and co-workers recently published a detailed comparison of the two very different security models used by the big players in mobile software, Apple's iOS platform and Google's Android1. Now, the researchers have developed subtle attack apps that test the secretive model of mobile security used in iOS2.

Apple's preferred security model is 'closed source'. This means that the company does not publish details of how apps are vetted before becoming available in their iTunes Store. Apple also refrains from publishing the internal code that decides whether apps can control phone functions such as contacts, calendars or cameras.

Despite this secrecy, the researchers were able to develop generic attack codes that enabled third-party control of iOS devices. They demonstrated seven different attack apps, disguised as games, that performed malicious actions including cracking the device's PIN, taking photographs and sending text messages without the user's awareness.

"We utilized private function calls to gain privileges that are not intended for third-party developers," explains Han. "Furthermore, we found a way to bypass Apple's vetting process so that our apps, embedded with proof-of-concept attacks, could be published on iTunes."

The attack apps worked on both iOS 5 and 6, although the team was careful to include secret triggers to protect any public users. The researchers have shared all of their findings with Apple and published recommendations on how the company should fix these vulnerabilities.

"Apple responded very quickly after we informed them about our findings, and before the release of the new iOS 7 platform," says Han. He expects that the company adopted countermeasures similar to those described in his team's paper, but cannot confirm this since iOS is closed source.

The ongoing debate over open- versus closed-source development will continue to rage among information technology specialists. Nevertheless, Han notes that their attack-app codes could, with some modifications, probably also bypass the permissions-based security model used in Android. "My personal opinion is that closed-source development is not good for security. A cryptosystem should be secure even if everything about the system, except the key, is public knowledge. I think the same principle applies to operating systems."

The A*STAR-affiliated researchers contributing to this research are from the Institute for Infocomm Research.


Story Source:

The above story is based on materials provided by The Agency for Science, Technology and Research (A*STAR). Note: Materials may be edited for content and length.


Journal Reference:

  1. Jin Han, Su Mon Kywe, Qiang Yan, Feng Bao, Robert Deng, Debin Gao, Yingjiu Li, Jianying Zhou. Launching Generic Attacks on iOS with Approved Third-Party Applications. Applied Cryptography and Network Security Lecture Notes in Computer Science, 2013 DOI: 10.1007/978-3-642-38980-1_17

Cite This Page:

The Agency for Science, Technology and Research (A*STAR). "Friendly app attacks detect vulnerabilities." ScienceDaily. ScienceDaily, 4 December 2013. <www.sciencedaily.com/releases/2013/12/131204090800.htm>.
The Agency for Science, Technology and Research (A*STAR). (2013, December 4). Friendly app attacks detect vulnerabilities. ScienceDaily. Retrieved August 2, 2014 from www.sciencedaily.com/releases/2013/12/131204090800.htm
The Agency for Science, Technology and Research (A*STAR). "Friendly app attacks detect vulnerabilities." ScienceDaily. www.sciencedaily.com/releases/2013/12/131204090800.htm (accessed August 2, 2014).

Share This




More Computers & Math News

Saturday, August 2, 2014

Featured Research

from universities, journals, and other organizations


Featured Videos

from AP, Reuters, AFP, and other news services

Google Mystery Barge Headed For The Scrap Yard

Google Mystery Barge Headed For The Scrap Yard

Newsy (Aug. 1, 2014) We may never know what was going on inside one of Google's mystery barges in Portland, Maine as it's now headed for the scrap yard. Video provided by Newsy
Powered by NewsLook.com
Escaping Email: Inspired Vision or Pipe Dream?

Escaping Email: Inspired Vision or Pipe Dream?

AP (Aug. 1, 2014) Dustin Moskovitz is plotting an escape from email, using his communications expertise in an attempt to change the way people connect at work, where the incessant drumbeat of email has become an excruciating annoyance. (Aug. 1) Video provided by AP
Powered by NewsLook.com
Google (Kind Of) Complies With 'Right To Be Forgotten Law'

Google (Kind Of) Complies With 'Right To Be Forgotten Law'

Newsy (July 31, 2014) Google says it is following Europe's new "Right To Be Forgotten Law," which eliminates user information upon request, but only to a certain degree. Video provided by Newsy
Powered by NewsLook.com
Tesla, Panasonic Ink Deal To Make Huge Battery 'Gigafactory'

Tesla, Panasonic Ink Deal To Make Huge Battery 'Gigafactory'

Newsy (July 31, 2014) The deal will help build a massive battery factory that Tesla says will produce 500,000 lithium batteries by 2020. Video provided by Newsy
Powered by NewsLook.com

Search ScienceDaily

Number of stories in archives: 140,361

Find with keyword(s):
Enter a keyword or phrase to search ScienceDaily for related topics and research stories.

Save/Print:
Share:

Breaking News:
from the past week

In Other News

... from NewsDaily.com

Science News

Health News

Environment News

Technology News



Save/Print:
Share:

Free Subscriptions


Get the latest science news with ScienceDaily's free email newsletters, updated daily and weekly. Or view hourly updated newsfeeds in your RSS reader:

Get Social & Mobile


Keep up to date with the latest news from ScienceDaily via social networks and mobile apps:

Have Feedback?


Tell us what you think of ScienceDaily -- we welcome both positive and negative comments. Have any problems using the site? Questions?
Mobile: iPhone Android Web
Follow: Facebook Twitter Google+
Subscribe: RSS Feeds Email Newsletters
Latest Headlines Health & Medicine Mind & Brain Space & Time Matter & Energy Computers & Math Plants & Animals Earth & Climate Fossils & Ruins