Automatic detection of incorrect SSL API usages for native iOS applications

Author: Tröger, Michael; Waidner, Michael; Rückriegel, Christian; Huber, Stephan
Type: Master Thesis
Abstract: Many mobile apps communicate with servers to provide their service. To protect user data, they often use a secure communication channel via Secure Sockets Layer (SSL) or Transport Layer Security (TLS). The server presents a certificate to prove its authenticity. The client must check the validity of that certificate correctly to prevent man-in-the-middle attacks, which would allow an adversary to eavesdrop on or manipulate the connection. Previous research has shown that many SSL/TLS libraries can be misconfigured by developers. This can happen when a developer implements a custom certificate check to realize certificate pinning and makes mistakes in the process. The developer might also misunderstand the Application Programming Interface (API) of the library and use it incorrectly, rendering the connection insecure. It is also possible that debugging code which disables the certificate check is accidentally left in the production build. Our assumption was therefore that vulnerable iOS apps exist and that an automated analysis could help to identify such vulnerabilities. Related work has found incorrect SSL/TLS usages in programs by automated analysis, but these approaches only work on C source code or on Java code. Apps for Apple's iOS are shipped in binary form; the source code is rarely accessible. This work presents a proof-of-concept analysis, ancafis, to statically detect incorrect usages of SSL/TLS libraries in native arm64 iOS binaries that effectively disable the certificate check. The analysis statically reads the binary and constructs a Program Dependency Graph (PDG) of the certificate checking functions. Signatures model correct or incorrect usages of different SSL/TLS libraries; they are executed on the resulting PDG to find vulnerabilities. The focus of this thesis is OpenSSL and Apple's NSURLConnection library. Various aspects of ancafis are tested. Example apps verify the correctness of the analysis. In a study, 69 real-world apps from the App Store that override the certificate check were analyzed with ancafis. It found 10 vulnerabilities in these apps, showing that it is possible to find incorrect usages of SSL/TLS libraries in native iOS apps.
Darmstadt, TU, Master Thesis, 2017
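The following is an added example, not code from the thesis or from ancafis, sketching the idea the abstract describes: a simplified per-function program dependency graph made of call nodes and data-dependence edges, and signatures for two of the misuse patterns named above (an OpenSSL verification mode or verify callback that disables the check, and an NSURLConnection delegate that builds a credential from serverTrust without ever evaluating it). The graph encoding, the sample graphs, the signature logic and the finding strings are all assumptions made for this illustration; a real analysis of arm64 binaries would also need control-dependence edges so that a credential counts as safe only when the result of SecTrustEvaluate gates its use.

```python
# Constructed illustration of signature matching over a program dependency
# graph (PDG). Not ancafis's code: the PDG shape, the sample graphs and the
# signatures are assumptions made for this example.
from dataclasses import dataclass, field

# Verification-mode values as defined in OpenSSL's ssl.h
SSL_VERIFY_NONE = 0x00
SSL_VERIFY_PEER = 0x01


@dataclass
class Call:
    """One call site, parameter or return recovered from the binary."""
    nid: int
    func: str
    args: tuple = ()          # statically known argument values; None = unknown


@dataclass
class PDG:
    """PDG of one function: nodes plus data-dependence edges (src -> dst)."""
    func: str
    nodes: dict = field(default_factory=dict)
    data: set = field(default_factory=set)

    def add(self, nid, func, *args):
        self.nodes[nid] = Call(nid, func, args)
        return nid

    def depends(self, src, dst):
        self.data.add((src, dst))

    def calls(self, func):
        return [n for n in self.nodes.values() if n.func == func]

    def reaches(self, src, dst):
        """True if some data-dependence path leads from src to dst."""
        seen, work = set(), [src]
        while work:
            n = work.pop()
            if n == dst:
                return True
            if n in seen:
                continue
            seen.add(n)
            work.extend(d for (s, d) in self.data if s == n)
        return False


def sig_openssl_verify_none(pdg):
    """SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, ...) turns peer verification off."""
    return [f"{pdg.func}: node {c.nid} sets SSL_VERIFY_NONE"
            for c in pdg.calls("SSL_CTX_set_verify")
            if len(c.args) > 1 and c.args[1] == SSL_VERIFY_NONE]


def sig_openssl_callback_ignores_result(pdg):
    """Simplified: a verify callback that returns the constant 1 with no data
    flow from preverify_ok accepts chains OpenSSL already rejected."""
    params = [n for n in pdg.calls("param") if n.args == ("preverify_ok",)]
    return [f"{pdg.func}: return at node {r.nid} ignores preverify_ok"
            for r in pdg.calls("ret")
            if r.args == (1,) and not any(pdg.reaches(p.nid, r.nid) for p in params)]


def sig_nsurl_trust_unevaluated(pdg):
    """credentialForTrust: on a serverTrust that never flowed into
    SecTrustEvaluate / SecTrustEvaluateWithError accepts the chain unchecked."""
    evals = pdg.calls("SecTrustEvaluate") + pdg.calls("SecTrustEvaluateWithError")
    out = []
    for cred in pdg.calls("credentialForTrust:"):
        trust_srcs = [s for (s, d) in pdg.data if d == cred.nid]
        if not any(pdg.reaches(s, e.nid) for s in trust_srcs for e in evals):
            out.append(f"{pdg.func}: node {cred.nid} trusts serverTrust without evaluation")
    return out


SIGNATURES = [sig_openssl_verify_none, sig_openssl_callback_ignores_result,
              sig_nsurl_trust_unevaluated]


def analyze(pdg):
    """Run every signature over one function's PDG and collect findings."""
    return [f for sig in SIGNATURES for f in sig(pdg)]


# Constructed sample graphs (hypothetical function names) for each pattern.
def sample_openssl_disabled():
    g = PDG("init_tls_insecure")
    ctx = g.add(1, "SSL_CTX_new", None)
    g.add(2, "SSL_CTX_set_verify", None, SSL_VERIFY_NONE, None)
    g.depends(ctx, 2)
    return g


def sample_openssl_ok():
    g = PDG("init_tls")
    ctx = g.add(1, "SSL_CTX_new", None)
    g.add(2, "SSL_CTX_set_verify", None, SSL_VERIFY_PEER, None)
    g.depends(ctx, 2)
    return g


def sample_callback_always_ok():
    g = PDG("verify_cb_debug")
    g.add(1, "param", "preverify_ok")
    g.add(2, "ret", 1)            # 'return 1;' with no edge from the parameter
    return g


def sample_callback_ok():
    g = PDG("verify_cb")
    p = g.add(1, "param", "preverify_ok")
    g.add(2, "ret", None)         # 'return preverify_ok;' (value unknown statically)
    g.depends(p, 2)
    return g


def sample_nsurl(evaluated):
    g = PDG("-[Delegate connection:willSendRequestForAuthenticationChallenge:]")
    trust = g.add(1, "serverTrust")
    if evaluated:
        g.depends(trust, g.add(2, "SecTrustEvaluate"))
    cred = g.add(3, "credentialForTrust:")
    g.depends(trust, cred)
    g.depends(cred, g.add(4, "useCredential:forAuthenticationChallenge:"))
    return g


if __name__ == "__main__":
    for g in (sample_openssl_disabled(), sample_openssl_ok(), sample_callback_always_ok(),
              sample_callback_ok(), sample_nsurl(False), sample_nsurl(True)):
        print(g.func, "->", analyze(g) or "no findings")
```

Each signature is deliberately local to one function's PDG, which mirrors the abstract's description of building the graph only for certificate checking functions; inter-procedural flows (a trust object evaluated in a helper) would need the graphs joined along call edges before the same signatures apply.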