Speaker: Jianying Zhou, Research Scientist
Institute for Infocomm Research (I2R), Singapore
Title: Mobile Platform and Application Security
Time: 15:30, Friday, 29 November 2013
Venue: Room 603, Chenggong Building, Cangshan Campus
Organizer: School of Mathematics and Computer Science,
Fujian Provincial Key Laboratory of Network Security and Cryptology
Intended audience: faculty members and graduate students of the School of Mathematics and Computer Science
Abstract:
Smartphones are becoming more and more popular, and Android and iOS are the two dominant mobile operating systems on the market. An interesting question is which one is more secure. We made a comparison by investigating applications that run on both Android and iOS and examining the differences in their usage of security-sensitive APIs (SS-APIs). We developed static analysis tools to perform large-scale static analysis of cross-platform applications' SS-API usage. Our analysis showed that applications on iOS tend to use more SS-APIs than their counterparts on Android, and are more likely to access sensitive resources that may cause privacy breaches or security risks without being noticed.
We also proposed a generic attack vector that enables third-party applications to launch attacks on non-jailbroken iOS devices, and constructed multiple proof-of-concept attacks, such as cracking the device PIN and taking snapshots without the user's awareness. Our applications embedded with the attack code passed Apple's vetting process and worked as intended on non-jailbroken devices. Our proof-of-concept attacks showed that Apple's vetting process and the iOS sandbox have weaknesses that can be exploited by third-party applications. Our work helped Apple fix these vulnerabilities in the latest release, iOS 7.
About the speaker: