2015 Mobile Security vulnerability Annual Report--Ali Poly Security

Reprint: http://jaq.alibaba.com/community/art/show?articleid=194

2015 Mobile Security Vulnerability Annual Report

Chapter 2015 Application Vulnerabilities1.1. Open application vulnerability types and distributions in the industry

2015 is an extraordinary year, all sectors of the media to the mobile application of the vulnerability concern is also more and more high, the emergence of loopholes not only bring user equipment and information security impact, but also to enterprises to bring business or reputation loss.

Ali Poly Security Weekly to 50 well-known security companies, media, vulnerability platform of the situation analysis, domestic and foreign mobile security incidents and information concerns are still around the operating system and mobile applications of the technical risks, in which the domestic more attention to the vulnerability of mobile applications risk. The following data conclusions come from the safety of Ali gather security to the industry risk situation statistics.

1. Industry Distribution

According to the disclosure of vulnerability data statistics, the proportion of the industry that the vulnerability is generated is similar to the proportion installed in the user equipment, the Application tool class has the highest percentage of vulnerabilities, up to 54%; Game application vulnerability accounted for the lowest, 2%, because most of the users of the mobile phone installed less game applications, and game application update iteration speed fast , the vulnerability is not easy to dig deep.

Figure 1 The industry distribution of public vulnerabilities in 2015

2. Vulnerability Type

A mobile app is a bridge between connecting users and businesses, interacting directly with users in smart devices, and transmitting business requests to back-end servers through a communications link. Security researchers from mobile applications for the portal, the application for vulnerability mining and business security analysis, the data show that most of the high-risk vulnerabilities in the service-side link.

Of the vulnerability data disclosed in 2015, 71% of the vulnerabilities were focused on mobile business gateways, server-side, and attackers analyzed mobile applications as portals, and vulnerability generation and repair needed to be done on the server side. At this stage, a large number of business from the traditional PC to mobile, running business logic on the server is a more secure and low-cost implementation, but also confirms the above data. However, because the business logic is processed on the server side, if the client does not make strong and effective security check, the client is easily exploited by hackers to exploit the business risk vulnerability of the server. Alibaba secure security components provide mobile application access to the network's signature, encryption, can be from the attack behavior to avoid hackers to tamper with the packet, mining service side of the vulnerability.

The mobile app itself causes a total of 25% vulnerabilities, with a denial of service vulnerability applied that accounts for One-fourth of client vulnerabilities. From the vulnerability details, the Code execution vulnerability is more interpreted than last year's single WebView Remote command execution, as the instructions reserved in the code are executed. A logical class of vulnerabilities, such as the above, often requires consideration of the risk of being bypassed and attacked in a particular business scenario. Incorporating security processes into the software development lifecycle is the best way to circumvent such vulnerabilities. Security Review ensures that business logic is not bypassed, the accuracy and security of user data flow is ensured before the code implements the functionality.

Figure 2 2015 Application Vulnerability type distribution

1.2. Mobile Application Vulnerability Analysis

To analyze the vulnerability of various industries in mobile applications, we downloaded a total of 180 Top10 applications from 18 industries in the third-party application market, using the Ali-security vulnerability scanning engine to scan this batch of samples for vulnerability. Of the 18 industry TOP10 applications, 97% of the applications are vulnerable, with a total of 15,159 vulnerabilities, an average of 87 vulnerabilities per application, and 23% of TOP10 applications with high-risk vulnerabilities.

1 , 18 Industry TOP10 application Vulnerabilities

WebView Remote code execution vulnerabilities accounted for the highest, up to 21%,webview Remote code execution vulnerability caused by the main reason is to call the WebView Addjavascriptinterface method, the security risk of the method only in the Android API Version 17 and later will be fixed by Google. As the model of the following API 17 in the market still accounted for 20%, so many developers for compatibility also set the minimum version of Android app support under API 17, resulting in the volume of the vulnerability has not dropped.

Figure 3 Number of vulnerabilities applied by industry TOP10

Industry TOP10 android Application of 15,159 risk vulnerabilities, 23% is a high-risk vulnerability, 64% is a medium-critical vulnerability, low-risk vulnerability accounted for only 13%.

Figure 4 Risk distribution of TOP10 android application vulnerability

Of all the vulnerabilities in 26% is to reach the security red line, the vulnerability of the red line is vulnerable to exploitation by attackers, Ali Poly security developers to repair as soon as possible to avoid affecting the mobile

Security of the business.

High-risk vulnerability, mid-crisis vulnerability, low-risk vulnerability, the proportion of the Red Line vulnerability is 17%, 16%, 88%. Low-risk vulnerabilities in the red line of the largest proportion of the vulnerability, such as denial of service vulnerability, is exploited will result in application denial of service, but its repair cost is low, it is recommended that developers scan for verification and repair as soon as possible.

Figure 5 Top10 vulnerability to security red Line

1. key Industry Vulnerability Analysis

18 Industries, tourism application of the most loopholes, accounting for the total number of loopholes in all sectors of 13%, e-commerce, games, finance and other consumer property closely related industries, the number of loopholes is relatively small, accounting for all sectors of the total loopholes of 6%, 5%, and 4%.

Financial TOP10 Android Application Although the total number of loopholes ranked, but its high-risk vulnerability accounted for up to 34%, ranked first in the industry, it deserves attention.

Figure 6 The number of vulnerabilities in 18 industries TOP10 Android Apps

1) e-commerce industry Top10 android Application Vulnerability

E-commerce TOP10 application has 851 vulnerabilities, the average application contains 85 vulnerabilities, of which about 27% are webview remote code Execution High-risk vulnerability, can lead to malicious applications are implanted, contacts and SMS is stolen, mobile phone is remote control and other serious consequences.

E-commerce top10android application of 851 vulnerabilities, about 27% is a high-risk vulnerability, more than 18 industries of high-risk vulnerability of 17%, and e-commerce applications and user funds are closely related, developers can refer to the security provided by Ali Poly solution to repair, to ensure that the user's interests and corporate reputation are not affected.

Figure 7 Distribution of vulnerability categories used by e-commerce Top10

2) gaming industry Top10 Android App Vulnerability

The game class Top10 Android app has 788 vulnerabilities, with an average of 79 vulnerabilities per app. 29% of these are WebView remote code execution high-risk vulnerabilities.

Game class Top10 Android app 788 vulnerabilities, about 19% is a high-risk vulnerability, than 18 of the industry's high-risk vulnerability is 17% low, in 18 industries, the relatively small number of high-risk vulnerabilities. The game application update iteration frequency is high, the fund, the user downloads the large quantity, the existence flaw risk also cannot neglect.

Figure 8 The distribution of vulnerability categories in game class TOP10 applications

3) Financial Industry Top10 Android App Vulnerability

The financial class Top10 Android app has 669 vulnerabilities, with an average of 67 vulnerabilities, 22% of which are WebView remote code execution high-risk vulnerabilities.

Of the 669 vulnerabilities in the financial TOP10 Android app, about 34% are high-risk vulnerabilities, 48% higher-risk vulnerabilities than 18 industries, and the highest-risk vulnerabilities in 18 industries. Because the financial application is closely related to the user's property, there is a huge risk to the user's property caused by the hidden loopholes.

Figure 9 Distribution of vulnerability categories in the financial TOP10 Android app

1.3. Typical application vulnerability

Due to the openness of the Android system itself, compared to the 2014 WebView Remote Command execution vulnerability, the researchers in 2015 discovered a number of new Common vulnerability types for Android applications that could be found by code rules, by investigating the operational mechanisms of mobile applications in the system. Vulnerability avoidance in the development phase.

1. Android Generic Denial of service vulnerability

In January 2015, researchers at domestic security firms found an Android-generic denial-of-service vulnerability that could allow a malicious attacker to use the vulnerability to cause an app crash to fail to function properly. Almost all Android apps on the market were affected when the vulnerability was released, with an average of more than 10 vulnerabilities per application in the early days of the vulnerability announcement.

The vulnerability is due to the Getstringextra of the Android API, such as the Getxxxextra class function, when acquiring a value, if it gets to a custom serialization class, it throws the class undefined exception, causing the application to crash. The fix for the vulnerability is relatively simple, with little impact on business code logic, and only needs to be added to the try catch catch exception.

The Ali security vulnerability scanning engine has dynamic fuzz capabilities to pinpoint the vulnerability.

2. remote control risk due to port opening

Today, more and more mobile applications in the market to meet business needs, such as the exchange of location information, or receive other applications and server transport business instructions, so when the application is running, open the port can be accessed, through the port to receive data to local. Once the port access control is not rigorous and is exploited maliciously by the attacker, the application may receive forged protocol instructions and the reserved business functions are further exploited maliciously. Open ports are an important way to remotely control the various SDK backdoor events that broke out in 2015.

October 2015 domestic security researcher discovered wormhole loophole, pointed out that Baidu's Moplus SDK exists to collect user and device information, as well as add contacts, call and send SMS and other sensitive function code, because the application is running when the local TCP port (40310), Allows an attacker to obtain sensitive information by sending requests to that port, and to perform sensitive functions reserved in the code.

3. parasitic beast loophole

The "parasitic beast" vulnerability is a code hijacking vulnerability, but the impact is very limited because the exploit is more demanding. In the case of satisfying a hijacked network download environment, tamper-proof application public storage area, or file decompression without lawful verification, it can achieve the purpose of hijacking code and executing malicious program, and once the success is exploited it is a high-risk loophole.

The vulnerability principle is that Android apps use Dexclassloader dynamic Loading and reflection at runtime to invoke a separate apk or jar file with certain features to implement a plug-in mechanism for seamless upgrades and feature extensions. function Dexclassloader The second parameter is the target Odex path, if the application does not protect the cache file under the Odex path, it is possible to execute code in the context of an intermediary attack, file substitution, and so on.

By analyzing the execution environment and conditions of malicious code, the Ali secure vulnerability scanning engine discovers the vulnerability of an application from the point of attack path. Based on the results of the scan, fewer applications are currently affected by the vulnerability on the market.

1.4. Apply security incidents 1. xcodeghost-- Compiler Backdoor

September 14, 2015, domestic security researchers found that a large number of well-known iOS applications to a third-party server to send a large number of requests, level hundreds of millions of user information leakage risk. Ali Mobile Security By analyzing samples of such iOS applications, a security bulletin was issued to the developer on September 17 to name the virus xcodeghost, which contains sample details, inspection and remediation measures. Because of the use of unofficial download, the malicious tampering of the iOS app compilation software Xcode caused. The third-party server that received the sensitive information after the security bulletin was released was shut down urgently, but then Ali Mobile security researchers found that there were still attackers who were hijacked by the network, the "interception" of the user's sensitive information, the impact is not stopped.

According to statistics, the use of this malicious Xcode developed iOS app up to 4300 +, even contains the market in the top ten of the application, including but not limited to, NetEase Cloud music, railway 12306 and other daily tool software, and even banking applications. Apple's official announcement then confirmed the XcodeGhost's impact and AppStore all the affected applications in the official App Store. This event is known to affect the largest number of users, loaded into the annals of mobile security.

The source of the event is the developer's development tool, which is more convenient and quick to download to the iOS app, and is downloaded through unofficial channels or peer-to download tools, which makes it possible for a malicious attacker to inject malicious code into the compilation library in Xcode. The Backdoor program (XcodeGhost) was planted by the iOS app that caused it to be compiled. The backdoor program is capable of uploading sensitive information to the attacker's server, receiving control commands, executing open Web pages, sending text messages, and making calls.

The harm of xcodeghost in Figure ten

2. SDK Security event Storm--sdk Backdoor

The 2015 security incidents caused by third-party SDKs have led to industry shocks and concerns about mobile application security.

September 22, security researchers found that the popular game graphics rendering components Unity3d, cocos2d-x, also found in the unofficial download channel version contains features similar to XcodeGhost. In addition, there are meters, multi-AU, adsage, Wanpo and other SDKs have also been pointed out to collect user privacy information, and the Apple Mall AppStore the lower shelf, the impact of thousands of applications. Some of these SDKs even affect both Android and iOS, with full-platform compatibility. Some SDK before publishing to the Apple Mall, closed the function of collecting data "switch", so the audit escaped the Apple Mall Auditor inspection, in the AppStore shelves successful, user installation run and then remote open "switch", real-time acquisition of user privacy data or execution of other business instructions-"switch" The behavior is also blacklisted by Apple Mall auditors.

3. Wormhole loophole--"Baidu family Barrel"

November 2015, Baidu Series application was exploded "wormhole" vulnerability, can be used to remotely perform sensitive operations: Call, send text messages, access to user privacy information. And the source is Baidu's Moplus SDK, Baidu and most of its products are integrated, so the netizen is called "Baidu family Barrels." Wormhole vulnerability is based on Baidu's advertising port exists authentication and permissions control defects, and this port is used for advertising web pages, upgrade download, the use of promotion. However, the various types of sensitive code reserved in the Moplus code (Operation address Book, telephone, SMS, etc.) make the wormhole once exploited, because the number of users covers billions.

1.5, the development trend of the application of loopholes

1. Vulnerability concerns gradually shifting from application vulnerability to business logic vulnerability

Android Market TOP10 apps have 87 vulnerabilities per application on average. A large number of applications still contain many types of vulnerabilities, high because of the lack of security awareness of developers: if the mobile side of the vulnerability is more difficult to affect the normal business operations, or consider the cost of exploitation is higher, need to hijack or have certain trigger conditions.

However, from the information collected by the industry, most of the high-risk vulnerabilities are focused on the types of logic vulnerabilities, such as design flaws and authentication authorization, which require manpower research and analysis. Once triggered, this kind of vulnerability can directly affect user data and Business Server's normal operation process, resulting in a large amount of capital loss, information leakage events. Although the analysis cost of the vulnerability is higher, but the utilization effect is better, balanced attack cost and revenue, there will be more business logic vulnerabilities in the future to uncover and even generate security incidents.

2. disclosure of user privacy information will be the biggest risk of business mobility

Ali Poly Security to the domestic and foreign markets in the application of vulnerability scanning, found that the foreign market is also countless loopholes, but foreign mobile application business more concerned about information leakage. From the 2015 foreign media reports, whether it is Apple AppStore or Google Play, will be very concerned about the user's privacy data storage transmission problem, but the market will not because of the application of loopholes and directly punish the next, but once the touch of privacy data is hard to blame.

Foreign media is also concerned about the clear-text storage and transmission of information, such as the Afnetworking Network Library SDK, has not been strong verification of the server-side HTTPS certificate problem was criticized by the media. Today's user habits have been mobile, information leakage will be the biggest risk of mobile, is the future of long-term topic.

3. developers need to take into account the potential risks of the development environment

In the 2015, the Application Security event, the development of software, third-party SDK and other development environment caused by a large number of users have suffered, and triggered the industry public opinion. Mobile app developers need to be more aware of the potential risks of the development environment while focusing on whether their application has a security risk vulnerability. Due to the problem of slow release and long repair period in mobile application, how to remove and repair the fast and dynamically update the security of each manufacturer will be a problem that needs constant attention in the future. Developers can use the security hardening services of Ali to enhance the analysis cost of malicious attackers and protect application security.

Chapter II 2015 Android System Vulnerability 2.1, Android System Vulnerability overview

In 2015, the overall vulnerability of Android systems exploded in an explosive growth. Among them, the application Framework & libraries of the total number of vulnerabilities amounted to 130, up 1082% yoy. Both in absolute numbers and in terms of the rate of vulnerability growth, they are the first since 2009. At the same time, Linux kernel still have many rights to exploit the security of Android system, such as general-purpose exploit cve-2015-3636 and a lot of rights in the device driver, such as cve-2015-8307/cve-2015-8680.

The rapid increase in the vulnerability of Android in 2015 was due mainly to the increasing number of researchers focusing on mobile security. With the increasing importance of mobile security, we believe that the number of vulnerabilities in the 2016 Android system will remain at a higher level.

Figure one application Framework & Libraries Vulnerability growth trend

In the 2015 Application Framework & Libraries Vulnerability, the top three categories of vulnerabilities were code execution, overflow, and denial of service vulnerabilities, accounting for 26%, 23%, and 20%, respectively. Among them, the number of code execution vulnerabilities raised by the Media Library is approximately 40% of the total Code execution vulnerability. In Linux kernel, in addition to kernel common code vulnerabilities, device drivers remain a security vulnerability in the hardest hit.

Figure Application Framework & Libraries Vulnerability category proportion.

2.2. Typical Android System vulnerability

1. Code Execution Vulnerability

Ordinary users often think that as long as they are downloaded from the formal channels of the application will not be exposed to security threats. However, this perception has become obsolete after 2015 years of explosive growth in security vulnerabilities in Android systems. In the case of Stagefright, an attacker who knows the mobile phone number of an attacker can proactively initiate a remote attack via MMS in a user-unaware state.

Stagefright is a core component of the Android multimedia framework that was introduced in Android 2.2 and became part of Android's default multimedia framework from Android 2.3. There are stagefright vulnerabilities on all versions prior to Android 5.1. Stagefright is a very complex system library that supports parsing of multiple multimedia file formats such as Mpeg4/mp3. As the core component of Android Multimedia framework, there are more than 11 attack vectors for Stagefright, including browser/mms and so on.

As the Stagefright library runs in the MediaServer process, an attacker who successfully exploits the Stagefright vulnerability can gain access to the mediaserver process, and further, the attacker may be able to bind other vulnerabilities to the root authority , thus completely controlling the attack object. In fact, from the PC era, complex file format parsing, like multimedia files, is the hardest hit of security vulnerabilities. Starting with the Stagefright vulnerability, 2015 disclosed a series of system security vulnerabilities related to multimedia file parsing, accounting for about 40% of all code execution vulnerabilities.

Multimedia file parsing related vulnerability is not the only high-risk remote attack vulnerability in 2015 years. In April 2015, Ali security researchers also discovered a buffer overflow vulnerability that existed in the Wpa_supplicant component and was named "WiFi Killer". When the Wi-Fi direct connection function is turned on, the attacker will be able to get execution rights on the user's phone by remotely sending malicious code without the user's knowledge, as long as it is within the reach of the WiFi on the phone.

WiFi killer vulnerabilities are widespread, and all wpa_supplicant components that are between versions 1.0 and 2.4 and that have the CONFIG_P2P option configured by default are affected. And as a user's daily use of an important function, many manufacturers in the factory default on the WLAN direct connection function, which also further increased the damage of WiFi killer.

2. local rights loopholes

From the 2013 Put_user loophole, to the common vulnerability used by Towelroot in 2014, to the pingpong loophole in 2015, it is almost every year that at least one "kill" all of the generic rights-based vulnerabilities of all Android models.

Pingpong is a power-up loophole in kernel, proposed by domestic security researchers, that affects all system versions after Android 4.3. In fact, the vulnerability code is also present in versions below Android 4.3. However, in previous versions of Android 4.3, the normal app was spared by not having permission to create the socket necessary to trigger the vulnerability.

It is worth mentioning that the evolution of the Android system as a whole is moving toward a more stringent authority control, and the Pingpong vulnerability related to the release of this permission is a few "counter-examples." Starting with Android version 4.3 (including to the latest Android 6.0), INIT.RC changed the value of/proc/sys/net/ipv4/ping_group_range, making this kernel configuration from the previous "1 0" into "0 2147483647 ".

Interestingly, the main purpose of this change is to implement a ping program that does not require privileges, essentially to strengthen the system's authority control, but in the end it creates conditions for the exploitation of the pingpong exploit. In contrast, some Linux desktop server distributions with the same vulnerability code, like versions prior to Android 4.3, were protected from pingpong vulnerabilities because they did not release the corresponding socket permissions.

Pingpong vulnerability is rooted in Linux kernel the right to exploit the vulnerability, its coverage is very wide. In addition, device drivers are also a common area in recent years prone to the right to raise loopholes. We also found a lot of such vulnerabilities in the process of reviewing a manufacturer's 2015 phone core. This type of vulnerability is also an important factor in recent years that has led to the Android system being "one key root".

On the other hand, since 2014, the user-State vulnerability of Android system has been the trend of a large number of researchers concerned. Take cve-2015-1528, an example of a system that security researchers have discovered and reported to Google that could allow an attacker to gain system privileges through this vulnerability.

Specifically, when the Graphicbuffer object accepts a specific cross-process instruction through binder, there is no validation of the validity of the instruction, resulting in an integer overflow vulnerability in the heap allocation. Thereafter, when you operate on this piece of memory, it causes heap memory to be compromised. Subject to the rights control of the Android system, this vulnerability needs to be reused over a period of three steps to finally power up to system permissions, as shown in.

Figure 13 The process of extracting rights to system permissions

The vulnerability was not the first on Android that resulted from the failure to detect a command parameter passed by Binder and disclosed a binder-related vulnerability in 2014. Due to the impact of user-State vulnerability mitigation technologies, these exploits are often more complex and require the use of ROP technologies. Currently, malware and one-click root tools mostly use the kernel vulnerability directly for power. However, with the continued narrowing of the Android system, the future Android system will require multiple vulnerabilities to complete the root of the power to work.

2.3 Android security ecosystem and Vulnerability outlook

Under Google's leadership, the Android system has kept pace with the fast-paced update. After the launch of Android 5.0 in late 2014, Android 6.0 was launched in September 2015, and the new Android system is more sophisticated in its access control and vulnerability mitigation technologies, which are positive for protecting end-user mobile phone security.

Specifically, Android has introduced selinux from version 4.3 as an important complement to the entire system's permissions control. On Android 4.3 is the permissive mode, just record violation of the rights control of the log, not really block violation of permission control operations. From Android 4.4, SELinux changed to enforce mode, the system partition removed the local program containing "s" bit bits, which also caused the root persistence tool to be forced to use daemon mode after version 4.4. On Android 5.0, the SELinux control of the permissions is further tightened, resulting in the root persistence tool having to patch SELinux policy after the system is booted to take effect. With the gradual popularization of 64-bit Android models, the new version of the Android system kernel integrated with the PXN feature [3], the code in the user-State address space can not be run in privileged mode, making the kernel vulnerability to the right to raise the difficulty greatly increased.

Figure 14 Permissions control for Android version

But the popularity of the new Android system has been slow compared to Apple's iOS system, with few users in the country who actually used Android 6.0 systems in 2015. This is largely related to the long chain of Android industry. After a new version of Android has been released, it needs to go through the adaptation work of chip vendors and end vendors to reach the users ' hands. Under the constraints of some objective factors (such as research and development cost constraints), users have to go through a long wait to get a new system push, some models are not even updated after release.

Figure Android Each system version of the user volume ratio

This situation has a great negative impact on the user's system security. On the one hand, users can not enjoy the new system more perfect security mechanism, more importantly, the system vulnerability of the delayed repair will allow users to long-term exposure to a dangerous, vulnerable state.

From a positive point of view, at present, some strong research and development companies at home and abroad can quickly respond to system vulnerabilities, timely release of updated version. Unfortunately, considering the huge number of smartphones in China, there are still a lot of users who are exposed directly to the danger.

In fact, the massive explosion of Android vulnerabilities in 2015, both absolute and growth, is expected to remain high in the 2016-year-old number of vulnerabilities in the Android system. The core reason for this is not that the Android system itself is getting worse, but that a large number of security personnel are looking at the Android system. In the long run, more and more researchers ' attention will inevitably improve the overall security of the system. In the short to medium term, however, the volume of system vulnerabilities and the inability of some users to get security updates in a timely manner also increases the security risks of the entire Android ecosystem.

Chapter III - years IOS System Vulnerability

2015 is destined to be an extraordinary year in the history of iOS security, in addition to the XcodeGhost events that occur at the application level, there have been many memorable events in terms of system security.

3.1, iOS System vulnerability Summary

2015 iOS System vulnerability to the outbreak of growth, the total number of holes in the year amounted to 654, up 128% yoy. Both in absolute terms and in terms of the rate of vulnerability growth, they ranked first in the 2009.

The increase in iOS vulnerability in 2015 was mainly due to the increasing number of researchers focusing on mobile security, and many previously overlooked system attacks were discovered and vulnerabilities were found and submitted to Apple for remediation. It is believed that the number of iOS system vulnerabilities in 2016 will remain at a high level.

Figure iOS System vulnerability number trends

In the iOS system vulnerability, denial of service, code execution, and information disclosure accounted for the highest ratio of 18%, 17%, and 16%, respectively.

Figure iOS System vulnerability category ratio

In 2015, in addition to the vulnerabilities associated with iOS jailbreak, the number of vulnerabilities in Apple's operating system increased much more than in previous years. In particular, the number of CVE (Common Vulnerability disclosures) exceeds that of many IT companies, so many media are beginning to criticize the security of Apple's systems. In fact, Apple is paying more attention to security issues than other vendors, and the vulnerabilities submitted by security researchers will be carefully reviewed to fix and help to report CVE. iOS users don't need to panic over the security of iOS, as long as they upgrade their iOS system to the latest version, they can defend against the vast majority of vulnerabilities. On the other hand, due to the layered security mechanism of Apple operating system, there are fewer vulnerabilities that can pose a direct threat to user security.

3.2. Typical iOS System vulnerability

iOS system vulnerability is mainly used for jailbreak, however, due to the security mechanism of Apple operating system, complete untethered jailbreak (perfect Jailbreak) needs multiple vulnerabilities, the typical jailbreak exploit process is: Sandbox escape complete file injection, signature bypass, Finally, the security mechanism to completely shut down iOS by using kernel bugs to complete kernel code modifications.

1. file Injection Vulnerability

Before you jailbreak, you need to inject a file into your iphone device by injecting a bug into your files. DDI (Developerdiskimage Race condition,by Comex) is widely used in several of the most perfect escapes. The vulnerability is mainly through the race condition, after checking the signature, before mounting, the normal DMG is replaced, thereby achieving the file injection. On the latest iOS 9 perfect jailbreak, a new file injection method was used to complete the file injection of any directory directly in the sandbox via IPC.

2. Sandbox arbitrary code execution Vulnerability

2015, the cve-2014-4492 Vulnerability details disclosed, its service side exists in the NETWORKD process, through the IPC to implement the sandbox and the process of communication, the service's communication processing function does not have the Xpc_data object type check, and then directly call xpc_data_get_ Bytes_pointer, by passing in other types of data obfuscation, and fake object constructs, can eventually control the PC and execute arbitrary code.

The vulnerability could be exploited in such a way that it benefited from two other weaknesses in the Apple system: the heap-created address is relatively fixed, allowing an attacker to create the attack content in a nearly accurate location through heap spary, and Dyld_share_libray_ The cache is the same as the image base of the different processes, allowing attackers to directly build an attack on the ROP Garget without having to taboo ASLR.

It is worth mentioning that such vulnerabilities can be triggered directly through the sandbox on non-jailbroken devices, which poses a great risk to users.

3. Kernel Vulnerabilities

The primary goal of the kernel vulnerability during jailbreak is to turn the exploit into a stable, arbitrary read and write capability, and then modify the kernel code to shut down the iOS security mechanism from the kernel.

Although the iOS kernel has a number of security mechanisms: SMAP, DEP, KASLR, only a few heap overflow vulnerabilities can be exploited independently and bypassed by these security mechanisms. The 2015 jailbreak exploits are of this type, but these vulnerabilities need to be triggered after the sandbox escape and signature bypass, which does not directly pose a security threat. The most recent kernel exploits of the perfect Jailbreak (ios7.1.2~ios9.0) were found in the open source driver module iohidfamily.

The cve-2014-4487 vulnerability for iOS8.1.2 jailbreak, which exists in iohidfamily-iohidlibuserclient, is a typical heap overflow vulnerability model: the ability to create a buffer of any size with Iomalloc, and released to any size of the Kalloc.zone (iOS kernel heap memory fast allocation mechanism). IOS Kalloc.zone Freelist is LIFO so that it is released to a size larger than the original kalloc.zone and then used to create a larger size Kalloc zone ool Mach MSG, so that it can be overwritten to a smaller size Kalloc.zone the elements of the original adjacent position to complete the conversion of the buffer overflow. The kernel is arbitrarily read by modifying the kdata of the vm_map_copy through buffer overflow iOS8. After acquiring the kernel KASLR image base, further convert the adjacent object into Iouserclient subclass rewrite Getexternaltrapforindex virtual function, and further convert to arbitrary read and write.

The cve-2015-6974 vulnerability for iOS9 jailbreak exists in iohidfamily-iohidlibuserclient, a typical UAF vulnerability where the pointer is not empty after releasing Ioservice subclass (C + + object). After releasing the object, the user state can also invoke the virtual function of the function through Iohidresourceuserclient, and can control the parameters. The heap Feng Shui is then created to release the address, further revealing the kernel base and control vtable find the right gadget to convert to any read and write capability.

Apple has done a lot to disrupt the heap overflow series: First shielding Mach_port_kobject (cve-2014-4496), Mach_port_space_info (cve-2015-3766), These two interfaces can be used to judge the boundary of page, and the stability of heap Feng shui will be affected by shielding. The Vm_map_copy object is then drastically modified in iOS9.0, making it more difficult to construct arbitrary size releases and arbitrary address reads. In addition, adding the KPP mechanism, in general, the kernel becomes more and more secure.

3.3. iOS Vulnerability Outlook

In 2015, as the IOS system continued to grow, and the XcodeGhost event was fermented, we could see that there were still a lot of ignored attack surfaces on the iOS system. For example, in the case of non-jailbreak, the sandbox can get root code execution permissions through the vulnerability, steal user privacy and other third-party data and so on.

We can boldly predict that 2016 iOS system security is destined to be an extraordinary year: there will be more iOS kernel exploits and iOS 9.2 and 9.3 jailbreak releases; Stagefright vulnerabilities like Android may also appear on iOS systems, and we may see more disclosures like "airdrop-eaque" attacks that allow attackers to send and install malicious apps on any device within a certain range.

But offense and defense is always relative, the new iOS 10 operating system will be introduced at the Apple Global developer conference in 2016, which will definitely bring a more robust security mechanism. Security researchers in the new year will certainly devote more effort to the study of iOS system security, I believe that in the "interaction" with Apple, the security of the iOS system will be a step further.

2015 mobile Security vulnerability Annual Report--Ali Poly Security