DOI: 10.1145/3576915.3616655

The Danger of Minimum Exposures: Understanding Cross-App Information Leaks on iOS through Multi-Side-Channel Learning

Published: 21 November 2023

Abstract

Research on side-channel leaks has long focused on the information exposure from a single channel (memory, network traffic, power, etc.). Less studied is the risk of learning from multiple side channels related to a target activity (e.g., website visits) even when individual channels are not informative enough for an effective attack. Although prior research took the first step in this direction, inferring the operations of foreground apps on iOS from a set of global statistics, it remains unclear how to determine the maximum information leaks from all target-related side channels on a system, what can be learnt about the target from such leaks and, most importantly, how to control information leaks from the whole system, not just from an individual channel.
To answer these fundamental questions, we performed the first systematic study on multi-channel inference, focusing on iOS as the first step. Our research is based upon a novel attack technique, called Mischief, which, given a set of potential side channels related to a target activity (e.g., foreground apps), utilizes probabilistic search to approximate an optimal subset of the channels exposing the most information, as measured by Merit Score, a metric for correlation-based feature selection. On such an optimal subset, an inference attack is modeled as a multivariate time series classification problem, so the state-of-the-art deep-learning based solution, InceptionTime in particular, can be applied to achieve the best possible outcome. Mischief is found to work effectively on today's iOS (16.2), identifying foreground apps, website visits, and sensitive IoT operations (e.g., opening the door) with high confidence, even in an open-world scenario, which demonstrates that the protection Apple puts in place against the known attack is inadequate. Also importantly, this new understanding enables us to develop more comprehensive protection, which could elevate today's side-channel research from suppressing leaks from individual channels to controlling information exposure across the whole system.
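
For a leakage audit, the abstract's core idea (channels that are weak alone can be informative together, as scored by a correlation-based feature selection merit) can be reproduced on constructed data. This is an added example, not code from the paper: it assumes the standard CFS merit formula over per-trace summary statistics, the channel names and data are constructed placeholders, and the random-restart search is a stand-in because the page does not describe the paper's probabilistic search.

```python
import itertools, math, random

def pearson(x, y):
    mx, my = sum(x) / len(x), sum(y) / len(y)
    cov = sum((a - mx) * (b - my) for a, b in zip(x, y))
    var = sum((a - mx) ** 2 for a in x) * sum((b - my) ** 2 for b in y)
    return cov / math.sqrt(var)

def correlation_tables(channels, labels):
    """|r| between each channel and the label, and between channel pairs."""
    r_cf = {c: abs(pearson(v, labels)) for c, v in channels.items()}
    r_ff = {frozenset(p): abs(pearson(channels[p[0]], channels[p[1]]))
            for p in itertools.combinations(sorted(channels), 2)}
    return r_cf, r_ff

def merit(subset, r_cf, r_ff):
    """CFS merit = k*mean(r_cf) / sqrt(k + k*(k-1)*mean(r_ff))."""
    s = sorted(subset)
    pairs = sum(r_ff[frozenset(p)] for p in itertools.combinations(s, 2))
    return sum(r_cf[c] for c in s) / math.sqrt(len(s) + 2 * pairs)

def stochastic_search(names, r_cf, r_ff, restarts=200, steps=20, seed=1):
    """Random-restart hill climbing over subsets. This search strategy is an
    assumption; the page does not describe the paper's probabilistic search."""
    rng = random.Random(seed)
    best, best_m = None, -1.0
    for _ in range(restarts):
        cur = {c for c in names if rng.random() < 0.5} or {rng.choice(names)}
        cur_m = merit(cur, r_cf, r_ff)
        for _ in range(steps):
            cand = cur ^ {rng.choice(names)}      # toggle one channel in or out
            if cand and merit(cand, r_cf, r_ff) > cur_m:
                cur, cur_m = cand, merit(cand, r_cf, r_ff)
        if cur_m > best_m:
            best, best_m = frozenset(cur), cur_m
    return best, best_m

def constructed_traces(n=2000, seed=7):
    """Constructed sample data: label = which of two activities ran; each value
    is one per-trace summary statistic. Channel names are placeholders."""
    rng = random.Random(seed)
    labels = [i % 2 for i in range(n)]
    mem = [y + rng.gauss(0, 1.5) for y in labels]
    return {
        "chan_mem": mem,                                        # weak signal
        "chan_mem_dup": [m + rng.gauss(0, 0.05) for m in mem],  # redundant copy
        "chan_net": [y + rng.gauss(0, 1.5) for y in labels],    # weak, independent
        "chan_unrelated": [rng.gauss(0, 1) for _ in labels],    # no signal
    }, labels

def audit():
    channels, labels = constructed_traces()
    r_cf, r_ff = correlation_tables(channels, labels)
    best, best_m = stochastic_search(sorted(channels), r_cf, r_ff)
    return best, best_m, r_cf, r_ff

if __name__ == "__main__":
    best, best_m, r_cf, _ = audit()
    print("best subset:", sorted(best), "merit:", round(best_m, 3))
```

The selected subset scores higher than any single channel, which is why restricting channels one at a time can leave the combined exposure in place.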

Published In

CCS '23: Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security
November 2023
3722 pages
ISBN: 9798400700507
DOI: 10.1145/3576915

Publisher

Association for Computing Machinery, New York, NY, United States

Author Tags

1. automated analysis
2. ios
3. side channels
4. timing

Qualifiers

• Research-article

Funding Sources

• National Science Foundation

Conference

CCS '23

Acceptance Rates

Overall Acceptance Rate 1,261 of 6,999 submissions, 18%
