Magdalena Steinböck

Dipl.-Ing.in / BSc

Roles
  • PreDoc Researcher
Publications (created while at TU Wien)
    2025
    • Analyzing the iOS Local Network Permission from a Technical and User Perspective
      Schmidt, D., Ponticello, A., Steinböck, M., Krombholz, K., & Lindorfer, M. (2025). Analyzing the iOS Local Network Permission from a Technical and User Perspective. In 2025 IEEE Symposium on Security and Privacy (SP) (pp. 4229–4247). IEEE.
      DOI: 10.1109/SP61157.2025.00045
      Abstract
      In the past, malicious apps attacked routers or identified locations through local network communication. To mitigate security and privacy risks from local network access, Apple introduced a new permission with iOS 14. To be effective, the permission needs to protect against technical threats, and users must be able to make an informed permission decision. The latter is presumably hindered by the intrinsic technicality of the concept of the local network. In this paper, we perform the first comprehensive analysis of the local network permission by studying four key aspects. We investigate the security of its implementation by systematically accessing the local network. We explore local network accesses via a large-scale dynamic analysis of 10,862 iOS and Android apps. We analyze the concepts that constitute the permission prompts, as this is all the information users get before making a decision. Based on the identified concepts, we conduct an online survey (N=150) to comprehend users' understanding of the permission, their threat awareness, and common misconceptions. Our work reveals two methods to bypass the permission from webviews, and that the protected local network addresses are insufficient. We show how and when apps access the local network, and how the situation differs between iOS and Android. Finally, we present the light and shadow of users' understanding of the permission. While nearly every participant is aware of at least one threat (83.11%), misconceptions are even more common (84.46%).
    • SoK: Hardening Techniques in the Mobile Ecosystem — Are We There Yet?
      Steinböck, M., Troost, J., van Beijnum, W., Seredynski, J., Bos, H., Lindorfer, M., & Continella, A. (2025). SoK: Hardening Techniques in the Mobile Ecosystem — Are We There Yet? In 2025 IEEE 10th European Symposium on Security and Privacy (EuroS&P) (pp. 789–806). IEEE.
      DOI: 10.1109/EuroSP63326.2025.00050
      Abstract
      Irrespective of the security and isolation guarantees offered by the mobile operating system, the Mobile Application Security Verification Standard (MASVS) recommends that app developers implement hardening techniques for self-protection: to prevent tampering and leakage, detect jailbreaks, etc. Although regulations incentivize developers toward implementing self-protection, our understanding of the use of hardening techniques is still very limited, especially regarding differences, if any, between the two main mobile ecosystems. In this paper, we systematize knowledge on the use and analysis of hardening techniques, covering, for the first time, both Android and iOS apps. To this end, we present HALY, a framework to analyze the adoption of hardening techniques. Using HALY’s static and dynamic analysis, we analyze 2,646 popular apps available on both Android and iOS, and measure the prevalence of hardening techniques. Contrary to expectation, apps on iOS underperform in self-protection, implementing only half of the recommended hardening techniques compared to their Android counterparts, challenging the long-held belief that iOS is simply “more secure.” Equally surprising, while privacy-sensitive apps implement more self-protection, many apps implement hardening techniques on only one of the two OSes. Furthermore, as many common techniques are easy to bypass individually, the additional security is questionable. Overall, almost all apps implement some hardening techniques, but as many as 24.1% (Android) and 73.6% (iOS) implement fewer than half of the recommended ones, and we found only 26 apps on Android that implement all eight and only one app on iOS that adopts all seven analyzed techniques.
    2024
    • Comparing Apples to Androids: Discovery, Retrieval, and Matching of iOS and Android Apps for Cross-Platform Analyses
      Steinböck, M., Bleier, J., Rainer, M., Urban, T., Utz, C., & Lindorfer, M. (2024). Comparing Apples to Androids: Discovery, Retrieval, and Matching of iOS and Android Apps for Cross-Platform Analyses. In MSR ’24: Proceedings of the 21st International Conference on Mining Software Repositories (pp. 348–360).
      DOI: 10.1145/3643991.3644896
      Abstract
      For years, researchers have been analyzing mobile Android apps to investigate diverse properties such as software engineering practices, business models, security, privacy, or usability, as well as differences between marketplaces. While similar studies on iOS have been limited, recent work has started to analyze and compare Android apps with those for iOS. To obtain the most representative analysis results across platforms, the ideal approach is to compare their characteristics and behavior for the same set of apps, e.g., to study a set of apps for iOS and their respective counterparts for Android. Previous work has only attempted to identify and evaluate such cross-platform apps to a limited degree, mostly comparing sets of apps independently drawn from app stores, manually matching small sets of apps, or relying on brittle matches based on app and developer names. This results in (1) comparing apps whose behavior and properties differ significantly, (2) limited scalability, and (3) the risk of matching only a small fraction of apps. In this work, we propose a novel approach to create an extensive dataset of cross-platform apps for the iOS and Android ecosystems. We describe an analysis pipeline for discovering, retrieving, and matching apps from the Apple App Store and Google Play Store that we used to create a set of 3,322 cross-platform apps out of 10,000 popular apps for iOS and Android, respectively. We evaluate existing and new approaches for cross-platform app matching against a set of reference pairs that we obtained from Google's data migration service. We identify a combination of seven features from app store metadata and the apps themselves to match iOS and Android apps with high confidence (95.82%). Compared to previous attempts that identified 14% of apps as cross-platform, we are able to match 34% of apps in our dataset. To foster future research in the cross-platform analysis of mobile apps, we make our pipeline available to the community.
    2022
    • Android vs. iOS: Security of Mobile Deep Links
      Steinböck, M. (2022). Android vs. iOS: Security of Mobile Deep Links [Diploma Thesis, Technische Universität Wien]. reposiTUm.
      DOI: 10.34726/hss.2022.93327
      Abstract
      Bridge the Gap is a trend that aims to allow web browsers to start smartphone apps on a mobile device. This is achieved by so-called Deep Links, which enable direct linking to specific in-app resources. However, the resulting fusion of the web and native apps also introduces new attack vectors. There are numerous studies on security and privacy concerns of Deep Links on the open-source operating system Android, showing that these are prone to threats such as hijacking. The proprietary operating system iOS has an implementation of deep linking mechanisms similar to Android's. However, there are not many publications on this matter, possibly due to the unavailability of iOS’ source code. In this thesis, we investigate the security of mobile Deep Links. First, we present known attack scenarios for Android with regard to Custom Schemes and App Links. Then, we consider the applicability of these attack vectors to deep linking mechanisms on iOS. To this end, we develop vulnerable apps implementing the discussed security issues, analyze whether an attacker could abuse them, and assess what security and privacy implications this has. Next, we compare our results to the corresponding mechanisms and security concerns of Android. Finally, to gain insight into the actual security implications of the presented attack vectors, we analyze the distribution of Deep Links in the wild, based on a dataset containing over 11,000 iOS apps from the official Apple App Store.