Abstract

During the development of web-based mobile apps, third-party SDKs (Software Development Kits) are frequently used to integrate functionality such as push notification and mobile payment. Unfortunately, security is often treated as a second-tier concern, and app developers are prone to misusing these SDKs. Among the typical SDK misuses, the misuse of credentials is the one that introduces the most serious security threats. A credential is a set of unique values (e.g., an App ID or App Token) allocated to a specific developer so that an app can authenticate its identity to the SDK's service. If a credential is not properly protected, it can be easily obtained by attackers, leading not only to leakage of the developer's confidential information but also to direct threats to the privacy of end users. To investigate SDK credential misuse on the iOS platform, in this paper we conduct an empirical study of 100 popular iOS apps that use two popular mobile SDKs (each of which is used by at least 40 million users). We implemented iCredFinder, an automated analysis tool that searches for credential misuses in these apps, and our experiment shows that 68 of the 100 apps contain at least one misuse. Our study demonstrates the severity of credential misuse on iOS: even in well-developed SDKs and apps, credentials are not well protected and can be easily discovered. We expect that our study will help developers fix these flaws and promote better implementations.
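As an added illustration, not part of this abstract and not the authors' iCredFinder tool, the following stand-alone Python script shows how little effort it takes to recover a hard-coded SDK credential from an app bundle: it walks an Info.plist for credential-named string values and scans a `strings` dump of the app binary for `name=value` fragments and bare high-entropy tokens. The sample plist, the sample strings dump, the vocabulary of credential key names, the placeholder patterns and the entropy thresholds are all constructed or assumed for this example.

```python
"""Added example (not the paper's iCredFinder): find hard-coded SDK credentials
in an iOS app's Info.plist and in a `strings` dump of its Mach-O binary."""
import math
import plistlib
import re

# Assumed vocabulary of credential key names, matched after normalising a key
# path to lower-case alphanumerics ("PushSDK.AppSecret" -> "pushsdkappsecret").
CRED_NAME_PARTS = ("appid", "appkey", "apikey", "clientid", "secret", "token")
# name=value / name:"value" fragments inside a strings dump.
NAMED_RE = re.compile(
    r"""["']?(?P<name>[A-Za-z_.\-]*(?:id|key|secret|token))["']?\s*[:=]\s*["']?(?P<value>[A-Za-z0-9_\-]{8,})""",
    re.IGNORECASE,
)
# Bare tokens that look like random hex / base64 / url-safe secrets.
TOKEN_RE = re.compile(r"[A-Za-z0-9+/_\-]{24,}={0,2}")
# Assumed placeholder conventions that should not be reported as live secrets.
PLACEHOLDER_RE = re.compile(r"^(your|xxx|todo|replace|changeme|placeholder|<)", re.IGNORECASE)
MIN_ENTROPY_NAMED = 3.0  # bits/char; drops label-like values such as "appSecret"
MIN_ENTROPY_BARE = 4.0   # bits/char; random 32-char secrets sit around 4.5-5.0


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def is_credential_name(name):
    norm = re.sub(r"[^a-z0-9]", "", name.lower())
    return any(part in norm for part in CRED_NAME_PARTS)


def looks_like_secret(value, min_entropy):
    return (isinstance(value, str) and len(value) >= 8
            and not PLACEHOLDER_RE.match(value)
            and shannon_entropy(value) >= min_entropy)


def finding(source, name, value):
    return {"source": source, "name": name, "value": value,
            "entropy": round(shannon_entropy(value), 2)}


def scan_plist(plist_bytes, source="Info.plist"):
    """Walk an XML or binary plist; report credential-named string leaves."""
    findings = []

    def walk(node, path):
        if isinstance(node, dict):
            for k, v in node.items():
                walk(v, f"{path}.{k}" if path else str(k))
        elif isinstance(node, list):
            for i, v in enumerate(node):
                walk(v, f"{path}[{i}]")
        elif is_credential_name(path) and looks_like_secret(node, MIN_ENTROPY_NAMED):
            findings.append(finding(source, path, node))

    walk(plistlib.loads(plist_bytes), "")
    return findings


def scan_strings(dump, source="binary strings"):
    """Scan `strings -n 8 <binary>` output line by line."""
    findings = []
    for line in dump.splitlines():
        named = [m for m in NAMED_RE.finditer(line)
                 if is_credential_name(m.group("name"))
                 and looks_like_secret(m.group("value"), MIN_ENTROPY_NAMED)]
        findings += [finding(source, m.group("name"), m.group("value")) for m in named]
        if named:
            continue  # do not double-report the value as a bare token
        findings += [finding(source, None, tok) for tok in TOKEN_RE.findall(line)
                     if looks_like_secret(tok, MIN_ENTROPY_BARE)]
    return findings


def scan_app(plist_bytes, strings_dump):
    return scan_plist(plist_bytes) + scan_strings(strings_dump)


# Constructed sample inputs: a plist embedding a push SDK's credentials and a
# payment SDK placeholder, plus a strings dump with one named and one bare secret.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.example.shop</string>
  <key>CFBundleShortVersionString</key><string>2.1.0</string>
  <key>PushSDK</key><dict>
    <key>AppId</key><string>8f2a1c9d0e</string>
    <key>AppSecret</key><string>4d1f6b2a9c8e7d5f3b1a0c9e8d7f6a5b</string>
  </dict>
  <key>PaySDKAppKey</key><string>YOUR_APP_KEY</string>
</dict></plist>"""
SAMPLE_STRINGS = """_OBJC_CLASS_$_PushManager
-[PushManager registerWithAppKey:appSecret:]
appKey=1a2b3c4d5e6f7a8b
Q3e9Lm7vKp2sXy4tRz8wNb5cJd6fHg0a
http://api.example.com/v2/register
SDK initialized"""

if __name__ == "__main__":
    for f in scan_app(SAMPLE_PLIST, SAMPLE_STRINGS):
        print(f"{f['source']:15} {str(f['name']):20} {f['value']}  (H={f['entropy']})")
```

On the constructed input the script reports the push SDK's App ID and App Secret from the plist, the `appKey=` assignment and the bare 32-character token from the strings dump, and skips both the `YOUR_APP_KEY` placeholder and the Objective-C selector `registerWithAppKey:appSecret:`, whose "value" is just a label with low entropy. Against a real bundle you would run it over the decrypted binary's `strings` output and every plist and bundled config file, which is roughly the attacker's cost of obtaining a credential that was never meant to leave the developer's hands.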

Full Text
Published version (Free)
