[IEEE 2012 19th Working Conference on Reverse Engineering (WCRE) - Kingston, ON, Canada (2012.10.15-2012.10.18)] 2012 19th Working Conference on Reverse Engineering - Reverse Engineering iOS Mobile Applications



<ul><li><p>Reverse Engineering iOS Mobile Applications</p>
<p>Mona Erfani Joorabchi, University of British Columbia, Canada, merfani@ece.ubc.ca</p>
<p>Ali Mesbah, University of British Columbia, Canada, amesbah@ece.ubc.ca</p>
<p>I. ABSTRACT</p>
<p>As a result of the ubiquity and popularity of smartphones, the number of third party mobile applications is explosively growing. With the increasing demands of users for new dependable applications, novel software engineering techniques and tools geared towards the mobile platform are required to support developers in their program comprehension and analysis tasks. In this paper, we propose a reverse engineering technique that automatically (1) hooks into, dynamically runs, and analyzes a given iOS mobile application, (2) exercises its user interface to cover the interaction state space and extracts information about the runtime behaviour, and (3) generates a state model of the given application, capturing the user interface states and transitions between them. Our technique is implemented in a tool called ICRAWLER. To evaluate our technique, we have conducted a case study using six open-source iPhone applications. The results indicate that ICRAWLER is capable of automatically detecting the unique states and generating a correct model of a given mobile application.</p>
<p>Keywords: reverse engineering; mobile applications; iOS; model generation</p>
<p>II. INTRODUCTION</p>
<p>According to recent estimations [1], by 2015 over 70 percent of all handset shipments will be smartphones, capable of running mobile applications.<sup>1</sup> Currently, there are over 600,000 mobile applications on Apple's AppStore [2] and more than 400,000 on Android Market [3].</p>
<p>Some of the challenges involved in mobile application development include handling different devices, multiple operating systems (Android, Apple iOS, Windows Mobile), and different programming languages (Java, Objective-C, Visual C++). Moreover, mobile applications are developed mostly in small-scale, fast-paced projects to meet the competitive market's demand [4]. Given the plethora of different mobile applications to choose from, users show low tolerance for buggy, unstable applications, which puts an indirect pressure on developers to comprehend and analyze the quality of their applications before deployment.</p>
<p><sup>1</sup> There are two kinds of mobile applications: native applications and web-based applications. Throughout this paper, mobile application refers to native mobile applications.</p>
<p>With the ever increasing demands of smartphone users for new applications, novel software engineering techniques and tools geared towards the mobile platform are required [5], [6], [7] to support mobile developers in their program comprehension, analysis and testing tasks [8], [9].</p>
<p>According to a recent study [10], many developers interact with the graphical user interface (GUI) to comprehend the software by creating a mental model of the application. For traditional desktop applications, an average of 48% of the application's code is devoted to the GUI [11]. Because of their highly interactive nature, we believe the amount of GUI-related code is typically higher in mobile applications.</p>
<p>To support mobile developers in their program comprehension and analysis tasks, we propose a technique to automatically reverse engineer a given mobile application and generate a comprehensible model of the user interface states and transitions between them. In this paper, we focus on native mobile applications for the iOS platform. To the best of our knowledge, reverse engineering of iOS mobile applications has not been addressed in the literature yet.</p>
<p>Our paper makes the following contributions:</p>
<ul>
<li>A technique that automatically performs dynamic analysis of a given iPhone application by executing the program and extracting information about the runtime behaviour. Our approach exercises the application's user interface to cover the interaction state space;</li>
<li>A heuristic-based algorithm for recognizing a new user interface state, composed of different UI elements and properties;</li>
<li>A tool implementing our technique, called ICRAWLER (iPhone Crawler), capable of automatically navigating and generating a state model of a given iPhone application. This generated model can assist mobile developers to better comprehend and visualize their mobile application. It can also be used for analysis and testing purposes (i.e., smoke testing, test case generation);</li>
<li>An evaluation of the technique through a case study conducted on six different open-source iPhone applications. The results of our empirical evaluation show that ICRAWLER is able to identify the unique states of a given iPhone application and generate its state model accurately, within the supported transitional UI elements.</li>
</ul>
<p>2012 19th Working Conference on Reverse Engineering. IEEE. DOI 10.1109/WCRE.2012.27</p></li>
<li><p>III. RELATED WORK</p>
<p>We divide the related work in three categories: mobile application security testing, industrial testing tools currently available to mobile developers, and GUI reverse engineering and testing.</p>
<p>Mobile Application Security Testing. Security testing of mobile applications has gained most of the attention from the research community when compared to other areas of research such as functional testing, maintenance, or program comprehension. Most security testing approaches are based on static analysis of mobile applications [12] to detect mobile malware. Egele et al. [13] propose PIOS to perform static taint analysis on iOS application binaries. To automatically identify possible privacy gaps, the mobile application under test is disassembled and a control flow graph is reconstructed from Objective-C binaries to find code paths from sensitive sources to sinks. Extending on PIOS, the same authors discuss the challenges involved in dynamic analysis of iOS applications and propose a prototype implementation of an Objective-C binary analyzer [14]. Interestingly, to exercise the GUIs, they use image processing techniques. This work is closest to ours. However, their approach randomly clicks on a screen area, reads the contents from the device's frame buffer and applies image processing techniques to compare screenshots and identify interactive elements. Since image comparison techniques are known to have a high rate of false positives, in our approach we programmatically detect state changes by using a heuristic-based approach.</p>
<p>Industrial Testing Tools. Most industrial tools and techniques currently available for analyzing mobile applications are manual or specific to the application in a way that they require knowledge of the source code and structure of the application. For instance, KIF (Keep It Functional) [15] is an open source iOS integration test framework, which uses the assigned accessibility labels of objects to interact with the UI elements. The test runner is composed of a list of scenarios and each scenario is composed of a list of steps. Other similar frameworks are FRANK [16] and INSTRUMENTS [17]. A visual technology, called SIKULI [18], uses fuzzy image matching algorithms on the screenshots to determine the positions of GUI elements, such as buttons, in order to find the best matching occurrence of an image of the GUI element in the screen image. SIKULI creates keyboard and mouse click events at that position to interact with the element. There are also record and playback tools for mobile applications such as MONKEYTALK [19]. However, using such tools requires application-specific knowledge and much manual effort.</p>
<p>GUI Reverse Engineering and Testing. Reverse engineering of desktop user interfaces was first proposed by Memon et al. in a technique called GUI Ripping [20]. Their technique starts at the main window of a given desktop application, automatically detects all GUI widgets and analyzes the application by executing those elements. Their tool, called GUITAR, generates an event-flow graph to capture a model of the application's behaviour and generate test cases.</p>
<p>For web applications, Mesbah et al. [21] propose a crawling-based technique to reverse engineer the navigational structure and paths of a web application under test. The approach, called CRAWLJAX, automatically builds a model of the application's GUI by detecting the clickable elements, exercising them, and comparing the DOM states before and after the event executions. The technique is used for automated test case generation [22] and maintenance analysis [23] in web applications.</p>
<p>Amalfitano et al. [24] extend on this approach and propose a GUI crawling technique for Android applications. Their prototype tool, called A2T2, manages to extract models of a small subset of widgets of an Android application.</p>
<p>Gimblett et al. [25] present a generic description of UI model discovery, in which a model of interactive software is automatically discovered through simulating its user actions. Specifically, they describe a reusable and abstract API for user interface discovery.</p>
<p>Further, Chang et al. [26] build on SIKULI, the aforementioned tool, to automate GUI testing. They help GUI testers automate regression testing by programming test cases once and repeatedly applying those test cases to check the integrity of the GUI.</p>
<p>Hu et al. [27] propose a technique for detecting GUI bugs for Android applications using Monkey [28], an automatic event generation tool. Their technique automatically generates test cases, feeds the application with random events, instruments the VM, and produces log/trace files to detect errors by analyzing them post-run.</p>
<p>To the best of our knowledge, no work has been done so far to reverse engineer Objective-C iPhone applications automatically. Our approach and algorithms are different from the aforementioned related work in the way we track the navigation within the application, retrieve the UI views and elements, and recognize a new state, which are geared towards native iPhone user interfaces.</p>
<p>IV. BACKGROUND AND CHALLENGES</p>
<p>Here, we briefly describe the relevant iPhone programming concepts [17] required for understanding our approach in Section V.</p>
<p>Objective-C is the primary programming language used to write native iOS applications. The language adds a thin layer of object-oriented and Smalltalk-style messaging to the C programming language. Apple provides a set of Objective-C APIs collectively called Cocoa. Cocoa Touch is a UI framework on top of Cocoa. One of the main frameworks of Cocoa Touch is UIKit, which provides APIs to develop iOS user interfaces.</p></li>
<li><p>Figure 1: The Olympics2012 iPhone application going through a UI state transition, after a generated event.</p>
<p>The Model-View-Controller design pattern is used for building iOS applications. In this model, the controller is a set of view controllers as well as the UIApplication object, which receives events from the system and dispatches them to other parts of the system for handling. As soon as an application is launched, the UIApplication main function creates a singleton application delegate object that takes control. The application delegate object can be accessed by invoking the shared application class method from anywhere in code.</p>
<p>At a minimum, a window object and a view object are required for presenting the application's content. The window provides the area for displaying the content and is loaded from the main nib file.<sup>2</sup> Standard UI elements, which are provided by the UIKit framework for presenting different types of content, such as labels, buttons, tables, and text fields, are inherited from the UIView class. Views draw content in a designated rectangular area and handle events.</p>
<p>Events are objects sent to an application to inform it of user actions. Many classes in UIKit handle touch events in ways that are distinctive to objects of the class. The application sends these events to the view on which the touch occurred. That view analyzes the events and responds in an appropriate manner. For example, buttons and sliders are responsive to gestures such as a tap or a drag, while scroll views provide scrolling behaviour for tables or text views. When the system delivers a touch event, it sends an action message to a target object when that gesture occurs.</p>
<p>View controllers are used to change the UI state of an application. A view controller is responsible for handling the creation and destruction of its views, and the interactions between the views and other objects in the application. The UIKit framework includes classes for view controllers such as UITabBarController, UITableViewController and UINavigationController. Because iOS applications have a limited amount of space in which to display content, view controllers also provide the infrastructure needed to swap out the views from one view controller and replace them with the views of another view controller. The most common relationships between source and destination view controllers in an iPhone application are either by using a navigation controller, in which a child of a navigation controller pushes another child onto the navigation stack, or by presenting a view controller modally. The navigation controller is an instance of the UINavigationController class and is used for structured content applications to navigate between different levels of content in order to show a screen flow, whereas the modal view controllers represent an interruption to the current workflow.</p>
<p><sup>2</sup> A nib file is a special type of resource file to store the UI elements in.</p>
<p>Figure 2: The generated state graph of the Olympics2012 iPhone application. [Graph image; the edge labels visible in the figure are TabBarItemclicked, Back, and goto-prefixed transitions from gotoArchery through gotoCycling1 to gotoCycling4, gotoDiving, gotoSwimming and the other sports, to gotoCanoe2.]</p>
<p>Challenges. Dynamic analysis of iOS applications has a number of challenges. Most iOS applications are heavily based on event-driven graphical user interfaces. Simply launching an application will not be sufficient to infer a proper understanding of the application's runtime behaviour [14]. Unfortunately, most iOS applications currently do not come with high coverage test suites. Therefore, to execute a wide range of paths and reverse engineer a representative model, an approach targeting iOS applications needs to be able to automatically change the application's state and analyze state changes.</p>
<p>One challenge that follows is defining and detecting a new state of an application while executing and changing its UI. In other words, automatically determining whether a state change has occurred is not that straightforward.</p>
<p>Another challenge, associated with tracking view controllers, revolves around the fact that firing an event on the UI could result in several different scenarios as far as the UI is concerned, namely, (1) the current view controller cou...</p></li></ul>
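The three-step procedure from the abstract (run the application, exercise its interactive elements, build a graph of UI states and transitions) and the state-detection challenge just described, as an added example that is not code from the paper or from the ICRAWLER tool. It is a Python model of the crawl over a constructed, simulated app: `SimulatedApp`, `Element`, `crawl`, `to_dot` and `build_sample_app` are names assumed here, the transition table stands in for the live UIKit view hierarchy a real crawler would hook into, and the `heuristic_fingerprint` that ignores `UILabel` text is an assumed heuristic, not the paper's algorithm (which is in Section V, not reproduced on this page).

```python
"""Added example (not from the paper): crawl a simulated iOS app, recognise
UI states with a fingerprint heuristic, and emit the state model as DOT."""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Element:
    """A UIKit-style widget as the crawler sees it (constructed abstraction)."""
    kind: str          # e.g. "UITabBarItem", "UITableViewCell", "UILabel"
    label: str         # title or accessibility label
    interactive: bool  # whether an event can be fired on it


class SimulatedApp:
    """Constructed stand-in for the app under test: named screens with their
    elements, plus a table of where firing an event on a screen leads.
    A real crawler would hook into the running app's view hierarchy instead."""
    def __init__(self, screens, transitions, start):
        self.screens, self.transitions, self.current = screens, transitions, start

    def elements(self):
        return self.screens[self.current]

    def fire(self, element):
        # Events without an entry in the table leave the UI where it is.
        self.current = self.transitions.get((self.current, element.label), self.current)

    def goto(self, screen):
        # Stands in for the back-navigation/restart a crawler uses to re-enter a state.
        self.current = screen


def naive_fingerprint(elements):
    """Every element, label text included, contributes to the state identity."""
    return frozenset((e.kind, e.label) for e in elements)


def heuristic_fingerprint(elements):
    """Assumed heuristic: identify a state by its structural elements and ignore
    free text in UILabels, so a refreshed timestamp is not a new state."""
    return frozenset((e.kind, e.label) for e in elements if e.kind != "UILabel")


def crawl(app, start, fingerprint=heuristic_fingerprint):
    """Breadth-first exploration of the interaction state space.
    Returns ([(state id, representative screen)], [(source, event, target)])."""
    state_of = {}   # fingerprint -> state id
    screen_of = {}  # state id -> a screen that exhibits that state
    edges = set()   # only state-changing transitions are recorded
    queue = deque()

    def observe(screen):
        app.goto(screen)
        fp = fingerprint(app.elements())
        if fp not in state_of:
            state_of[fp] = f"S{len(state_of)}"
            screen_of[state_of[fp]] = screen
            queue.append(state_of[fp])
        return state_of[fp]

    observe(start)
    while queue:
        sid = queue.popleft()
        app.goto(screen_of[sid])
        for el in [e for e in app.elements() if e.interactive]:
            app.goto(screen_of[sid])  # restore the source state before each event
            app.fire(el)
            tid = observe(app.current)
            if tid != sid:            # same fingerprint => no state change detected
                edges.add((sid, el.label, tid))
    return sorted(screen_of.items()), sorted(edges)


def to_dot(states, edges):
    """Render the model in Graphviz DOT, in the spirit of the paper's Figure 2."""
    lines = ["digraph model {"]
    lines += [f'  {sid} [label="{sid}: {screen}"];' for sid, screen in states]
    lines += [f'  {src} -> {dst} [label="{ev}"];' for src, ev, dst in edges]
    return "\n".join(lines + ["}"])


def build_sample_app():
    """Constructed toy app: two tab bar items, a sports table, two detail
    screens, and a schedule screen whose label text changes on refresh."""
    tabs = [Element("UITabBarItem", "Sports", True), Element("UITabBarItem", "Schedule", True)]
    refresh = [Element("UIButton", "Refresh", True)]
    screens = {
        "Home": tabs + [Element("UILabel", "Welcome", False)],
        "Sports": tabs + [Element("UITableViewCell", "Archery", True),
                          Element("UITableViewCell", "Cycling", True)],
        "Archery": [Element("UIBarButtonItem", "Back", True), Element("UIButton", "Medal table", True)],
        "Cycling": [Element("UIBarButtonItem", "Back", True), Element("UIButton", "Route map", True)],
        "Schedule": tabs + refresh + [Element("UILabel", "Updated 12:00", False)],
        "Schedule2": tabs + refresh + [Element("UILabel", "Updated 12:01", False)],
    }
    transitions = {
        ("Home", "Sports"): "Sports", ("Home", "Schedule"): "Schedule",
        ("Sports", "Schedule"): "Schedule", ("Sports", "Archery"): "Archery",
        ("Sports", "Cycling"): "Cycling", ("Archery", "Back"): "Sports",
        ("Cycling", "Back"): "Sports", ("Schedule", "Sports"): "Sports",
        ("Schedule", "Refresh"): "Schedule2", ("Schedule2", "Sports"): "Sports",
        ("Schedule2", "Refresh"): "Schedule",
    }
    return SimulatedApp(screens, transitions, "Home")


if __name__ == "__main__":
    print(to_dot(*crawl(build_sample_app(), "Home")))
```

Running the block prints a five-state DOT graph. Passing `fingerprint=naive_fingerprint` to `crawl` instead yields six states and three extra edges, because the refreshed timestamp label makes the schedule screen look like a new state; that difference is exactly the "is this a new state?" question the Challenges paragraph raises, and a crawler's state-equivalence heuristic decides how large and how faithful the resulting model is.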