Mobile Threat Catalogue

Bypassing OS Private API Controls

Contribute

Threat Category: Malicious or privacy-invasive application

ID: APP-33

Threat Description: Mobile OS generally have two APIs - an external API that is available to public developers, and a private API that is restricted to the OS and built-in applications. Access control mechanisms implemented at the OS level may have vulnerabilities that allow 3rd party apps to successfully execute private API functions. Mobile OS app stores have since improved detection of a direct attempt by an app to call a private OS function.

Threat Origin

Symantec Internet Security Threat Report 2016 1

Exploit Examples

YiSpecter: First iOS Malware That Attacks Non-jailbroken Apple iOS Devices by Abusing Private APIs 2

Jekyll on iOS: When Benign Apps Become Evil 3

CVE Examples

Possible Countermeasures

Enterprise

Deploy MAM or MDM solutions with policies that prohibit the side-loading of apps, which may bypass security checks on the app.

Deploy MAM or MDM solutions with policies that prohibit the installation of apps from 3rd party (unofficial) app stores.

Use application threat intelligence data about potential data collection risks associated with apps installed on COPE or BYOD devices

Use app-vetting tools or services to identify apps that appear to abuse the OS API to gather sensitive data.

Mobile Device User

Use Android Verify Apps feature to identify apps that appear to abuse the OS API to gather sensitive data.

Mobile App Developer

To avoid inadvertent detection as a harmful app, review current developer documentation for the supporting OS and always use the recommended API calls to deliver app functionality.

References

  1. Internet Security Threat Report vol. 21, Symantec, 2016; https://docs.broadcom.com/doc/istr-16-april-volume-21-en [accessed 8/1/2022] 

  2. C. Xiao, “YiSpecter: First iOS Malware That Attacks Non-jailbroken Apple iOS Devices by Abusing Private APIs,” blog, 25 Oct. 2015; http://researchcenter.paloaltonetworks.com/2015/10/yispecter-first-ios-malware-attacks-non-jailbroken-ios-devices-by-abusing-private-apis/ 

  3. T. Wang et al., “Jekyll on iOS: When Benign Apps Become Evil”, in Proceedings of the 22nd USENIX Security Symposium, 2013; www.usenix.org/system/files/conference/usenixsecurity13/sec13-paper_wang_2.pdf [accessed 8/25/2016]