iOS Privacy Manifest: Empowering Data Privacy Evaluation

Staying informed about how apps collect and use your data is crucial in digital privacy. Addressing this, Appicaptor finds privacy-related app issues and extracts contents of the iOS Privacy Manifest. All information is correlated with results from static and dynamic analysis to provide enhanced privacy insights.

In today’s interconnected digital landscape, concerns related to data privacy are in focus. App developers, platform providers and smartphone OS manufacturers face pressure to prioritize user privacy and transparency. In response to these concerns, Apple has introduced an initiative: the iOS Privacy Manifest. This feature serves as documentation of how apps access, use and transmit privacy-related data. Appicaptor uses the information from the iOS Privacy Manifest, enabling users and companies to make well-informed decisions.

Understanding the iOS Privacy Manifest

iOS Privacy Manifests are attached to the app’s binary as a property list (plist) and hold information regarding the collection and usage of privacy-related data by the app and included third-party SDKs. Not providing valid information within the iOS Privacy Manifest may lead to notifications or rejection during the app submission process. Strict enforcement in the App Store is scheduled to start in May 2024.

Privacy Manifest Components

When it comes to populating an iOS Privacy Manifest, there are several key data structures that developers must adhere to:

  • Required Reason APIs: Apple introduced a class of APIs referred to as Required Reason APIs to address concerns regarding fingerprinting. Any app or SDK utilizing an API from this list must explicitly state a valid purpose for its usage.
  • Data Usage Categories: Developers must provide a breakdown of data usage categories in their privacy manifests. This includes specifying the data collected, whether it is linked to end-users’ identities, whether it is used for tracking purposes, and a list of reasons justifying the collection. Apple provides a predefined set of purposes that developers have to reference.
  • External Domain Usage: All external tracking domains used in the app or third-party SDKs must be listed in the iOS Privacy Manifest. This provides users with clear visibility into the presence of all domains utilized for tracking purposes. When tracking permission (via the App Tracking Transparency framework) is not granted by the user, network requests to these domains will be blocked by iOS.

Appicaptor: iOS Privacy Manifest as additional App Evaluation Source

Appicaptor extracts the contents of the iOS Privacy Manifest and presents them in a human-readable format. Beyond that, Appicaptor correlates the manifest’s content with privacy-related findings discovered in the app binary through static analysis. In this way, Appicaptor offers users a comprehensive understanding of how their privacy-related data is handled by the apps:

  • Privacy Transparency: By presenting the iOS Privacy Manifest contents in a human-readable format, Appicaptor users gain transparency into the app’s data collection practices.
  • Informed Decision-Making Elevated: Armed with an in-depth understanding of an app’s privacy practices, Appicaptor users can make informed decisions about whether to engage with the app. Correlating the manifest contents with static analysis findings, combined with Appicaptor’s ability to define custom rulesets, enables companies to assess the privacy risks associated with using the app and to make choices aligned with their privacy preferences and concerns.
  • Enhanced Privacy Insights: Appicaptor’s static analysis enables an examination of the app’s codebase, revealing privacy insights in addition to what is disclosed in the iOS Privacy Manifest. By correlating these findings, users gain a more granular understanding of how their data is collected, used, and shared by the app.
  • Accountability and Trust Building: Appicaptor’s evaluation reports promote accountability and trust by checking the alignment between stated privacy practices and the actual implementation. By correlating the results, Appicaptor users can identify and address any discrepancies between the documentation and the implementation of privacy-related data usage.
Uncorrelated iOS Privacy Manifest information presentation in Appicaptor
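To make the manifest components listed above and the correlation idea concrete, the following added example (not Appicaptor’s code) parses a PrivacyInfo.xcprivacy plist into readable lines and flags inconsistencies: Required Reason API entries without a reason, tracking flags that contradict each other, and domains observed in the binary that the manifest does not declare as tracking domains. The key names follow Apple’s published manifest schema; the sample manifest and the list of observed domains are constructed for this example, standing in for what a static scan of a real binary would return.

```python
"""Parse an iOS Privacy Manifest (XML plist) and correlate it with observed domains.

Added example, not Appicaptor's implementation. Key names follow Apple's
manifest schema; SAMPLE_MANIFEST and OBSERVED_DOMAINS are constructed inputs.
"""
import plistlib

# Constructed PrivacyInfo.xcprivacy: tracking enabled, one tracking domain,
# one collected data type and two Required Reason API entries (one lacks a reason).
SAMPLE_MANIFEST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>NSPrivacyTracking</key><true/>
  <key>NSPrivacyTrackingDomains</key>
  <array><string>tracker.example.net</string></array>
  <key>NSPrivacyCollectedDataTypes</key>
  <array>
    <dict>
      <key>NSPrivacyCollectedDataType</key><string>NSPrivacyCollectedDataTypeCoarseLocation</string>
      <key>NSPrivacyCollectedDataTypeLinked</key><false/>
      <key>NSPrivacyCollectedDataTypeTracking</key><true/>
      <key>NSPrivacyCollectedDataTypePurposes</key>
      <array><string>NSPrivacyCollectedDataTypePurposeThirdPartyAdvertising</string></array>
    </dict>
  </array>
  <key>NSPrivacyAccessedAPITypes</key>
  <array>
    <dict>
      <key>NSPrivacyAccessedAPIType</key><string>NSPrivacyAccessedAPICategoryUserDefaults</string>
      <key>NSPrivacyAccessedAPITypeReasons</key><array><string>CA92.1</string></array>
    </dict>
    <dict>
      <key>NSPrivacyAccessedAPIType</key><string>NSPrivacyAccessedAPICategoryFileTimestamp</string>
      <key>NSPrivacyAccessedAPITypeReasons</key><array/>
    </dict>
  </array>
</dict>
</plist>
"""

# Constructed stand-in for host names a static string scan of the binary would yield.
OBSERVED_DOMAINS = {"api.example.com", "tracker.example.net", "ads.example.org"}


def parse_manifest(data: bytes) -> dict:
    """Load the manifest plist (XML or binary form) into a dict."""
    return plistlib.loads(data)


def _short(name: str, prefix: str) -> str:
    """Strip Apple's long key prefix so the summary stays readable."""
    return name[len(prefix):] if name.startswith(prefix) else name


def summarize(manifest: dict) -> list:
    """Render the manifest as human-readable lines."""
    lines = [f"Tracking enabled: {manifest.get('NSPrivacyTracking', False)}"]
    for domain in manifest.get("NSPrivacyTrackingDomains", []):
        lines.append(f"Tracking domain: {domain}")
    for item in manifest.get("NSPrivacyCollectedDataTypes", []):
        dtype = _short(item.get("NSPrivacyCollectedDataType", "?"), "NSPrivacyCollectedDataType")
        purposes = ", ".join(_short(p, "NSPrivacyCollectedDataTypePurpose")
                             for p in item.get("NSPrivacyCollectedDataTypePurposes", []))
        lines.append(f"Collects {dtype}: linked={item.get('NSPrivacyCollectedDataTypeLinked', False)}, "
                     f"tracking={item.get('NSPrivacyCollectedDataTypeTracking', False)}, purposes=[{purposes}]")
    for item in manifest.get("NSPrivacyAccessedAPITypes", []):
        api = _short(item.get("NSPrivacyAccessedAPIType", "?"), "NSPrivacyAccessedAPICategory")
        reasons = ", ".join(item.get("NSPrivacyAccessedAPITypeReasons", []))
        lines.append(f"Required Reason API {api}: reasons=[{reasons}]")
    return lines


def find_issues(manifest: dict, observed_domains: set) -> list:
    """Flag internal inconsistencies and gaps between the manifest and observed behaviour."""
    issues = []
    tracking = bool(manifest.get("NSPrivacyTracking", False))
    declared = set(manifest.get("NSPrivacyTrackingDomains", []))
    if declared and not tracking:
        issues.append("Tracking domains declared but NSPrivacyTracking is false")
    for item in manifest.get("NSPrivacyCollectedDataTypes", []):
        if item.get("NSPrivacyCollectedDataTypeTracking") and not tracking:
            issues.append(f"{item.get('NSPrivacyCollectedDataType')} marked as tracking but NSPrivacyTracking is false")
    for item in manifest.get("NSPrivacyAccessedAPITypes", []):
        if not item.get("NSPrivacyAccessedAPITypeReasons"):
            issues.append(f"No reason given for {item.get('NSPrivacyAccessedAPIType')}")
    # Domains seen in the binary but absent from the declaration are review items, not
    # proof of tracking: static analysis alone cannot tell a backend from a tracker.
    for domain in sorted(observed_domains - declared):
        issues.append(f"Domain {domain} observed in the binary but not declared as a tracking domain; review manually")
    return issues


if __name__ == "__main__":
    manifest = parse_manifest(SAMPLE_MANIFEST)
    print("\n".join(summarize(manifest)))
    print("\nIssues:")
    print("\n".join(find_issues(manifest, OBSERVED_DOMAINS)))
```

The undeclared-domain check is deliberately reported as a review item: a manifest only has to list tracking domains, so an API backend legitimately appears in the binary without being declared, and a reviewer needs further evidence (SDK attribution, observed traffic after tracking consent is denied) before treating it as a discrepancy.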

Conclusion

In an era where trust between users and tech companies is important, transparency regarding data collection practices is non-negotiable. By using the iOS Privacy Manifest as an additional source of evaluation, Appicaptor enhances its app evaluation capabilities and gives users a more thorough understanding of how their data is handled by various apps. This integration reinforces Appicaptor’s commitment to empowering users to make transparent and informed decisions regarding app security.

Appicaptor’s solution contributes to the overall integrity of the digital ecosystem by promoting transparency, accountability, and responsible data usage. By empowering users with comprehensive privacy insights and encouraging developers to uphold best practices and to keep their implementation in line with their documentation, Appicaptor’s approach supports a culture of trust and integrity that benefits everyone involved.

Visit us on it-sa 2022

What data is transferred by business apps and how secure is their processing? Our research shows: If your employees use apps arbitrarily, you put your company’s security at risk.

At it-sa 2022, we present our app analysis framework Appicaptor, which you can use to automatically check whether apps are compliant with your company’s IT security demands. New methods developed within the BMBF-funded research project PANDERAM will complement Appicaptor. Among other things, the goal is to identify, evaluate and visualize complex data flows from automated dynamic analyses.

Excerpt of the dynamic data flow analysis created in the BMBF project PANDERAM: location and advertisementID information flows to third-party providers using the granted permissions of a weather app

One focus of the ongoing PANDERAM project is to develop an analysis platform using a lightweight approach for automatic data collection from large app sets in order to provide users with information about the IT security quality and privacy of their apps. The technical basis is built upon dynamic analysis of app security properties by applying hooking techniques within a custom-built runtime environment.

Using this approach, the IT security quality of apps is automatically evaluated, including issues that go beyond the aspects observable at communication level such as lack of encryption in local data storage or usage of weak cryptography. By hooking system functions, the evaluation environment also detects access to system resources such as memory card, calendar, contacts, etc. The dynamic approach allows TLS pinning to be switched off, so that transmitted data can be read and evaluated depending on their triggering factors. Furthermore, the analysis platform includes unsupervised operation and usage of apps, which autonomously recognizes specific app operation concepts for the analysis of a large functional scope of apps. Particularly important here are approaches for dealing with login fields, recognition of navigation elements and other interactive elements that must be correctly recognized and operated at app startup in order to enable app functionality.

The example of an Android weather app above shows a first visualization of the analyzed data flows. Highlighted are the location and advertisementID information that are transmitted to third parties when the app is granted the required permissions. For weather apps the example demonstrates the problem that the user wants to share the location to retrieve the local weather, but all included third-party libraries also get the permission to access and transmit the location information for their own purposes, which might not be in the interest of the information owner. Fraunhofer SIT’s Appicaptor-specific data flow analysis methods will evaluate the transfer of corporate or business data to external parties based on that concept.

You’ll find us in hall 6, booth number 6-210 for a demonstration.

Concerns about Apache Log4j in Android Apps

The recently published CVEs for the Apache Log4j Java logging library raise the question of whether Android apps are also exposed to the same critical exploitability as the huge number of server and desktop applications.

In a first response, we checked the presence of Apache Log4j in the 2,000 most popular Android apps monitored by Appicaptor and in the set of apps scanned by our Appicaptor customers to detect which Log4j versions are contained. Our analysis shows that currently less than 1% of the apps contained Log4j 1.x and none of them contained Log4j 2.x.

Regarding the current JNDI CVE-2021-4104, CVE-2021-44228, CVE-2021-45046 and CVE-2021-44832, a further piece of positive news is: Our manual tests proved that the required classes for a JNDI lookup are not available in Android. So, even if an app contains a Log4j version that is vulnerable to JNDI lookups and an attacker manages to trigger a malicious JNDI lookup, the app would not be able to perform the JNDI lookup and, at most, could only crash with a ClassNotFoundException. Therefore, no remote code execution is possible in this case.

An older vulnerability, tracked by CVE-2019-17571, is related to a server socket for receiving log messages. The SocketServer class in Log4j 1.x is vulnerable to deserialization of untrusted data, which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget while listening to untrusted network traffic for log data. The additionally tracked CVE-2020-9488 for Log4j 1.x describes an improper validation of certificates with host mismatch in the Apache Log4j SMTP appender. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack, which could leak any log messages sent through that appender. However, usage of both aforementioned functionalities is uncommon in released mobile apps, so the overall risk of exploitation is considered low.

Nevertheless, as Log4j 1.x is not maintained anymore, it should be replaced with an alternative and actively maintained logging library that does not contain known vulnerabilities.
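The kind of inventory described in this post, as an added example rather than Appicaptor’s own scanner: given the list of class names an app’s DEX files contain, the script determines which Log4j generation is present, maps the risky components named above to their CVEs, and checks whether the javax.naming classes a JNDI lookup needs are present at all. The class list below is constructed; a real scan would extract it from the app package. CVE-2021-44832 is not tied to a single class here and is left out of the mapping.

```python
"""Inventory Log4j components in an Android app's class list and relate them
to the CVEs discussed above.

Added example, not Appicaptor's implementation. CONSTRUCTED_CLASS_LIST stands in
for class names extracted from an app's DEX files.
"""

LOG4J1_PREFIX = "org.apache.log4j."          # Log4j 1.x package
LOG4J2_PREFIX = "org.apache.logging.log4j."  # Log4j 2.x package

# Components that carry the functionality the advisories describe.
RISKY_CLASSES = {
    "org.apache.log4j.net.SocketServer": "CVE-2019-17571 (deserialization of untrusted log data)",
    "org.apache.log4j.net.SMTPAppender": "CVE-2020-9488 (SMTPS certificate host mismatch)",
    "org.apache.log4j.net.JMSAppender": "CVE-2021-4104 (JNDI lookup via JMSAppender)",
    "org.apache.logging.log4j.core.lookup.JndiLookup": "CVE-2021-44228 / CVE-2021-45046 (JNDI lookup)",
}
# Subset whose exploitation needs a working JNDI lookup at runtime.
JNDI_CLASSES = {
    "org.apache.log4j.net.JMSAppender",
    "org.apache.logging.log4j.core.lookup.JndiLookup",
}

# Constructed: an app bundling Log4j 1.x including two network components, no javax.naming.
CONSTRUCTED_CLASS_LIST = [
    "com.example.weather.MainActivity",
    "org.apache.log4j.Logger",
    "org.apache.log4j.net.SocketServer",
    "org.apache.log4j.net.JMSAppender",
    "okhttp3.OkHttpClient",
]


def assess_log4j(class_names) -> dict:
    """Return Log4j generations, risky components and a verdict for a class list."""
    generations = set()
    findings = []
    jndi_available = False
    for name in class_names:
        if name.startswith(LOG4J2_PREFIX):
            generations.add("2.x")
        elif name.startswith(LOG4J1_PREFIX):
            generations.add("1.x")
        if name.startswith("javax.naming."):
            jndi_available = True  # JNDI runtime classes are bundled or present
        if name in RISKY_CLASSES:
            findings.append((name, RISKY_CLASSES[name]))

    jndi_findings = [name for name, _ in findings if name in JNDI_CLASSES]
    if not generations:
        verdict = "no Log4j found"
    elif jndi_findings and not jndi_available:
        # Matches the observation above: without javax.naming the lookup cannot run.
        verdict = ("JNDI-capable Log4j component present but no javax.naming classes: "
                   "lookup cannot execute, a crash is the worst case")
    elif jndi_findings:
        verdict = "JNDI-capable Log4j component present together with javax.naming: treat as exploitable until patched"
    else:
        verdict = "Log4j present without JNDI-capable components; review remaining findings"
    if "1.x" in generations:
        verdict += "; Log4j 1.x is unmaintained and should be replaced"

    return {
        "generations": sorted(generations),
        "findings": findings,
        "jndi_available": jndi_available,
        "verdict": verdict,
    }


if __name__ == "__main__":
    result = assess_log4j(CONSTRUCTED_CLASS_LIST)
    print("Log4j generations:", result["generations"])
    for name, cve in result["findings"]:
        print(f"  {name}: {cve}")
    print("Verdict:", result["verdict"])
```

Class-name matching only shows that a component is bundled, not that the app ever instantiates it; a SocketServer or SMTPAppender that is never configured is dead code, which is why the post rates the overall risk as low while still recommending replacement of the unmaintained 1.x line.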

New Feature: Dynamic App Analysis

We have added a new app analysis method to our Appicaptor infrastructure. From now on, all iOS app analysis orders within Appicaptor SmartWeb or Corporate subscriptions are also processed using dynamic analysis. Besides the already existing static code analysis, the apps are automatically invoked in an analysis environment. This way, processing and communication of user data is additionally monitored and analyzed during the runtime of the app. To create reproducible results and code coverage, user interactions are simulated with a deterministic interaction model.

The results of the dynamic analysis are correlated with the static code analysis to increase the depth of the Appicaptor app rating regarding security and privacy risks. For example, user-related data (address book entries, passwords, GPS positions, etc.) that is transmitted unprotected, transmitted to untrusted third parties, or abused by third-party libraries exploiting access permissions can be identified.

Budget Option: Appicaptor Top 2000 Free (Select)

Besides the targeted and specific weekly app tests with individual security policies of our customers, Appicaptor analyses the top 2,000 iOS and Android apps each month. The top 2,000 app test results can serve as an indicator of app security quality and risk assessment in your mobile device administration. As Appicaptor utilizes a standard policy for medium security requirements for the top 2,000 apps assessment, the results can be directly applied to your app blacklisting.

The Appicaptor backend uses data sources to determine app popularity and usage. This allows Appicaptor to designate the 2,000 most relevant, free apps within the entire iOS and Android app stores. Therefore, the Appicaptor Top 2000 Free test catalog offers a broad coverage of the apps that are relevant for administration practice (all apps of the app stores with the exception of games and sticker apps).

There are two Appicaptor options that provide an app risk assessment for a budget price point:

  • Top 2000 Free evaluates the top 2,000 apps of the iOS or Android app store.
  • Top 2000 Free Select expands the tested apps by 20 self-defined, free apps from the app stores.

Both options cost less than 10 Euro per day for your entire mobile environment. You receive web statistics (including blacklist rating according to the standard Appicaptor policy) and an Excel report of the findings every month.

If you need a specific offer or advice please contact us on appicaptor@sit.fraunhofer.de

Unwanted Functionality Apps in Google Play Store

Once again, a list of apps in the Google Play Store with unwanted functionality was published. This list holds apps forcibly displaying ads on the user’s lock screen, triggering video and audio advertisements even while the phone was asleep, and displaying out-of-app ads that interfere with a user’s interaction with other applications on their device. This unwanted functionality did not immediately appear after app installation, but became visible at least 24 hours after the application was launched. Some apps wait 2 weeks after installation to prevent the disturbances from being connected with the responsible app.

We have checked the published list and found 7 unique apps on it that have been analyzed in the last months by Appicaptor. All of them were blacklisted by Appicaptor’s standard policy intended for medium security requirements. The rating is based on generic rules regarding a correlation between the app model, extracted by machine learning from the app’s description text, and statically analyzed properties of the app content.

Although the unwanted functionality was not directly identified by Appicaptor, we are pleased to see that Appicaptor’s standard policy had identified these apps as not compliant with business requirements. This shows the informative value of the standard Appicaptor policy set that has been continuously revised and updated over the last years.