Computing Reviews

PSiOS: bring your own privacy & security to iOS devices
Werthmann T., Hund R., Davi L., Sadeghi A., Holz T. ASIA CCS 2013 (Proceedings of the 8th ACM SIGSAC Symposium on Information, Computer and Communications Security, Hangzhou, China, May 8-10, 2013), 13-24, 2013. Type: Proceedings
Date Reviewed: 07/25/13

PSiOS, short for privacy and security for iOS devices, is a “novel policy enforcement framework for iOS” that is timely and resonates with my concerns about the security of iOS devices such as the iPhone and iPad. Sophos (http://sophos.com) provides a free Android security app for a single device that analyzes and manages vulnerabilities. However, the proprietary closed-source iOS system does not support this type of access, even to improve security.

PSiOS is controlled by the user and is effective even without access to iOS or the Objective-C source code. This is a crucial development because many apps are able to use the device camera and video without user knowledge and have read/write access to files, accounts, and contacts. iOS assigns a “generic sandbox to all third-party apps,” and this is known to be a vulnerability readily exploited by genuinely malicious apps.

The framework developed by the authors involves reverse engineering and rewriting the application binary. Checkpoints are inserted into the application and are invoked each time an Objective-C call is made. From this, a validation request is triggered. The PSiOS framework is successfully demonstrated and evaluated using SpyPhone, an app created to steal user data from an iOS device. The testbed deployed by the authors uses several apps, including Facebook.

If you are interested in the differences between Android and iOS security or the complexity of securing vulnerabilities in proprietary closed-source apps and devices, you will find this novel approach very relevant.

Reviewer:  Alyx Macfadyen Review #: CR141396 (1310-0922)

Reproduction in whole or in part without permission is prohibited.   Copyright 2024 ComputingReviews.com™