1 Introduction

Apple's iOS (iPhone Operating System) is one of the most widely used mobile operating systems after its counterfeit Android. Apple manufactures and distributes different types of iOS devices such as iPad, iPod touch, iPhone, Apple Watch, Apple TV, etc. Apple has a huge customer base because it provides a lot of unique features such as multitasking, multi-touch gestures, internal accelerometers, voice assistant Siri, etc.(Wikipedia). Apple also offers a platform for its developers to publish and distribute their applications also called apps through its online store 'App Store'. This online store is also a repository of billions of apps from which iOS users can download apps from different categories (Apple Inc.). With the presence of 1.96 million apps, the App Store is the world's second-largest online store than its counterpart Android which has 2.87 million apps on its official store Play Store. Such a fast-growing platform motivates developers, IT industries, marketing firms, and organizations to develop feature-rich apps. It also allures the customers or users to download these apps. With the upsurge of smart devices, the number of apps, and the number of smartphone users, smartphones and smart devices have also become a device for storing a large amount of user's personal data (Erickson et al.). This includes personal information such as address book, photo gallery, email IDs, passwords, calendar events, etc. Additionally, a smartphone always generates contextual data via its sensors. Such crucial information of users is undoubtedly more personal when compared with the data, which is stored on personal computers because smartphones stay with individuals throughout the day and generate a lot of contextual data by sensors. These sensors are not present on personal computers; therefore, it can be inferred that smartphones contain a lot of user's personal data which makes them a valuable resource for the developers of malicious apps who might intend to develop privacy-infringing apps and access user's data.

To preserve the privacy of its users both Apple and Android follow a permission-based access control policy (Krupp). The policy ensures that the app will notify its users about all the permissions and resources the app will use during its run-time. Android follows an install-time and run-time permission policy in which the users are aware of the permissions the app will acquire during its usage during app installation. Whereas, Apple follows a run-time permission policy in which the users are informed about app permissions during app usage (Khan et al.). Additionally, Apple provides privacy controls through its inbuilt 'setting app', through which they can explicitly define the permission for every app which has been installed (Krupp). Additionally, Apple follows a strict code signing process in which the apps that have been submitted by the developers on the App Store are critically examined before they are published. However, past attacks on iOS devices via privacy-infringing apps have demonstrated these methods adopted by Apple are inadequate to preserve the privacy of the users.

A lot of research work has been conducted to highlight the privacy breach by apps. Research conducted by Wired has identified that thousands of iOS and Android apps leak data from the cloud. The apps leaked lots of user's personal data such as medical information, phone number, device identifiers, passwords, etc.(WIRED). A similar kind of research conducted by Oxford researchers identified that a lot of third-party apps are sharing data with Facebook and Google. A total of 959,000 apps were analyzed. The study identified that 88% of these apps were transferring data to Alphabet which is Google's parent company, while Twitter, Facebook, Microsoft, and Amazon received 34%, 43%, and 18% of user's data respectively (Millman). To name a few the data collected by these companies included age, location, gender, etc. A report by Pt security highlighted the threats by the third-party mobile apps which included insecure data storage by apps, Escalated privileges taken by the app, side-loaded software, client-side vulnerabilities, etc.(Ptsecurity.com).

The issue of privacy leaks by apps also increases because of the issues in the current permission model adopted by Apple. The users do not have fine-grained access control over the data which is shared by the app in use. Smartphones do offer coarse-grained privacy as well as security controls where the users can either deny or allow permission for an explicit resource by an app. However, the problem with this approach is that once a user grants permission to the app he/she does not have any control over restricting the app from sharing the data. For example, once a user grants location permission to an app, the user cannot restrict the app from accessing a particular location. Likewise, once a user grants permission to access the address book, the user cannot restrict the app from accessing a specific contact. Since the users do not have the option to specify the accuracy of the sensors while accessing location, device accelerometer, and locally shared data, thus the apps must restrict their access. However, developers of malicious apps intentionally create over-privileged apps. Users are allured by the features of apps and thus grant permissions to the friendly-looking apps. However, the users never know if the app is using their data locally or sharing it with third-party domains without their consent. To eradicate this, problem we present a privacy detection model that uses app permissions during static analysis. The model first extracts user permission using the concept of reverse engineering and constructs a Boolean value permission matrix P_mxn where m represents the number of apps under analysis and n represents no. of permissions. Here a total of 1150 iOS apps from 12 app categories are tested for 10 different user permissions. Machine learning and ensemble-based techniques are employed to train the classifiers and determine malicious iOS apps. Apps are reverse-engineered from 12 different categories. In order to improve the precision of classifiers, the correlation of permissions for each category has been computed using Analytic Hierarchy Process (AHP). Later, the weighing factors obtained from AHP for each permission category-wise have been used to construct a weighted permission matrix P[mxn] to train the classifiers. The motivation for using a weighted permission matrix is that every permission has a different weight for a category. Apple provides a set of predefined app categories on the App Store which helps the developer to choose the best category before uploading the app. The category also defines the necessary features that the app provides the users during its usage. For example, the category navigation specifies that the apps belonging to the navigation category will fetch the user's location to guide them and navigate them. Likewise, an app belonging to the photo and video category will require access to the user's photo gallery and camera to serve its intended purpose. Apple provides a limited set of permissions, which require explicit approval during app usage. The problem of privacy leaks exists because it is very difficult to determine a benign app, an over-privileged app, or a malicious app with this limited permission set. Even the operating system cannot determine the intention of an app during its run-time. In other words, it is very difficult to identify malicious iOS apps as there exists a thin boundary line to identify how well a permission is correlated to a category. Using our approach, we identify the most significant permissions within a category using AHP approach that helps in identifying the malicious iOS apps. To address the challenges in the existing model for handling privacy breaches, we use the AHP technique to find the correlation of permission for a category to detect privacy violations by apps. For example, the permission of a user's location is an essential feature for an app belonging to the 'navigation' category because it functions after it receives the user's approval to access the GPS location. The same permission might have a different weight for the 'books' category as the prime purpose of this category is to provide stories, comics, graphic novels, and interactive content for which location permission may not be mandatory permission. Based on the aforementioned facts and guidelines provided by Apple we propose a heuristic approach to determine privacy leaks by iOS apps.

The foremost contributions of the paper have been listed below.

o A novel hybrid approach that integrates MCDM approach, AHP with Machine learning & ensemble learning techniques has been proposed to detect malicious iOS apps.

o The proposed approach has been evaluated on 1150 apps belonging to twelve category iOS apps. Each app possesses ten permissions.

o The proposed approach improves the malware detection accuracy best case value of 14%.

The rest of the paper is organized as follows. Section 2 describes the related work on machine learning and ensemble techniques used to detect malicious apps. The section also describes the techniques that have been used in this paper. Section 3 describes our proposed heuristic approach of multicriteria decision-making approach using AHP. Section 4 describes the experimental results and analysis. The paper is concluded in Section 5.

2 Machine learning, ensembling techniques to detect privacy leaks based on app permissions

Machine learning and ensembling learning techniques have been employed by many researchers to detect privacy violations by apps. Ping et al. have developed an ensemble classifier 'Enclamald' to identify the contrasting permission patterns to illustrate the important difference between malicious apps the benign ones based on permission usage(Xiong et al.). Liu et al. have proposed a two-layered permission-based detection model for Android apps. In their work, they considered both requested permission and used permission by apps to detect malicious apps using machine learning techniques (Liu and Liu). Congyi et al. used an implementation of ensemble learning- XGBoost method to detect malicious Android apps based on permission usage(Congyi and Guangshun). Alba et al. used feature selection and ensembling techniques to classify

Android malware(Coronado-De-Alba et al.). Idrees et al. proposed a model PIndoid, permissions, and intent-based framework, to detect malicious Android apps. It uses a combination of permissions and intents integrated with the ensemble method to improve the malware detection accuracy(Idrees et al.). Abdirashid et al. proposed a model to detect unknown malware by using a permission-based approach to enhance the accuracy as well as efficacy(Sahal et al.). The authors have improved the feature selection technique by incorporating weighing method TF-IDFCF, based on the class frequency of the app features. Jin et al. developed a malware detection system SigPID capable of coping with malware and its variants(Sun et al.). The authors have used three levels of pruning to mine app permission and identify the most significant permission capable of distinguishing malware apps from benign ones. Wang et al. have applied different ranking algorithms to classify malicious Android apps based on different ranking techniques namely principal component analysis(PCA) and sequential forward selection (SFS) to detect risky app permissions along with their subsets(Wang et al.). The authors have used a data set of 310926 benign and 4868 malicious apps and employed several machine learning classifiers. Jing Y et al. developed an automated risk assessment framework RiskMon which utilizes machine learning models to rank and assess the risks by Android apps(Jing et al.). The highlight of the tool was that it continuously monitors the behaviour of Android apps by combining the expectations of app users with their run-time behaviour. Run time behaviour of 20 iOS mobile health care iOS apps was analyzed by Adhikari R et al.to determine their strengths and weaknesses by assigning a safe score and risk score to them based on their run time analysis(Adhikari et al.).

Table 1 details the summary of research works on detecting privacy breaches.

However, the limitation of the above approaches is the differentiation of benign apps from malicious apps if they all request a similar set of app permissions. Since in Android, a large set of app permissions (approximately 320+) is already available, hence application of feature selection techniques, machine learning techniques, and reverse engineering is easy. However, in the case of the iOS platform a limited set of 10-13 permissions is available which varies with the iOS version. Hence, distinguishing a benign app from a malicious app is very difficult because there exists a thin boundary between a malicious and a benign app.

As most of the work has been done for the Android platform, in this paper we propose the detection of malicious apps for the iOS platform using AHP and MCDM approach to detect malicious iOS with a minimal permission set. We have also employed several ensembling techniques. The machine learning classifiers that were used for evaluating the proposed method are listed below(Mesevage), (Abaker and Saeed; Chehal et al.), (Harahsheh and Chen).

(i) Naive Bayes (NB): It is a Bayesian classification method and is based on Bayes' Theorem. The Bayesian classification method builds a probabilistic classifier that is based on modelling the underlying features for different classes. The classification technique predicts class member probability that a given sample/tuple belongs to a particular class. The advantages of using this technique are that it needs less training data, is highly scalable, and can be used for both multi-class as well as binary classification problems(Mesevage). (ii) Decision Tree (DT): It constructs a tree structure in a top-down recursive manner based on the divide and conquer manner. The decision tree is a tree structure where the internal node represents a test on an attribute every branch represents the output of the test and the leaf nodes depict the class distribution and are easy to interpret(Chehal et al.). (iii) Random Forest (RF): Random Forest generates many classification trees. Every tree gives a classification and the forest selects the classification that has the most votes [15]. (iv) Neural Network (NN): The basic unit of a neural network is neurons, which take inputs, perform mathematical computations with them, and generate output. Every input is multiplied by a weight, and then all weighted inputs are added together with a bias function, and then the sum is passed through an activation function(Zhou). (v) Support Vector Machine (SVM): It is a fast machine learning algorithm used for solving multiclass classification problems for larger data sets. It can work with high-dimensional data comprising thousands of features and attributes. The algorithm can be used in text classification problems with high-dimensional spaces [15].

The ensembling approaches that have been employed are bagging using J48 (decision tree) and boosting.

(vi) Bagging (Bg): The technique is based on creating multiple subsets from the original dataset. The instances from the dataset are selected with replacements. Then a base model also called a weak model is created for each of the subsets. The models are run in parallel and they work independently of each other. The final predictions are computed by combining the predictions from all models(Idrees et al.).

(vii)Boosting (Bo): In boosting a subset is created from the original dataset and instances are given equal weights initially. The base model is constructed on the previously created subset and is utilized to make predictions for the complete dataset. Errors are determined to employ real and anticipated values. Higher weights are allocated for the perceptions that are incorrectly anticipated. A strong learner is defined using the weighted mean of weak learners(Idrees et al.).

The following section describes the proposed approach to determine malicious iOS apps using a multi-criteria decision-making approach.

3 Classifying iOS Apps using proposed hybrid approach

Figure 1 shows the proposed framework to classify iOS apps using machine learning and ensemble techniques based on ranked permissions. Permissions are ranked using AHP. In the proposed method, the apps are installed from the AppStore, and their features are fetched (here features refer to the app permissions such as location, camera, photo gallery, etc.). We have considered ten features for twelve categories of iOS apps. Each app has a set of features in the form of a permission vector. Generally, permission for each feature is either present or absent corresponding to an app, and the features if present are considered to be equally important. In reality, the features of each category app have different weights. Based on this belief, we have ranked the permission set of each category of apps. On the basis of permission usage across the category, we have applied correlation coefficient and ranked permissions across the category. For example, an app belonging to the Social Networking category can have app permissions like photo, camera, location, internet, etc. whereas a simple flashlight app from the utilities category may require only camera permission. Thus, the ranking of permission for camera would be entirely different in social networking and utility category.

The proposed method has two phases. In the first phase, the app features are assigned weights based on the app category. In the second phase, the classification algorithms are applied for the identification of malicious iOS apps.

Assigning weights to app permissions

To rank the permissions of an app we are using the AHP, a MCDM approach. Step 1 is to identify the AHP Hierarchy. In this step, first, the goal is defined. In this

Twelve mobile app categories have been considered. The categories are Books, Navigation, Games, Education, Health & Fitness, Lifestyle, Music, Utilities, Photo & Video, Sports, Social Networking, and Finance(Bhatt et al.). Third, the sub-criterion is defined if present. Here, the sub-criterion is the feature set of each category app for which permissions are present.AHP has been used to identify important features of each category app. The bottom level consists of the various alternatives. In our problem, 1150 apps belonging to twelve categories are the varied alternatives. The AHP hierarchy for ranking permissions of each category app is shown in Figure 1.

In step 2, pair-wise comparisons among features are performed to create a judgement matrix. We consider the ten feature sets of all apps belonging to each category. The features set consists of photos, internet, notification, map, location, contacts, calendar, cellular data, iAd, and camera. The Pearson correlation coefficient is utilized to find the feature importance for a particular category app. Then we used the Pearson correlation coefficient to work, the goal is to classify an iOS app as Malign or benign. Second, the criteria are identified. Here, the criterion is the apps category. perform a pair-wise comparison among features to find the relative importance of each pair and are given values in the range of 1 to 9. Table 2 has been used for the creation of a judgement matrix that provides the relative ranking that signifies the intensity of importance among the considered feature pair. The order of the judgement matrix depends upon the number of elements that the level of comparison. Since we are comparing the 10 feature pairs so for each category, the matrix of dimension 10*10 is formed. As the judgement matrices are formed, the eigenvectors and maximum eigenvalue (Xmax) for each matrix are computed. Later consistency index (CI) and consistency ratio (CR) are calculated as shown in Algorithm 1. RI is a random consistency index given by Saaty for n varying from 1 to 10 (Refer Table 3). The acceptable value of CR is less than 0.1. If the CR value exceeds 0.1, it represents inconsistencies and the result is meaningless. Thus, the entire process requires re-evaluations(Saaty).

The judgement matrix is found to be consistent if the value of CR is less than 0.1. The weights of features are fetched.

Apply classification algorithms to identify the benign and malign iOS apps

The feature weights computed by applying AHP are used for each category of apps and are used to train the classifiers. Five machine learning and two ensemble learning techniques are applied for the identification of malign and benign apps. The machine learning techniques that are considered are Naive Bayes, Neural Network, Random Forest, Decision Tree, and SVM.

The ensemble learning techniques are applied as the feature set in some of the categories is found to be skewed. The techniques used are bagging and boosting where J48 is used as a baseline technique.

4 Experimental results and analysis

This section presents the experimental setup and results of the proposed model on 12 categories of iOS 1150 apps.

4.1 Experimental setup

The proposed permission weighting approach is evaluated on twelve categories of iOS apps. The categories are Books (Bks), Education (Edu), Finance (Fin), Games (Gam), Health & Fitness(H&F), Lifestyle (LS), Music (Mus), Navigation (Nav), Photo&Video(P&V), Social Networking (SN), Sports (Sp) and Utilities (Util). There are a total of 1150 iOS apps that have been considered. The apps are fetched from the App Store. Table 5 shows the distribution of apps in each category that has been considered.

Each category app defines the important features that it serves to the users. The features set consists of photos, internet, notification, map, location, contacts, calendar, cellular, iAd, and camera. The permission log of these features has been extracted. Each app has its own set of feature vectors, for example, Appl of the Books category has feature vector fv= (1,0,0,1,0,1,0,0,0,0) which depict that this app has three features: photos, map, and contacts. The different features of apps are generally given equal importance. Here photos, map, and contacts are given equal importance. It has been noticed that certain features of apps are more important than other features. Based on this belief, this paper prioritizes the features of an app using the AHP, MCDM technique to classify the app as malicious or benign.

The proposed method undergoes two phases to detect malicious iOS apps: In the first phase the features of each category of iOS apps are ranked using AHP and in the second phase machine learning as well as ensemble learning methods are applied to ranked features. Finally, the performance of both approaches is evaluated using precision defined by equation 1. Here, precision is a metric used to evaluate the model's positive classifications which are actually positive. It is defined as a ratio of true positive (TP) predictions and total number of predicted positives which includes both false positives (FP) as well as true positives. Precision improves when false positives decrease.

TP

Precision

4.2 Experimental results

This section presents the results obtained from our experimental study. During the first phase, the features of varied category apps were ranked using AHP. The feature's importance has been computed using the correlation coefficient. The results of which are given in Table 4 and have been taken from our previous work on the detection of malicious iOS apps using static and dynamic analysis approaches (Bhatt et al.). The work is an extension of previous work by including ensembling and multi-criteria decision-making approach. The correlation values are used for pair-wise feature comparison. The judgement matrix has been computed for each category app using pairwise feature comparison. Figures 3a-31 represent the Judgement Matrix corresponding to each category of apps.

The procedure given in Algorithm 1 has been followed and the final weights of the ten features for all the twelve category Apps are shown in Table 6. Table 7 shows the Consistency Index (CI) and inconsistency ratio (CR) values obtained for each iOS category app. A CR value below 0.1 suggests that the comparisons made are consistent and that the judgments used in the AHP process are reliable. In our analysis, it can be clearly observed from the tables 6 & 7 that the CR values obtained were consistently below this threshold for all category iOS apps, which means that the pairwise comparisons of the permissions were logical and coherent.

A detailed illustration of AHP steps has been omitted for the sake of the length of the paper. The results of this evaluation were analyzed to find whether the inclusion of AHP in prioritizing and determining the weights of features improves the accuracy of iOS app classification or not. We have used the cross-validation technique in the Weka toolkit to measure the efficiency of the models. Generally, whenever an inadequate amount of data instances is available, cross-validation method is preferred to accomplish an unbiased approximation of the model performance. In the k-fold cross-validation technique, the dataset is divided into k subsets, each of equal size. The model is constructed 'k' times, each time using (k-1) sets of data instances for training the classifier and leaving out one subset as a 'test set' for predictions. We considered five machine-learning techniques and two ensemble-based techniques for classification. The machine learning classifiers that are used for evaluating the proposed method are Decision Tree (DT), Random Forest (RF), Naive Bayes (NB), Neural Network (NN), and Support Vector Machine (SVM) and the considered ensemble approaches are bagging using J48(Bg) and Boosting (Bo). We compared the proposed AHP-based weighing approach with actual permission-based classification approaches.

The summary of the precision values for different classifiers has been depicted in Table 8 and Table 9. The tables also depict the comparison of precision values before/after applying the AHP technique for various classifiers. The results depicted in Table 8 and Table 9 demonstrate that the proposed AHP-based approach achieved an improved average accuracy in all the category apps. The improved average accuracy attained for classification algorithms Random Forest, Support Vector Machine, Naive Bayes, Neural Network, and Decision tree is 77.83%, 78.61%, 77.99%, 75.21%, and 78.21% respectively. It has been observed that Random Forest and SVM-based AHP classifier (SVMahp), performs better in 8 categories out of 12 categories apps, and Naive Bayes-based AHP (NBahp) and Neural Network-based AHP (NBahp) classifier performs better in 9 categories out of 12 categories apps. Integration of machine learning with AHP has shown the best performance for Health & fitness category apps as the improvement can be clearly observed in the case of three classifiers SVMahp, NBahp, and NNahp as 9.8%, 9.1%, and 8.3%. The proposed hybrid model has also shown good results for the apps belonging to the categories: Navigation and Photo & Video. The results reveal the improvement of 4.4%, 2.2%, and 2.9% in SVMahp, NBahp, and NNahp classifiers for the Navigation category and 1.9%, 3.3% and 4.9% in RFAHP, SVMahp and NBahp for Photo & Video category. The average accuracy attained in ensemble techniques, Boosting and Bagging using J48 is 80.01% and 77.22%. The ensemble learning technique, boosting integrated with AHP performed the best as it has shown better accuracy in all the 12 categories of apps. The highest improvement attained is 14% for Health and Fitness Apps. Figure 4 shows the improved precision scores for 12 iOS apps categories using the proposed hybrid approach.

Based on the above results from Table 8 and Table 9 it can be concluded that the proposed approach of using a multi-criteria decision-making approach using AHP improves the detection rate of malicious apps. Up to 9.8% in machine learning techniques and 14% in ensemble learning techniques.

5 Conclusion

The paper proposes an AHP-based weighting approach integrated with machine learning and ensemble learning techniques to detect iOS malicious apps. The proposed method initially extracts the app permissions using static analysis for 12 categories to compute a permission matrix comprising the number of apps and presence/absence of features. Then correlation of permissions for every category is computed using Pearson Correlation. Later, the AHP technique is applied to determine the weights of all permissions based on their correlation with respect to the category and in order to compute a weighted permission matrix. The proposed method has been compared with traditional permission-based classification methods. Empirical results depict that the proposed approach improves the detection rate for all 12 categories of iOS apps. In the future, we plan to conduct a sensitivity analysis to test the robustness of the AHP-derived weights. We will also explore different privacy settings for iOS apps namely track, link, and not-link, and investigate which privacy settings are better predictors for determining malicious or benign apps based on app permissions.