Evaluation of Cryptography Usage in Android Applications

Chatzikonstantinou, Alexia; Ntantogian, Christoforos; Καρόπουλος, Γεώργιος; Xenakis, Christos

doi:10.4108/eai.3-12-2015.2262471

Cited by 34 publications

(24 citation statements)

References 10 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Our manual analysis confirms that all misuses of the Cipher class are due to using the insecure algorithm DES or mode of operation ECB. is result is in line with the findings of prior studies [11,12,27].…”

Section: Types Of Misuses (Rq2)supporting

confidence: 93%

See 1 more Smart Citation

CrySL: An Extensible Approach to Validating the Correct Usage of Cryptographic APIs

Krüger

Späth

Ali

et al. 2021

IIEEE Trans. Software Eng.

View full text Add to dashboard Cite

Various studies have empirically shown that the majority of Java and Android apps misuse cryptographic libraries, causing devastating breaches of data security. erefore, it is crucial to detect such misuses early in the development process. e fact that insecure usages are not the exception but the norm precludes approaches based on property inference and anomaly detection.In this paper, we present C SL, a definition language that enables cryptography experts to specify the secure usage of the cryptographic libraries that they provide. C SL combines the generic concepts of method-call sequences and data-flow constraints with domain-specific constraints related to cryptographic algorithms and their parameters. We have implemented a compiler that translates a C SL ruleset into a context-and flow-sensitive demanddriven static analysis. e analysis automatically checks a given Java or Android app for violations of the C SL-encoded rules.We empirically evaluated our ruleset through analyzing 10,001 Android apps. Our results show that misuse of cryptographic APIs is still widespread, with 96% of apps containing at least one misuse. However, we observed fewer of the misuses that were reported in previous work.

show abstract

Section: Types Of Misuses (Rq2)supporting

confidence: 93%

“…Unlike C C , CMA has been evaluated on a small dataset of only 45 apps. Chatzikonstantinou et al [11] ran a dynamic checker for a number of misuses and manually verified their findings on 49 apps. All three studies concluded that at least 88% of the studied apps misuse at least one Crypto API.…”

Section: Related Workmentioning

confidence: 99%

CrySL: An Extensible Approach to Validating the Correct Usage of Cryptographic APIs

Krüger

Späth

Ali

et al. 2021

IIEEE Trans. Software Eng.

View full text Add to dashboard Cite

show abstract

“…Even experienced programmers are likely to make mistakes. Such mistakes will compromise the security objective the programmer tries to achieve by using the cryptographic primitives, as studied in the cryptographic misuse literature, e.g., [EBFK13, SGT + 14, CNKX16,MLLD16]. Proper use of low-level cryptographic APIs requires considerable security expertise.…”

Section: Difficult-to-use Low-level Cryptographic Librariesmentioning

confidence: 99%

“…73]. A string of papers, beginning in 2012, have documented widespread cryptographic misuse in mobile applications [FHM + 12, EBFK13, BML + 14, LZLG14, LCWZ14, SGT + 14, CNKX16,MLLD16]. These works define specific types of cryptographic misuse and build tools to detect them.…”

Section: Introductionmentioning

confidence: 99%

“…Misuse type and number of apps containing that type, plus total number of apps studied, using the misuse analysis systems CryptoLint[EBFK13], CMA [SGT + 14], CNKX[CNKX16], and CDRep[MLLD16]. Misuse types prevented by SecAlgo are listed; three other types studied [EBFK13, CNKX16, MLLD16] (a constant salt for password-based encryption (PBE), < 1000 iterations for PBE, and improper seeding for Java SecureRandom objects), not prevented by Sec-Algo, are not listed.…”

mentioning

confidence: 99%

See 1 more Smart Citation

High-Level Cryptographic Abstractions

Kane

Lin

Chand

et al. 2019

Proceedings of the 14th ACM SIGSAC Workshop on Programming Languages and Analysis for Security

View full text Add to dashboard Cite

The interfaces exposed by commonly used cryptographic libraries are clumsy, complicated, and assume an understanding of cryptographic algorithms. The challenge is to design high-level abstractions that require minimum knowledge and effort to use while also allowing maximum control when needed.This paper proposes such high-level abstractions consisting of simple cryptographic primitives and full declarative configuration. These abstractions can be implemented on top of any cryptographic library in any language. We have implemented these abstractions in Python, and used them to write a wide variety of well-known security protocols, including Signal, Kerberos, and TLS.We show that programs using our abstractions are much smaller and easier to write than using low-level libraries, where size of security protocols implemented is reduced by about a third on average. We show our implementation incurs a small overhead, less than 5 microseconds for shared key operations and less than 341 microseconds (< 1%) for public key operations. We also show our abstractions are safe against main types of cryptographic misuse reported in the literature.

show abstract