Negative Results on Mining Crypto-API Usage Rules in Android Apps

Gao, Jun; Kong, Pingfan; Li, Li; Bissyandé, Tegawendé F.; Klein, Jacques

doi:10.1109/msr.2019.00065

Cited by 30 publications

(18 citation statements)

References 27 publications

(26 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Shuai, Guowei, Tao, Tianchang and Chenjie [9] introduced Cryptography Misuse Analyzer (CMA). Gao, Kong, Li, Bissyandé, and Klein [10] introduced CogniCryptSAST. Singleton, R. Zhao, M. Song and H. Siy, [11] introduced FIREBugs.…”

Section: Mobile Application Cryptography Studiesmentioning

confidence: 99%

A Case Study of Mobile Health Applications: The OWASP Risk of Insufficient Cryptography

Schmeelk

Tao

2022

j. of Comput. sci. res.

View full text Add to dashboard Cite

Mobile devices are being deployed rapidly for both private and professional reasons. One area of that has been growing is in releasing healthcare applications into the mobile marketplaces for health management. These applications help individuals track their own biorhythms and contain sensitive information. This case study examines the source code of mobile applications released to GitHub for the Risk of Insufficient Cryptography in the Top Ten Mobile Open Web Application Security Project risks. We first develop and justify a mobile OWASP Cryptographic knowledgegraph for detecting security weaknesses specific to mobile applications which can be extended to other domains involving cryptography. We then analyze the source code of 203 open source healthcare mobile applications and report on their usage of cryptography in the applications. Our findings show that none of the open source healthcare applications correctly applied cryptography in all elements of their applications. As humans adopt healthcare applications for managing their health routines, it is essential that they consider the privacy and security risks they are accepting when sharing their data. Furthermore, many open source applications and developers have certain environmental parameters which do not mandate adherence to regulations. In addition to creating new free tools for security risk identifications during software development such as standalone or compiler-embedded, the article suggests awareness and training modules for developers prior to marketplace software release.

show abstract

Section: Mobile Application Cryptography Studiesmentioning

confidence: 99%

A Case Study of Mobile Health Applications: The OWASP Risk of Insufficient Cryptography

Schmeelk

Tao

2022

j. of Comput. sci. res.

View full text Add to dashboard Cite

show abstract

“…In an MSR paper [11], we presented our attempt to learn crypto-APIs usage from the crowd, i.e., by mining crypto-APIs usage rules from app lineages. Android app developers recurrently use crypto-APIs to provide data security to app users.…”

Section: App Lineages To Perform Evolutionary Studiesmentioning

confidence: 99%

“…On the other hand, a classical mining approach based on typical usage patterns is not relevant in Android, given that a large share of usages include mistakes. In [11], building on the assumption that "developers update API usage instances to fix misuses", we proposed to mine the app lineages dataset to infer API usage rules. Eventually, our investigations yield negative results on our assumption that API usage updates tend to correct misuses.…”

Section: App Lineages To Perform Evolutionary Studiesmentioning

confidence: 99%

A Journey Through Android App Analysis: Solutions and Open Challenges

Klein¹

2021

Proceedings of the 2021 International Symposium on Advanced Security on Software and Systems

Self Cite

View full text Add to dashboard Cite

Users can today download a wide variety of apps ranging from simple toy games to sophisticated business-critical apps. They rely on these apps daily to perform diverse tasks, some of them related to sensitive information such as their finance or health. Ensuring high-quality, reliable, and secure apps is thus key. In the TruX research group of the interdisciplinary center for Security, Reliability, and Trust (SnT) of the University of Luxembourg, we are working for about 10 years to deliver practical techniques, tools, and other artifacts (such as repositories) making the analysis of Android apps possible. In this paper, we will briefly introduce our key contributions in both (1) Android app static analysis to detect security issues, and (2) Android Malware Detection with machine learning. We will conclude by listing several open challenges that we are currently facing towards improving the analysis and security of Android apps. CCS CONCEPTS• Security and privacy → Software security engineering; • Software and its engineering → Software verification and validation.

show abstract

“…We speculate that this might be correlated to the quality of app lineages. Indeed, as argued by Gao et al (2019), some app developers tend to write poor quality apps. Even with critical features such as crypto-API usages, developers are frequently making mistakes.…”

Section: Evolution Of the Usage Of Deprecated Apismentioning

confidence: 99%

“…AndroZoo) in our community. It is worth to mention that even with reputed apps, as disclosed by Gao et al (2019), their lineages may not be always good for supporting evolutionary studies such as mining usage patterns of cryptographic APIs. We hence encourage our fellow researchers in the community to working on this problem and inventing reliable means for supporting representative evolutionary studies in Android.…”

Section: Threats To Validitymentioning

confidence: 99%

CDA: Characterising Deprecated Android APIs

Gao

Bissyandé

et al. 2020

Empir Software Eng

Self Cite

View full text Add to dashboard Cite

Because of functionality evolution, or security and performance-related changes, some APIs eventually become unnecessary in a software system and thus need to be cleaned to ensure proper maintainability. Those APIs are typically marked first as deprecated APIs and, as recommended, follow through a deprecated-replace-remove cycle, giving an opportunity to client application developers to smoothly adapt their code in next updates. Such a mechanism is adopted in the Android framework development where thousands of reusable APIs are made available to Android app developers. In this work, we present a research-based prototype tool called CDA and apply it to different revisions (i.e., releases or tags) of the Android framework code for characterising deprecated APIs. Based on the data mined by CDA, we then perform an empirical study on API deprecation in the Android ecosystem and the associated challenges for maintaining quality apps. In particular, we investigate the prevalence of deprecated APIs, their annotations and documentation, their removal and

show abstract

Negative Results on Mining Crypto-API Usage Rules in Android Apps

Cited by 30 publications

References 27 publications

A Case Study of Mobile Health Applications: The OWASP Risk of Insufficient Cryptography

A Case Study of Mobile Health Applications: The OWASP Risk of Insufficient Cryptography

A Journey Through Android App Analysis: Solutions and Open Challenges

CDA: Characterising Deprecated Android APIs

Contact Info

Product

Resources

About