The most dangerous code in the world

Georgiev, Martin; Iyengar, Subodh; Jana, Suman; Anubhai, Rishita; Boneh, Dan; Shmatikov, Vitaly

doi:10.1145/2382196.2382204

Cited by 320 publications

(36 citation statements)

References 7 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…By being able to repeat a test automatically, it was possible to issue different secure sockets layer (SSL) certificates to find out whether the client validated them correctly. These or similar test scenarios are also found in other relevant research [22,31]. This led to the incorporation of similar tests into the research presented in this paper.…”

Section: Introductionsupporting

confidence: 74%

Client-Focused Security Assessment of mHealth Apps and Recommended Practices to Prevent or Mitigate Transport Security Issues

Müthing¹,

Jäschke²,

Friedrich³

2017

JMIR Mhealth Uhealth

View full text Add to dashboard Cite

BackgroundMobile health (mHealth) apps show a growing importance for patients and health care professionals. Apps in this category are diverse. Some display important information (ie, drug interactions), whereas others help patients to keep track of their health. However, insufficient transport security can lead to confidentiality issues for patients and medical professionals, as well as safety issues regarding data integrity. mHealth apps should therefore deploy intensified vigilance to protect their data and integrity. This paper analyzes the state of security in mHealth apps.ObjectiveThe objectives of this study were as follows: (1) identification of relevant transport issues in mHealth apps, (2) development of a platform for test purposes, and (3) recommendation of practices to mitigate them.MethodsSecurity characteristics relevant to the transport security of mHealth apps were assessed, presented, and discussed. These characteristics were used in the development of a prototypical platform facilitating streamlined tests of apps. For the tests, six lists of the 10 most downloaded free apps from three countries and two stores were selected. As some apps were part of these top 10 lists in more than one country, 53 unique apps were tested.ResultsOut of the 53 apps tested from three European App Stores for Android and iOS, 21/53 (40%) showed critical results. All 21 apps failed to guarantee the integrity of data displayed. A total of 18 apps leaked private data or were observable in a way that compromised confidentiality between apps and their servers; 17 apps used unprotected connections; and two apps failed to validate certificates correctly. None of the apps tested utilized certificate pinning. Many apps employed analytics or ad providers, undermining user privacy.ConclusionsThe tests show that many mHealth apps do not apply sufficient transport security measures. The most common security issue was the use of any kind of unprotected connection. Some apps used secure connections only for selected tasks, leaving all other traffic vulnerable.

show abstract

Section: Introductionsupporting

confidence: 74%

Client-Focused Security Assessment of mHealth Apps and Recommended Practices to Prevent or Mitigate Transport Security Issues

Müthing¹,

Jäschke²,

Friedrich³

2017

JMIR Mhealth Uhealth

View full text Add to dashboard Cite

show abstract

“…One core problem is that revocation checks in browsers are not comprehensive: Chrome generally does not verify revocations, its CRLSet is limited to emergency revocations by design [48], and Mozilla's Firefox similarly limits revocation checks through OneCRL to CA intermediate certificates [49]. Certificate revocations in other software and libraries, which rely on the same certificate issuance processes and would also be required to adopt the new revocation checks, are rarely checked in practice [50]. Furthermore, revocations are reactive by nature and they provide a window of opportunity to an attacker by design: the time until the revocation has propagated plus the time until the attacker's certificate has been revoked by the issuing CA on request of the legitimate party, the latter of which is generally a manual process as additional verification is required.…”

Section: Mitigationmentioning

confidence: 99%

GUTI Reallocation Demystified: Cellular Location Tracking with Changing Temporary Identifier

Hong

Bae

Kim

2018

Proceedings 2018 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

“…Many applications that use encryption or other cryptographic services end up being vulnerable because their developers knowingly or unknowingly misuse cryptographic libraries [3,4,5,6]. While the cryptographic algorithms themselves may not contain severe bugs, their application programming interfaces (APIs) are not resistant to misuse and in some cases they are very difficult to use at all without detailed cryptographic knowledge.…”

Section: Introductionmentioning

confidence: 99%

How Usable Are Rust Cryptography APIs?

Kai

Keck

Wagner

2018

2018 IEEE International Conference on Software Quality, Reliability and Security (QRS)

View full text Add to dashboard Cite

Context: Poor usability of cryptographic APIs is a severe source of vulnerabilities. Aim: We wanted to find out what kind of cryptographic libraries are present in Rust and how usable they are. Method: We explored Rust's cryptographic libraries through a systematic search, conducted an exploratory study on the major libraries and a controlled experiment on two of these libraries with 28 student participants. Results: Only half of the major libraries explicitly focus on usability and misuse resistance, which is reflected in their current APIs. We found that participants were more successful using rustcrypto which we considered less usable than ring before the experiment. Conclusion: We discuss API design insights and make recommendations for the design of crypto libraries in Rust regarding the detail and structure of the documentation, higher-level APIs as wrappers for the existing low-level libraries, and selected, good-quality example code to improve the emerging cryptographic libraries of Rust.

show abstract

The most dangerous code in the world

Cited by 320 publications

References 7 publications

Client-Focused Security Assessment of mHealth Apps and Recommended Practices to Prevent or Mitigate Transport Security Issues

Client-Focused Security Assessment of mHealth Apps and Recommended Practices to Prevent or Mitigate Transport Security Issues

GUTI Reallocation Demystified: Cellular Location Tracking with Changing Temporary Identifier

How Usable Are Rust Cryptography APIs?

Contact Info

Product

Resources

About