ABSTRACT
Recent research suggests that 88% of Android applications that use Java cryptographic APIs make at least one mistake, which results in an insecure implementation. It is unclear, however, if these mistakes originate from code written by application or third-party library developers. Understanding the responsible party for a misuse case is important for vulnerability disclosure. In this paper, we bridge this knowledge gap and introduce source attribution to the analysis of cryptographic API misuse. We developed BinSight, a static program analyzer that supports source attribution, and we analyzed 132K Android applications collected in years 2012, 2015, and 2016. Our results suggest that third-party libraries are the main source of cryptographic API misuse. In particular, 90% of the violating applications, which contain at least one call-site to Java cryptographic API, originate from libraries. When compared to 2012, we found the use of ECB mode for symmetric ciphers has significantly decreased in 2016, for both application and third-party library code. Unlike application code, however, third-party libraries have significantly increased their reliance on static encryption keys for symmetric ciphers and static IVs for CBC mode ciphers. Finally, we found that the insecure RC4 and DES ciphers were the second and the third most used ciphers in 2016.
- Yasemin Acar, Michael Backes, Sascha Fahl, Simson Garfinkel, Doowon Kim, Michelle L Mazurek, and Christian Stransky. 2017. Comparing the usability of cryptographic APIs. Proceedings of the 38th IEEE Symposium on Security and Privacy.Google ScholarCross Ref
- Benjamin Bichsel, Veselin Raychev, Petar Tsankov, and Martin Vechev. 2016. Statistical Deobfuscation of Android Applications. Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security (CCS '16). ACM, New York, NY, USA, 343--355. Google ScholarDigital Library
- David W Binkley and Keith Brian Gallagher. 1996. Program slicing. Advances in Computers Vol. 43 (1996), 1--50.Google ScholarCross Ref
- Ivan Cherapau, Ildar Muslukhov, Nalin Asanka, and Konstantin Beznosov. 2015. On the Impact of Touch ID on iPhone Passcodes. In Proceedings of the Symposium on Usable Privacy and Security (SOUPS '15). 20.Google Scholar
- Ron Cytron, Jeanne Ferrante, Barry K Rosen, Mark N Wegman, and F Kenneth Zadeck. 1991. Efficiently computing static single assignment form and the control dependence graph. ACM Transactions on Programming Languages and Systems (TOPLAS), Vol. 13, 4 (1991), 451--490. Google ScholarDigital Library
- Anthony Desnos and Geoffroy Gueguen. 2011. Android: From reversing to decompilation. Proceedings of Black Hat Abu Dhabi (2011), 77--101.Google Scholar
- Danny Dolev, Cynthia Dwork, and Moni Naor. 1998. Non-malleable cryptography. In SIAM Journal on Computing. Citeseer. Google ScholarDigital Library
- Manuel Egele, David Brumley, Yanick Fratantonio, and Christopher Kruegel. 2013. An empirical study of cryptographic misuse in android applications Proceedings of the 2013 ACM SIGSAC conference on Computer &communications security. ACM, 73--84. Google ScholarDigital Library
- William Enck, Damien Octeau, Patrick McDaniel, and Swarat Chaudhuri. 2011. A Study of Android Application Security.. In USENIX security symposium, Vol. Vol. 2. 2. Google ScholarDigital Library
- Sascha Fahl, Marian Harbach, Thomas Muders, Lars Baumg"artner, Bernd Freisleben, and Matthew Smith. 2012. Why Eve and Mallory love Android: An analysis of Android SSL (in) security Proceedings of the 2012 ACM conference on Computer and communications security. ACM, 50--61. Google ScholarDigital Library
- Scott R. Fluhrer, Itsik Mantin, and Adi Shamir. 2001. Weaknesses in the Key Scheduling Algorithm of RC4. Revised Papers from the 8th Annual International Workshop on Selected Areas in Cryptography (SAC '01). Springer-Verlag, London, UK, UK, 1--24. http://dl.acm.org/citation.cfm?id=646557.694759 Google ScholarDigital Library
- B. Kaliski. 2000. PKCS #5: Password-Based Cryptography Specification Version 2.0. (2000).Google Scholar
- Patrick Lam, Eric Bodden, Ondrej Lhoták, and Laurie Hendren. 2011. The Soot framework for Java program analysis: a retrospective Cetus Users and Compiler Infastructure Workshop (CETUS 2011), Vol. Vol. 15. 35.Google Scholar
- David Lazar, Haogang Chen, Xi Wang, and Nickolai Zeldovich. 2014. Why Does Cryptographic Software Fail?: A Case Study and Open Problems Proceedings of 5th Asia-Pacific Workshop on Systems (APSys '14). ACM, New York, NY, USA, Article no7, pages7 pages. Google ScholarDigital Library
- Ziang Ma, Haoyu Wang, Yao Guo, and Xiangqun Chen. 2016. Libradar: Fast and accurate detection of third-party libraries in android apps Proceedings of the 38th International Conference on Software Engineering Companion. ACM, 653--656. Google ScholarDigital Library
- Ildar Muslukhov, Yazan Boshmaf, Cynthia Kuo, Jonathan Lester, and Konstantin Beznosov. 2013. Know your enemy: the risk of unauthorized access in smartphones by insiders Proceedings of the 15th international conference on Human-computer interaction with mobile devices and services (MobileHCI '13). ACM, New York, NY, USA, 271--280. Google ScholarDigital Library
- A. Popov. 2015. RFC7465 - Prohibiting RC4 Cipher Suites. (Feb. 2015). https://tools.ietf.org/html/rfc7465Google Scholar
- Rahul Raguram, Andrew M. White, Dibyendusekhar Goswami, Fabian Monrose, and Jan-Michael Frahm. 2011. iSpy: automatic reconstruction of typed input from compromising reflections Proceedings of the 18th ACM conference on Computer and communications security (CCS '11). ACM, New York, NY, USA, 527--536. Google ScholarDigital Library
- Shao Shuai, Dong Guowei, Guo Tao, Yang Tianchang, and Shi Chenjie. 2014. Modelling analysis and auto-detection of cryptographic misuse in android applications Dependable, Autonomic and Secure Computing (DASC), 2014 IEEE 12th International Conference on. IEEE, 75--80. Google ScholarDigital Library
Index Terms
- Source Attribution of Cryptographic API Misuse in Android Applications
Recommendations
An empirical study of cryptographic misuse in android applications
CCS '13: Proceedings of the 2013 ACM SIGSAC conference on Computer & communications securityDevelopers use cryptographic APIs in Android with the intent of securing data such as passwords and personal information on mobile devices. In this paper, we ask whether developers use the cryptographic APIs in a fashion that provides typical ...
Modelling Analysis and Auto-detection of Cryptographic Misuse in Android Applications
DASC '14: Proceedings of the 2014 IEEE 12th International Conference on Dependable, Autonomic and Secure ComputingCryptographic misuse affects a sizeable portion of Android applications. However, there is only an empirical study that has been made about this problem. In this paper, we perform a systematic analysis on the cryptographic misuse, build the ...
Self-sustaining, efficient and forward-secure cryptographic constructions for Unattended Wireless Sensor Networks
Unattended Wireless Sensor Networks (UWSNs) operating in hostile environments face great security and performance challenges due to the lack of continuous real-time communication with the final data receivers (e.g., mobile data collectors). The lack of ...
Comments