NativeSpeaker: Identifying Crypto Misuses in Android Native Code Libraries

The use of native code (ARM binary code) libraries in Android apps greatly promotes the execution performance of frequently used algorithms. Nonetheless, it increases the complexity of app assessment since the binary code analysis is often sophisticated and time-consuming. As a result, many defects still exist in native code libraries and potentially threat the security of users. To assess the native code libraries, current researches mainly focus on the API invoking correctness and less dive into the details of code. Hence, flaws may hide in internal implementation when the analysis of API does not discover them effectively.

The assessment of native code requires a more detailed code comprehension process to pinpoint flaws. In response, we design and implement NativeSpeaker, an Android native code analysis system to assess native code libraries. NativeSpeaker provides not only the capability of recognizing certain pattern related to security flaws, but also the functionality of discovering and comparing native code libraries among a large-scale collection of apps from non-official Android markets. With the help of NativeSpeaker, we analyzed 20,353 dynamic libraries (.so) collected from 20,000 apps in non-official Android markets. Particularly, our assessment focuses on searching crypto misuse related insecure code pattern in those libraries. The analyzing results show even for those most frequently used (top 1%) native code libraries, one third of them contain at least one misuse. Furthermore, our observation indicates the misuse of crypto is often related to insecure data communication: about 25% most frequently used native code libraries suffer from this flaw. Our conducted analysis revealed the necessity of in-depth security assessment against popular native code libraries, and proved the effectiveness of the designed NativeSpeaker system.