000000324 001__ 324
000000324 005__ 20180425223508.0
000000324 037__ $$aLERSSE-RefConfPaper-2018-002
000000324 100__ $$aIldar Muslukhov
000000324 245__ $$aSource Attribution of Cryptographic API Misuse in Android Applications
000000324 260__ $$c2018-06-04
000000324 300__ $$a12
000000324 520__ $$aRecent research suggests that 88% of Android applications that use Java cryptographic APIs make at least one mistake, which results in an insecure implementation. It is unclear, however, if these mistakes originate from code written by application or third-party library developers. Understanding the responsible party for a misuse case is important for vulnerability disclosure. In this paper, we bridge this knowledge gap and introduce source attribution to the analysis of cryptographic API misuse. We developed BinSight, a static program analyzer that supports source attribution, and we analyzed 132K Android applications collected in the years 2012, 2015, and 2016. Our results suggest that third-party libraries are the main source of cryptographic API misuse. In particular, 90% of the violating applications, which contain at least one call-site to a Java cryptographic API, originate from libraries. When compared to 2012, we found that the use of ECB mode for symmetric ciphers had significantly decreased in 2016, for both application and third-party library code. Unlike application code, however, third-party libraries have significantly increased their reliance on static encryption keys for symmetric ciphers and static IVs for CBC mode ciphers. Finally, we found that the insecure RC4 and DES ciphers were the second and the third most used ciphers in 2016.
000000324 6531_ $$aStatic Analysis
000000324 6531_ $$aSource Attribution
000000324 6531_ $$aAndroid
000000324 6531_ $$aCryptography APIs
000000324 6531_ $$aApplied Cryptography
000000324 700__ $$aYazan Boshmaf
000000324 700__ $$aKonstantin Beznosov
000000324 8560_ $$flersse-it@ece.ubc.ca
000000324 8564_ $$uhttp://lersse-dl.ece.ubc.ca/record/324/files/binsight-asiaccs-2018.pdf
000000324 8564_ $$uhttp://lersse-dl.ece.ubc.ca/record/324/files/binsight-asiaccs-2018.pdf?subformat=pdfa$$xpdfa
000000324 909C4 $$pIldar Muslukhov, Yazan Boshmaf, Konstantin Beznosov. Source Attribution of Cryptographic API Misuse in Android Applications. Proceedings of the 13th ACM ASIA Conference on Information, Computer and Communications Security (ACM ASIACCS '18), 2018.
000000324 980__ $$aRefConfPaper