Source Attribution of Cryptographic API Misuse in Android Applications

Ildar Muslukhov ; Yazan Boshmaf ; Konstantin Beznosov

04 June 2018

Abstract: Recent research suggests that 88% of Android applications that use Java cryptographic APIs make at least one mistake, which results in an insecure implementation. It is unclear, however, if these mistakes originate from code written by application or third-party library developers. Understanding the responsible party for a misuse case is important for vulnerability disclosure. In this paper, we bridge this knowledge gap and introduce source attribution to the analysis of cryptographic API misuse. We developed BinSight, a static program analyzer that supports source attribution, and we analyzed 132K Android applications collected in years 2012, 2015, and 2016. Our results suggest that third-party libraries are the main source of cryptographic API misuse. In particular, 90% of the violating applications, which contain at least one call-site to Java cryptographic API, originate from libraries. When compared to 2012, we found the use of ECB mode for symmetric ciphers has significantly decreased in 2016, for both application and third-party library code. Unlike application code, however, third-party libraries have significantly increased their reliance on static encryption keys for symmetric ciphers and static IVs for CBC mode ciphers. Finally, we found that the insecure RC4 and DES ciphers were the second and the third most used ciphers in 2016.

Keyword(s): Static Analysis ; Source Attribution ; Android ; Cryptography APIs ; Applied Cryptography

Published in: Ildar Muslukhov, Yazan Boshmaf, Konstantin Beznosov. Source Attribution of Cryptographic API Misuse in Android Applications. Proceedings of the 13th ACM ASIA Conference on Information, Computer and Communications Security (ACM ASIACCS '18), 2018.:

The record appears in these collections:
Refereed Conference Papers

 Record created 2018-04-25, last modified 2018-04-25

Download fulltextPDF Download fulltextPDF (PDFA)
Rate this document:

Rate this document:
(Not yet reviewed)