research-article

An empirical study of cryptographic misuse in android applications

Authors:

Yanick Fratantonio,

Christopher KruegelAuthors Info & Claims

CCS '13: Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security

Pages 73 - 84

https://doi.org/10.1145/2508859.2516693

Published: 04 November 2013 Publication History

Abstract

Developers use cryptographic APIs in Android with the intent of securing data such as passwords and personal information on mobile devices. In this paper, we ask whether developers use the cryptographic APIs in a fashion that provides typical cryptographic notions of security, e.g., IND-CPA security. We develop program analysis techniques to automatically check programs on the Google Play marketplace, and find that 10.327 out of 11,748 applications that use cryptographic APIs -- 88% overall -- make at least one mistake. These numbers show that applications do not use cryptographic APIs in a fashion that maximizes overall security. We then suggest specific remediations based on our analysis towards improving overall cryptographic security in Android applications.

References

[1]

The legion of the bouncy castle. http://bouncycastle.org/, 2013.

[2]

M. Abadi and B. Warinschi. Password-Based Encryption Analyzed. In Proceedings of the international colloquium of Automata, Languages and Programming, pages 664--676. Springer, 2005.

Digital Library

[3]

I. Apple. iOS Security Contents, 2012.

[4]

M. Bellare, T. Kohno, and C. Namprempre. Authenticated encryption in SSH: Provably Fixing the SSH Binary Packet Protocol. In Proceedings of the 9th ACM conference on Computer and communications security, pages 1--11, 2002.

Digital Library

[5]

M. Bellare, T. Ristenpart, and S. Tessaro. Multi-instance Security and Its Application to Password-Based Cryptography. In Proceedings of the 32nd Annual Cryptology Conference, pages 312{329. Springer, 2012.

[6]

M. Bellare and P. Rogaway. Course notes for introduction to modern cryptography. cseweb.ucsd.edu/users/mihir/cse207/classnotes.html.

[7]

K. Bhargavan, C. Fournet, R. Corin, and E. Zalinescu. Cryptographically verified implementations for TLS. In Proceedings of the 15th ACM conference on computer and Communications security, pages 459--468, 2008.

Digital Library

[8]

H. Chen and D. Wagner. MOPS: An Infrastructure for Examining Security Properties of Software. In Proceedings of the 9th ACM conference on Computer and communications security, pages 235--244, 2002.

Digital Library

[9]

S. Clark and T. Goodspeed. Why (special agent) Johnny (still) can't encrypt: a security analysis of the APCO project 25 two-way radio system. In Proceedings of the 20th USENIX Security Symposium, 2011.

Digital Library

[10]

R. Cytron, J. Ferrante, B. K. Rosen, M. N. Wegman, and F. K. Zadeck. Efficiently Computing Static Single Assignment Form and the Control Dependence Graph. ACM Transactions on Programming Languages and Systems, 13(4):451--490, Oct. 1991.

Digital Library

[11]

J. Dean, D. Grove, and C. Chambers. Optimization of object-oriented programs using static class hierarchy analysis. In Proceedings of the 9th European Conference on Object-Oriented Programming, pages 77--101. Springer, 1995.

Digital Library

[12]

A. Desnos. Androguard: Reverse engineering, malware and goodware analysis of android applications ... and more (ninja !). http://code.google.com/p/androguard/.

[13]

W. Enck, P. Gilbert, B.-G. Chun, L. P. Cox, J. Jung, P. McDaniel, and A. N. Sheth. TaintDroid: an information-flow tracking system for realtime privacy monitoring on smartphones. In Proceedings of the 9th USENIX Symposium on Operating Systems Design and Implementation, 2010.

Digital Library

[14]

W. Enck, M. Ongtang, and P. McDaniel. On lightweight mobile phone application certification. In Proceedings of the 16th ACM conference on computer and Communications security, pages 235--245, 2009.

Digital Library

[15]

S. Fahl, M. Harbach, T. Muders, M. Smith, L. Baumgartner, and B. Freisleben. Why Eve and Mallory Love Android: An Analysis of Android SSL (In)Security. In Proceedings of the 19th ACM conference on Computer and communications security, pages 50--61, 2012.

Digital Library

[16]

A. P. Felt, E. Chin, S. Hanna, D. Song, and D. Wagner. Android permissions demystified. In Proceedings of the 18th ACM conference on Computer and communications security, pages 627--638, 2011.

Digital Library

[17]

J. Hoffmann, M. Ussath, T. Holz, and M. Spreitzenbarth. Slicing droids: program slicing for smali code. In In Proceedings of the 28th ACM Symposium on Applied Computing, 2013.

Digital Library

[18]

S. C. Johnson. Lint, a C Program Checker. Technical report, 1978.

[19]

B. Kaliski. PKCS #5: Password-based cryptography specification version 2.0. http://tools.ietf.org/html/rfc2898.

Digital Library

[20]

A. Klyubin. Some SecureRandom thoughts. http://android-developers.blogspot.co.uk/2013/08/some-securerandom-thoughts.html, 2013.

[21]

D. Larochelle and D. Evans. Statically Detecting Likely Buffer Overflow Vulnerabilities. In Proceedings of the 10th USENIX Security Symposium, pages 177--190, 2001.

Digital Library

[22]

J. C. Mitchell, M. Mitchell, and U. Stern. Automated Analysis of Cryptographic Protocols Using Murphi. In Proceedings of the IEEE Symposium on Security and Privacy, pages 141--151, 1997.

Digital Library

[23]

B. Moeller. TLS insecurity (attack on CBC). http://www.openssl.org/~bodo/tls-cbc.txt, 2001.

[24]

M. Nauman, S. Khan, and X. Zhang. Apex: extending android permission model and enforcement with user-defined runtime constraints. In Proceedings of the 5th ACM Symposium on Information, Computer and Communications Security, pages 328--332, 2010.

Digital Library

[25]

P. Pearce, A. P. Felt, G. Nunez, and D. Wagner. AdDroid: Privilege separation for applications and advertisers in android. In Proceedings of the 7th ACM Symposium on Information, Computer and Communications Security, 2012.

Digital Library

[26]

T. Vidas, D. Votipka, and N. Christin. All Your Droid Are Belong To Us: A Survey of Current Android Attacks. In Proceedings of the 5th USENIX Workshop on Offensive Technologies, 2011.

Digital Library

[27]

M. Weiser. Program Slicing. In Proceedings of the 5th international conference on Software engineering, pages 439--449, 1981.

Digital Library

[28]

A. Whitten and J. Tygar. Why Johnny Can't Encrypt : A Usability Evaluation of PGP 5.0. In Proceedings of the 8th USENIX Security Symposium, 1999.

Digital Library

[29]

Y. Zhou, Z. Wang, W. Zhou, and X. Jiang. Hey, you, get off of my market: Detecting malicious apps in official and alternative android markets. In Proceedings of the 19th Annual Network and Distributed System Security Symposium, 2012.

Cited By

Yang SHou QLi SXu FDiao W(2025)From guidelines to practice: assessing Android app developer compliance with google’s security recommendationsEmpirical Software Engineering10.1007/s10664-024-10559-030:1Online publication date: 1-Feb-2025
https://dl.acm.org/doi/10.1007/s10664-024-10559-0
Busch MMao PPayer MBalzarotti DXu W(2024)GlobalConfusionProceedings of the 33rd USENIX Conference on Security Symposium10.5555/3698900.3699210(5537-5554)Online publication date: 14-Aug-2024
https://dl.acm.org/doi/10.5555/3698900.3699210
Busch MMao PPayer MBalzarotti DXu W(2024)Spill the TeAProceedings of the 33rd USENIX Conference on Security Symposium10.5555/3698900.3699184(5071-5088)Online publication date: 14-Aug-2024
https://dl.acm.org/doi/10.5555/3698900.3699184
Show More Cited By

Index Terms

An empirical study of cryptographic misuse in android applications
1. Social and professional topics
  1. Professional topics
    1. Management of computing and information systems
      1. Software management
        Software maintenance
2. Software and its engineering
  1. Software creation and management
    1. Software post-development issues

Recommendations

Source Attribution of Cryptographic API Misuse in Android Applications
ASIACCS '18: Proceedings of the 2018 on Asia Conference on Computer and Communications Security

Recent research suggests that 88% of Android applications that use Java cryptographic APIs make at least one mistake, which results in an insecure implementation. It is unclear, however, if these mistakes originate from code written by application or ...
Modelling Analysis and Auto-detection of Cryptographic Misuse in Android Applications
DASC '14: Proceedings of the 2014 IEEE 12th International Conference on Dependable, Autonomic and Secure Computing

Cryptographic misuse affects a sizeable portion of Android applications. However, there is only an empirical study that has been made about this problem. In this paper, we perform a systematic analysis on the cryptographic misuse, build the ...
An empirical study of SMS one-time password authentication in Android apps
ACSAC '19: Proceedings of the 35th Annual Computer Security Applications Conference

A great quantity of user passwords nowadays has been leaked through security breaches of user accounts. To enhance the security of the Password Authentication Protocol (PAP) in such circumstance, Android app developers often implement a complementary ...

Comments

Information & Contributors

Information

Published In

cover image ACM Conferences

CCS '13: Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security

November 2013

1530 pages

ISBN:9781450324779

DOI:10.1145/2508859

General Chair:
Ahmad-Reza Sadeghi
TU Darmstadt, CASED, Intel ICRI-SC, Germany
,
Program Chairs:
Virgil Gligor
Carnegie Mellon University, USA
,
Moti Yung
Columbia University, USA

Copyright © 2013 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

SIGSAC: ACM Special Interest Group on Security, Audit, and Control

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 04 November 2013

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Conference

CCS'13

Sponsor:

SIGSAC

CCS'13: 2013 ACM SIGSAC Conference on Computer and Communications Security

November 4 - 8, 2013

Berlin, Germany

Acceptance Rates

CCS '13 Paper Acceptance Rate 105 of 530 submissions, 20%;

Overall Acceptance Rate 1,261 of 6,999 submissions, 18%

Upcoming Conference

CCS '25

Sponsor:
sigsac

ACM SIGSAC Conference on Computer and Communications Security

October 13 - 17, 2025

Taipei , Taiwan

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

295
Total Citations
View Citations
3,146
Total Downloads

Downloads (Last 12 months)174
Downloads (Last 6 weeks)17

Reflects downloads up to 05 Jan 2025

Other Metrics

View Author Metrics

Citations

Cited By

Yang SHou QLi SXu FDiao W(2025)From guidelines to practice: assessing Android app developer compliance with google’s security recommendationsEmpirical Software Engineering10.1007/s10664-024-10559-030:1Online publication date: 1-Feb-2025
https://dl.acm.org/doi/10.1007/s10664-024-10559-0
Busch MMao PPayer MBalzarotti DXu W(2024)GlobalConfusionProceedings of the 33rd USENIX Conference on Security Symposium10.5555/3698900.3699210(5537-5554)Online publication date: 14-Aug-2024
https://dl.acm.org/doi/10.5555/3698900.3699210
Busch MMao PPayer MBalzarotti DXu W(2024)Spill the TeAProceedings of the 33rd USENIX Conference on Security Symposium10.5555/3698900.3699184(5071-5088)Online publication date: 14-Aug-2024
https://dl.acm.org/doi/10.5555/3698900.3699184
Seymour WAbdi NRamokapane KEdu JSuarez-Tangil GSuch JBalzarotti DXu W(2024)Voice app developer experiences with alexa and google assistantProceedings of the 33rd USENIX Conference on Security Symposium10.5555/3698900.3699182(5035-5052)Online publication date: 14-Aug-2024
https://dl.acm.org/doi/10.5555/3698900.3699182
Wen HStephens JChen YFerles KPailoor SCharbonnet KDillig IFeng YBalzarotti DXu W(2024)Practical security analysis of zero-knowledge proof circuitsProceedings of the 33rd USENIX Conference on Security Symposium10.5555/3698900.3698983(1471-1487)Online publication date: 14-Aug-2024
https://dl.acm.org/doi/10.5555/3698900.3698983
Xiao YNadkarni ALiao XTorres-Arias SDe Carli LZhang Y(2024)Enhancing Transparency and Accountability of TPLs with PBOM: A Privacy Bill of MaterialsProceedings of the 2024 Workshop on Software Supply Chain Offensive Research and Ecosystem Defenses10.1145/3689944.3696159(1-11)Online publication date: 19-Nov-2024
https://dl.acm.org/doi/10.1145/3689944.3696159
Wang JGuo SDiao WLiu YDuan HLiu YLiang Z(2024)CrypTody: Cryptographic Misuse Analysis of IoT Firmware via Data-flow ReasoningProceedings of the 27th International Symposium on Research in Attacks, Intrusions and Defenses10.1145/3678890.3678914(579-593)Online publication date: 30-Sep-2024
https://dl.acm.org/doi/10.1145/3678890.3678914
Knockel JWang MReichert ZLuo BLiao XXu JKirda ELie D(2024)The Not-So-Silent Type: Vulnerabilities in Chinese IME Keyboards' Network Security ProtocolsProceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security10.1145/3658644.3690302(1701-1715)Online publication date: 2-Dec-2024
https://dl.acm.org/doi/10.1145/3658644.3690302
Li CZhang JTang YLi ZSun TSpinellis DConstantinou EBacchelli A(2024)Boosting API Misuse Detection via Integrating API Constraints from Multiple SourcesProceedings of the 21st International Conference on Mining Software Repositories10.1145/3643991.3644904(14-26)Online publication date: 15-Apr-2024
https://dl.acm.org/doi/10.1145/3643991.3644904
Schlichtig MRoychoudhury APaiva AAbreu RStorey M(2024)Building a Framework to Improve the User Experience of Static Analysis ToolsProceedings of the 2024 IEEE/ACM 46th International Conference on Software Engineering: Companion Proceedings10.1145/3639478.3639813(165-169)Online publication date: 14-Apr-2024
https://dl.acm.org/doi/10.1145/3639478.3639813
Show More Cited By

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Media

Figures

Other

Tables

View Table of Contents