research-article

Source Attribution of Cryptographic API Misuse in Android Applications

Authors:

Ildar Muslukhov,

Konstantin BeznosovAuthors Info & Claims

ASIACCS '18: Proceedings of the 2018 on Asia Conference on Computer and Communications Security

Pages 133 - 146

https://doi.org/10.1145/3196494.3196538

Published: 29 May 2018 Publication History

Abstract

Recent research suggests that 88% of Android applications that use Java cryptographic APIs make at least one mistake, which results in an insecure implementation. It is unclear, however, if these mistakes originate from code written by application or third-party library developers. Understanding the responsible party for a misuse case is important for vulnerability disclosure. In this paper, we bridge this knowledge gap and introduce source attribution to the analysis of cryptographic API misuse. We developed BinSight, a static program analyzer that supports source attribution, and we analyzed 132K Android applications collected in years 2012, 2015, and 2016. Our results suggest that third-party libraries are the main source of cryptographic API misuse. In particular, 90% of the violating applications, which contain at least one call-site to Java cryptographic API, originate from libraries. When compared to 2012, we found the use of ECB mode for symmetric ciphers has significantly decreased in 2016, for both application and third-party library code. Unlike application code, however, third-party libraries have significantly increased their reliance on static encryption keys for symmetric ciphers and static IVs for CBC mode ciphers. Finally, we found that the insecure RC4 and DES ciphers were the second and the third most used ciphers in 2016.

References

[1]

Yasemin Acar, Michael Backes, Sascha Fahl, Simson Garfinkel, Doowon Kim, Michelle L Mazurek, and Christian Stransky. 2017. Comparing the usability of cryptographic APIs. Proceedings of the 38th IEEE Symposium on Security and Privacy.

[2]

Benjamin Bichsel, Veselin Raychev, Petar Tsankov, and Martin Vechev. 2016. Statistical Deobfuscation of Android Applications. Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security (CCS '16). ACM, New York, NY, USA, 343--355.

Digital Library

[3]

David W Binkley and Keith Brian Gallagher. 1996. Program slicing. Advances in Computers Vol. 43 (1996), 1--50.

[4]

Ivan Cherapau, Ildar Muslukhov, Nalin Asanka, and Konstantin Beznosov. 2015. On the Impact of Touch ID on iPhone Passcodes. In Proceedings of the Symposium on Usable Privacy and Security (SOUPS '15). 20.

[5]

Ron Cytron, Jeanne Ferrante, Barry K Rosen, Mark N Wegman, and F Kenneth Zadeck. 1991. Efficiently computing static single assignment form and the control dependence graph. ACM Transactions on Programming Languages and Systems (TOPLAS), Vol. 13, 4 (1991), 451--490.

Digital Library

[6]

Anthony Desnos and Geoffroy Gueguen. 2011. Android: From reversing to decompilation. Proceedings of Black Hat Abu Dhabi (2011), 77--101.

[7]

Danny Dolev, Cynthia Dwork, and Moni Naor. 1998. Non-malleable cryptography. In SIAM Journal on Computing. Citeseer.

Digital Library

[8]

Manuel Egele, David Brumley, Yanick Fratantonio, and Christopher Kruegel. 2013. An empirical study of cryptographic misuse in android applications Proceedings of the 2013 ACM SIGSAC conference on Computer &communications security. ACM, 73--84.

Digital Library

[9]

William Enck, Damien Octeau, Patrick McDaniel, and Swarat Chaudhuri. 2011. A Study of Android Application Security. In USENIX security symposium, Vol. Vol. 2. 2.

Digital Library

[10]

Sascha Fahl, Marian Harbach, Thomas Muders, Lars Baumg"artner, Bernd Freisleben, and Matthew Smith. 2012. Why Eve and Mallory love Android: An analysis of Android SSL (in) security Proceedings of the 2012 ACM conference on Computer and communications security. ACM, 50--61.

Digital Library

[11]

Scott R. Fluhrer, Itsik Mantin, and Adi Shamir. 2001. Weaknesses in the Key Scheduling Algorithm of RC4. Revised Papers from the 8th Annual International Workshop on Selected Areas in Cryptography (SAC '01). Springer-Verlag, London, UK, UK, 1--24. http://dl.acm.org/citation.cfm?id=646557.694759

Digital Library

[12]

B. Kaliski. 2000. PKCS #5: Password-Based Cryptography Specification Version 2.0. (2000).

[13]

Patrick Lam, Eric Bodden, Ondrej Lhoták, and Laurie Hendren. 2011. The Soot framework for Java program analysis: a retrospective Cetus Users and Compiler Infastructure Workshop (CETUS 2011), Vol. Vol. 15. 35.

[14]

David Lazar, Haogang Chen, Xi Wang, and Nickolai Zeldovich. 2014. Why Does Cryptographic Software Fail?: A Case Study and Open Problems Proceedings of 5th Asia-Pacific Workshop on Systems (APSys '14). ACM, New York, NY, USA, Article no7, pages7 pages.

Digital Library

[15]

Ziang Ma, Haoyu Wang, Yao Guo, and Xiangqun Chen. 2016. Libradar: Fast and accurate detection of third-party libraries in android apps Proceedings of the 38th International Conference on Software Engineering Companion. ACM, 653--656.

Digital Library

[16]

Ildar Muslukhov, Yazan Boshmaf, Cynthia Kuo, Jonathan Lester, and Konstantin Beznosov. 2013. Know your enemy: the risk of unauthorized access in smartphones by insiders Proceedings of the 15th international conference on Human-computer interaction with mobile devices and services (MobileHCI '13). ACM, New York, NY, USA, 271--280.

Digital Library

[17]

A. Popov. 2015. RFC7465 - Prohibiting RC4 Cipher Suites. (Feb. 2015). https://tools.ietf.org/html/rfc7465

[18]

Rahul Raguram, Andrew M. White, Dibyendusekhar Goswami, Fabian Monrose, and Jan-Michael Frahm. 2011. iSpy: automatic reconstruction of typed input from compromising reflections Proceedings of the 18th ACM conference on Computer and communications security (CCS '11). ACM, New York, NY, USA, 527--536.

Digital Library

[19]

Shao Shuai, Dong Guowei, Guo Tao, Yang Tianchang, and Shi Chenjie. 2014. Modelling analysis and auto-detection of cryptographic misuse in android applications Dependable, Autonomic and Secure Computing (DASC), 2014 IEEE 12th International Conference on. IEEE, 75--80.

Digital Library

Cited By

Pourali SYu XZhao LMannan MYoussef ABalzarotti DXu W(2024)Racing for TLS certificate validationProceedings of the 33rd USENIX Conference on Security Symposium10.5555/3698900.3698939(683-700)Online publication date: 14-Aug-2024
https://dl.acm.org/doi/10.5555/3698900.3698939
Xiao YNadkarni ALiao XTorres-Arias SDe Carli LZhang Y(2024)Enhancing Transparency and Accountability of TPLs with PBOM: A Privacy Bill of MaterialsProceedings of the 2024 Workshop on Software Supply Chain Offensive Research and Ecosystem Defenses10.1145/3689944.3696159(1-11)Online publication date: 19-Nov-2024
https://dl.acm.org/doi/10.1145/3689944.3696159
Bove D(2024)A Large-Scale Study on the Prevalence and Usage of TEE-based Features on AndroidProceedings of the 19th International Conference on Availability, Reliability and Security10.1145/3664476.3664486(1-11)Online publication date: 30-Jul-2024
https://dl.acm.org/doi/10.1145/3664476.3664486
Show More Cited By

Index Terms

Source Attribution of Cryptographic API Misuse in Android Applications
1. Security and privacy
  1. Formal methods and theory of security
    1. Security requirements
  2. Software and application security
    1. Software security engineering

Recommendations

An empirical study of cryptographic misuse in android applications
CCS '13: Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security

Developers use cryptographic APIs in Android with the intent of securing data such as passwords and personal information on mobile devices. In this paper, we ask whether developers use the cryptographic APIs in a fashion that provides typical ...
Modelling Analysis and Auto-detection of Cryptographic Misuse in Android Applications
DASC '14: Proceedings of the 2014 IEEE 12th International Conference on Dependable, Autonomic and Secure Computing

Cryptographic misuse affects a sizeable portion of Android applications. However, there is only an empirical study that has been made about this problem. In this paper, we perform a systematic analysis on the cryptographic misuse, build the ...
Self-sustaining, efficient and forward-secure cryptographic constructions for Unattended Wireless Sensor Networks

Unattended Wireless Sensor Networks (UWSNs) operating in hostile environments face great security and performance challenges due to the lack of continuous real-time communication with the final data receivers (e.g., mobile data collectors). The lack of ...

Comments

Information & Contributors

Information

Published In

cover image ACM Conferences

ASIACCS '18: Proceedings of the 2018 on Asia Conference on Computer and Communications Security

May 2018

866 pages

ISBN:9781450355766

DOI:10.1145/3196494

General Chairs:
Jong Kim
Pohang University of Science and Technology, South Korea
,
Gail-Joon Ahn
Arizona State University, USA &Samsung Electronics, South Korea
,
Seungjoo Kim
Korea University, South Korea
,
Program Chairs:
Yongdae Kim
KAIST, South Korea
,
Javier Lopez
University of Malaga, Spain
,
Taesoo Kim
Georgia Tech, USA

Copyright © 2018 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

SIGSAC: ACM Special Interest Group on Security, Audit, and Control

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 29 May 2018

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Conference

ASIA CCS '18

Sponsor:

SIGSAC

ASIA CCS '18: ACM Asia Conference on Computer and Communications Security

June 4, 2018

Incheon, Republic of Korea

Acceptance Rates

ASIACCS '18 Paper Acceptance Rate 52 of 310 submissions, 17%;

Overall Acceptance Rate 418 of 2,322 submissions, 18%

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

26
Total Citations
View Citations
429
Total Downloads

Downloads (Last 12 months)48
Downloads (Last 6 weeks)5

Reflects downloads up to 06 Jan 2025

Other Metrics

View Author Metrics

Citations

Cited By

Pourali SYu XZhao LMannan MYoussef ABalzarotti DXu W(2024)Racing for TLS certificate validationProceedings of the 33rd USENIX Conference on Security Symposium10.5555/3698900.3698939(683-700)Online publication date: 14-Aug-2024
https://dl.acm.org/doi/10.5555/3698900.3698939
Xiao YNadkarni ALiao XTorres-Arias SDe Carli LZhang Y(2024)Enhancing Transparency and Accountability of TPLs with PBOM: A Privacy Bill of MaterialsProceedings of the 2024 Workshop on Software Supply Chain Offensive Research and Ecosystem Defenses10.1145/3689944.3696159(1-11)Online publication date: 19-Nov-2024
https://dl.acm.org/doi/10.1145/3689944.3696159
Bove D(2024)A Large-Scale Study on the Prevalence and Usage of TEE-based Features on AndroidProceedings of the 19th International Conference on Availability, Reliability and Security10.1145/3664476.3664486(1-11)Online publication date: 30-Jul-2024
https://dl.acm.org/doi/10.1145/3664476.3664486
Zhang ZMa HWu DGao DYi XChen YWu YJiang L(2024)MtdScout: Complementing the Identification of Insecure Methods in Android Apps via Source-to-Bytecode Signature Generation and Tree-based Layered Search2024 IEEE 9th European Symposium on Security and Privacy (EuroS&P)10.1109/EuroSP60621.2024.00045(724-740)Online publication date: 8-Jul-2024
https://doi.org/10.1109/EuroSP60621.2024.00045
Kanaoka AAbe M(2024)Enhanced Analysis of Cryptographic Library Usage Patterns and Trends in Android Applications2024 IEEE Conference on Dependable and Secure Computing (DSC)10.1109/DSC63325.2024.00031(88-93)Online publication date: 6-Nov-2024
https://doi.org/10.1109/DSC63325.2024.00031
Silonosov AHenesey L(2024)Towards cryptographic agility manifesto in end-to-end encryption systems: a position paper from the perspective of crypto-consumers2024 IEEE Conference on Dependable, Autonomic and Secure Computing (DASC)10.1109/DASC64200.2024.00015(65-72)Online publication date: 5-Nov-2024
https://doi.org/10.1109/DASC64200.2024.00015
Baek HLee MKim H(2024)CryptoLLM: Harnessing the Power of LLMs to Detect Cryptographic API MisuseComputer Security – ESORICS 202410.1007/978-3-031-70879-4_18(353-373)Online publication date: 5-Sep-2024
https://doi.org/10.1007/978-3-031-70879-4_18
Wang LWang JSui TKong LZhao Y(2023)Intelligent Detection of Cryptographic Misuse in Android Applications Based on Program Slicing andTransformer-Based ClassifierElectronics10.3390/electronics1211246012:11(2460)Online publication date: 30-May-2023
https://doi.org/10.3390/electronics12112460
Ishii DKanaoka A(2023)Vision: How to Provide Documentation to Non-skilled Developers for Appropriate Use of Cryptography: Action Research Study on Expert MonitoringProceedings of the 2023 European Symposium on Usable Security10.1145/3617072.3617119(218-223)Online publication date: 16-Oct-2023
https://dl.acm.org/doi/10.1145/3617072.3617119
Zhang YKabir MXiao YYao DMeng N(2023)Automatic Detection of Java Cryptographic API Misuses: Are We There Yet?IEEE Transactions on Software Engineering10.1109/TSE.2022.315030249:1(288-303)Online publication date: 1-Jan-2023
https://doi.org/10.1109/TSE.2022.3150302
Show More Cited By

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Media

Figures

Other

Tables

View Table of Contents