论文信息 - sPECTRA: A precise framEwork for analyzing CrypTographic vulneRabilities in Android apps

sPECTRA: A precise framEwork for analyzing CrypTographic vulneRabilities in Android apps

The majority of Android applications (apps) deals with user's personal data. Users trust these apps and allow them to access all sensitive data. Cryptography, when employed in an appropriate way, can be used to prevent misuse of data. Unfortunately, cryptographic libraries also include vulnerable cryptographic services. Since Android app developers may not be cryptographic experts, this makes apps become the target of various attacks due to cryptographic vulnerabilities. In this work, we present sPECTRA: an automated framework for analyzing wide range of cryptographic vulnerabilities in Android apps at large scale. sPECTRA is more precise and accurate in comparison to state-of-the-art approaches as it reduces both false negatives and false positives. The inclusion of Intelligent UI exploration during dynamic analysis makes sPECTRA deployable to analyze apps at large scale. Moreover, sPECTRA works on apk files without the need of any source code. We evaluate sPECTRA on 7,000 apps collected from 7 most popular Android app stores. Results indicate that 90% of apps are exploitable because of cryptographic vulnerabilities. We made sPECTRA available as an open source1.

[1] Morris J. Dworkin,et al. Recommendation for Block Cipher Modes of Operation: Methods and Techniques , 2001 .

[2] Elaine B. Barker,et al. Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths , 2011 .

[3] Andrey Bogdanov,et al. Biclique Cryptanalysis of the Full AES , 2011, ASIACRYPT.

[4] MITHYS: Mind The Hand You Shake - Protecting mobile devices from SSL usage vulnerabilities , 2013, STM.

[5] Mayur Naik,et al. Dynodroid: an input generation system for Android apps , 2013, ESEC/FSE 2013.

[6] David Brumley,et al. An empirical study of cryptographic misuse in android applications , 2013, CCS.

[7] William Enck,et al. AppsPlayground: automatic security analysis of smartphone applications , 2013, CODASPY.

[8] Iulian Neamtiu,et al. Targeted and depth-first exploration for systematic testing of android apps , 2013, OOPSLA.

[9] Thomas Schreck,et al. Mobile-Sandbox: combining static and dynamic analysis with machine-learning techniques , 2015, International Journal of Information Security.

[10] Guo Tao,et al. Modelling Analysis and Auto-detection of Cryptographic Misuse in Android Applications , 2014, DASC.

[11] Latifur Khan,et al. SMV-Hunter: Large Scale, Automated Detection of SSL/TLS Man-in-the-Middle Vulnerabilities in Android Apps , 2014, NDSS.

[12] Mira Mezini,et al. Towards secure integration of cryptographic software , 2015, Onward!.