Evaluation of Cryptography Usage in Android Applications

Mobile application developers use cryptography in their products to protect sensitive data such as passwords, short messages and documents. In this paper, we study whether cryptography and related techniques are employed properly to protect this private data. To this end, we downloaded 49 Android applications from the Google Play marketplace and performed static and dynamic analysis to detect possible cryptographic misuses. The results show that 87.8% of the applications exhibit some kind of misuse, while for the remaining applications no cryptography usage was detected during the analysis. Finally, we suggest countermeasures, mainly intended for developers, to alleviate the issues identified by the analysis.
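The abstract does not list the concrete misuse rules the authors checked, so the following is an added illustration of what a static misuse check of the kind described looks like, not the paper's own tooling. The rules (ECB mode, including the bare "AES" transformation that resolves to ECB on Android, a hard-coded key string, an all-zero IV, and a SecureRandom seeded with a constant) are assumed common misuse classes, and the Java fragments are constructed here rather than taken from any of the 49 applications. The three outcome classes mirror the abstract: misuse, clean, and no cryptography detected.

```python
import re
from typing import Dict, List

# Constructed decompiled-Java fragments standing in for application code.
# They are NOT taken from any of the 49 applications examined in the paper.
SAMPLES: Dict[str, str] = {
    "ecb_default": 'Cipher c = Cipher.getInstance("AES");',
    "ecb_explicit": 'Cipher c = Cipher.getInstance("AES/ECB/PKCS5Padding");',
    "hardcoded_key": 'SecretKeySpec k = new SecretKeySpec("Sup3rS3cretKey!!".getBytes(), "AES");',
    "static_iv": 'IvParameterSpec iv = new IvParameterSpec(new byte[16]);',
    "seeded_prng": 'SecureRandom r = new SecureRandom(); r.setSeed(12345L);',
    "ok_gcm": 'Cipher c = Cipher.getInstance("AES/GCM/NoPadding");',
    "no_crypto": 'String s = input.trim(); Log.d("tag", s);',
}

# Any reference to the JCA/JCE API counts as "cryptography usage".
CRYPTO_API = re.compile(
    r"javax\.crypto|Cipher\.getInstance|MessageDigest|SecretKeySpec|SecureRandom|IvParameterSpec"
)

# Assumed misuse rules (name, pattern over decompiled Java source).
RULES = [
    ("ECB mode (explicit)", re.compile(r'Cipher\.getInstance\("AES/ECB')),
    # A bare "AES" transformation falls back to ECB on Android providers.
    ('ECB mode (provider default for bare "AES")', re.compile(r'Cipher\.getInstance\("AES"\)')),
    ("hard-coded key material", re.compile(r'new SecretKeySpec\(\s*"[^"]*"\.getBytes\(')),
    ("constant IV", re.compile(r"new IvParameterSpec\(\s*new byte\[\d+\]\s*\)")),
    ("SecureRandom seeded with a constant", re.compile(r"\.setSeed\(\s*\d+L?\s*\)")),
]


def uses_crypto(source: str) -> bool:
    """True if the fragment references any cryptographic API at all."""
    return CRYPTO_API.search(source) is not None


def scan(source: str) -> List[str]:
    """Return the names of every misuse rule that fires on the fragment."""
    return [name for name, pattern in RULES if pattern.search(source)]


def classify(source: str) -> str:
    """Map a fragment to one of the abstract's three outcome classes."""
    if not uses_crypto(source):
        return "no crypto"
    return "misuse" if scan(source) else "clean"


def summarize(samples: Dict[str, str]) -> Dict[str, int]:
    """Count fragments per outcome class, as a per-app tally would."""
    counts = {"misuse": 0, "clean": 0, "no crypto": 0}
    for src in samples.values():
        counts[classify(src)] += 1
    return counts


if __name__ == "__main__":
    for name, src in SAMPLES.items():
        print(f"{name:14s} {classify(src):9s} {scan(src)}")
    print(summarize(SAMPLES))
```

Pattern matching over decompiled source only catches misuses that are visible as literals; a key assembled at runtime, an obfuscated wrapper around `Cipher.getInstance`, or a transformation string loaded from a resource slips past it, which is the gap the dynamic-analysis half of the study is there to close.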
