Negative Results on Mining Crypto-API Usage Rules in Android Apps

Android app developers recurrently use crypto-APIs to provide data security to app users. Unfortunately, misusing these APIs only creates an illusion of security and can even expose apps to systematic attacks. It is thus necessary to provide developers with a statically enforceable specification of crypto-API usage rules. On the one hand, such rules cannot be written by hand, since that process does not scale to all available APIs. On the other hand, classical mining that takes the most common usage pattern as the correct one is unreliable for Android, since a large share of usages are themselves mistaken. In this work, building on the assumption that "developers update API usage instances to fix misuses", we propose to mine a large dataset of updates within about 40 000 real-world app lineages to infer API usage rules. Our investigation yields negative results on this assumption: API usage updates do not tend to correct misuses. The updates that do fix misuses even appear to be unintentional: the same misuse patterns are quickly re-introduced by subsequent updates.
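The mining approach sketched above, as an added illustration that is not the paper's own tooling or dataset: each app lineage is modelled as an ordered list of versions, each version as the set of crypto-API usage instances found in it (a hypothetical (method, constant-argument) pair, as a static analyser would extract), an update that replaces one usage of an API with another is recorded as a candidate rule, and every rule is then checked for how often the replaced usage comes back later in the same lineage. The lineages, the change-pairing heuristic (matching removed and added usages by method name) and the function names are all constructed for this example.

```python
"""Mine candidate crypto-API usage rules from app version updates.

Constructed illustration (not the paper's code): a lineage is the ordered
list of versions of one app, and each version is summarised by the set of
crypto-API usage instances found in it.  An update that removes usage A and
adds usage B of the same API is treated as a candidate rule "A -> B".  We
then count how often A reappears in a later version of the same lineage,
which is the reintroduction pattern the abstract reports.
"""
from collections import Counter, defaultdict
from typing import Dict, Iterator, List, Set, Tuple

Usage = Tuple[str, str]          # (API method, constant argument)
Rule = Tuple[Usage, Usage]       # (old usage, new usage)

# Constructed sample lineages (hypothetical apps, not real ones): each list
# holds one app's versions in release order.
LINEAGES: Dict[str, List[Set[Usage]]] = {
    "app.alpha": [
        {("Cipher.getInstance", "AES")},                  # ECB by default
        {("Cipher.getInstance", "AES/GCM/NoPadding")},    # looks like a fix
        {("Cipher.getInstance", "AES")},                  # misuse comes back
    ],
    "app.beta": [
        {("Cipher.getInstance", "AES"), ("MessageDigest.getInstance", "MD5")},
        {("Cipher.getInstance", "AES/GCM/NoPadding"),
         ("MessageDigest.getInstance", "SHA-256")},
        {("Cipher.getInstance", "AES/GCM/NoPadding"),
         ("MessageDigest.getInstance", "SHA-256")},
    ],
    "app.gamma": [
        {("MessageDigest.getInstance", "MD5")},
        {("MessageDigest.getInstance", "SHA-256")},
        {("MessageDigest.getInstance", "MD5")},
    ],
}


def updates(versions: List[Set[Usage]]) -> Iterator[Tuple[Set[Usage], Set[Usage]]]:
    """Yield (removed, added) usage sets for each consecutive version pair."""
    for before, after in zip(versions, versions[1:]):
        yield before - after, after - before


def pair_changes(removed: Set[Usage], added: Set[Usage]) -> Iterator[Rule]:
    """Pair each removed usage with the added usages of the same API method.

    This is a deliberately simple heuristic; a real miner would match on
    call-site location or data flow rather than on the method name alone.
    """
    by_method = defaultdict(list)
    for usage in added:
        by_method[usage[0]].append(usage)
    for old in sorted(removed):
        for new in sorted(by_method.get(old[0], [])):
            yield old, new


def mine_update_rules(lineages: Dict[str, List[Set[Usage]]]) -> Counter:
    """Count how often each (old -> new) change occurs across all updates."""
    support: Counter = Counter()
    for versions in lineages.values():
        for removed, added in updates(versions):
            for rule in pair_changes(removed, added):
                support[rule] += 1
    return support


def count_reintroductions(lineages: Dict[str, List[Set[Usage]]]) -> Counter:
    """For each mined rule, count updates after which the old usage reappears
    in a later version of the same lineage."""
    reverted: Counter = Counter()
    for versions in lineages.values():
        for i, (removed, added) in enumerate(updates(versions)):
            # update i turns versions[i] into versions[i + 1]; look beyond it
            later = set().union(*versions[i + 2:])
            for old, new in pair_changes(removed, added):
                if old in later:
                    reverted[(old, new)] += 1
    return reverted


def contradictory_rules(support: Counter) -> Set[Rule]:
    """Rules mined in both directions (A -> B and B -> A): evidence that
    frequency counting alone cannot tell a fix from a regression."""
    return {rule for rule in support if (rule[1], rule[0]) in support}


def summarize(lineages: Dict[str, List[Set[Usage]]]) -> Dict[Rule, Tuple[int, int]]:
    """Map each candidate rule to (support, number of later reintroductions)."""
    support = mine_update_rules(lineages)
    reverted = count_reintroductions(lineages)
    return {rule: (support[rule], reverted[rule]) for rule in support}


if __name__ == "__main__":
    summary = summarize(LINEAGES)
    for (old, new), (sup, rev) in sorted(summary.items()):
        print(f"{old[1]:>20} -> {new[1]:<20} support={sup} reintroduced={rev}")
    print("contradictory:", len(contradictory_rules(mine_update_rules(LINEAGES))))
```

On the constructed lineages the miner reports "AES" -> "AES/GCM/NoPadding" with support 2, yet one of those two updates is undone by the very next release, and the reverse change "AES/GCM/NoPadding" -> "AES" is mined as a rule as well; every candidate rule has its mirror image in the output. That is the shape of the negative result: without an independent notion of which usage is correct, update frequency alone does not separate fixes from regressions.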
