TY - GEN
T1 - Source attribution of cryptographic API misuse in android applications
AU - Muslukhov, Ildar
AU - Boshmaf, Yazan
AU - Beznosov, Konstantin
N1 - Publisher Copyright:
© 2018 Association for Computing Machinery.
PY - 2018/5/29
Y1 - 2018/5/29
AB - Recent research suggests that 88% of Android applications that use Java cryptographic APIs make at least one mistake that results in an insecure implementation. It is unclear, however, whether these mistakes originate in code written by application developers or by third-party library developers. Knowing which party is responsible for a misuse case matters for vulnerability disclosure. In this paper, we bridge this knowledge gap and introduce source attribution to the analysis of cryptographic API misuse. We developed BinSight, a static program analyzer that supports source attribution, and we analyzed 132K Android applications collected in 2012, 2015, and 2016. Our results suggest that third-party libraries are the main source of cryptographic API misuse. In particular, for 90% of the violating applications (those that contain at least one call-site to the Java cryptographic API), the misuse originates in third-party library code. Compared to 2012, the use of ECB mode for symmetric ciphers had significantly decreased by 2016, in both application and third-party library code. Unlike application code, however, third-party libraries have significantly increased their reliance on static encryption keys for symmetric ciphers and on static IVs for CBC mode ciphers. Finally, we found that the insecure RC4 and DES ciphers were the second and third most used ciphers in 2016.
KW - Android
KW - Applied Cryptography
KW - Cryptography APIs
KW - Source Attribution
KW - Static Analysis
UR - http://www.scopus.com/inward/record.url?scp=85049177050&partnerID=8YFLogxK
U2 - 10.1145/3196494.3196538
DO - 10.1145/3196494.3196538
M3 - Conference contribution
AN - SCOPUS:85049177050
T3 - ASIACCS 2018 - Proceedings of the 2018 ACM Asia Conference on Computer and Communications Security
SP - 133
EP - 146
BT - ASIACCS 2018 - Proceedings of the 2018 ACM Asia Conference on Computer and Communications Security
PB - Association for Computing Machinery, Inc
T2 - 13th ACM Symposium on Information, Computer and Communications Security, ASIACCS 2018
Y2 - 4 June 2018 through 8 June 2018
ER -
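The abstract above names four misuse classes (ECB mode, static keys, static CBC IVs, and the weak ciphers RC4 and DES) and the idea of attributing each violating call site to application or library code. The following is an added illustration of that attribution step, written for this record; it is not BinSight and not code from the paper. It assumes a decompiler or static analyzer has already extracted, per Cipher.getInstance() call site, the calling class, the transformation string, and whether the key and IV arguments resolved to compile-time constants; the application package name, the call-site records and the library package names are all constructed for the example.

```python
"""Toy source attribution of Java crypto API misuse (added example, not BinSight).

Input is a list of call-site records that a static analyzer is assumed to have
extracted already. Attribution is by package prefix: classes under the app's own
package are "application", everything else is "library". This mirrors the
question the paper asks, but the package names and records below are constructed.
"""
from dataclasses import dataclass

# Hypothetical package of the application under analysis.
APP_PACKAGE = "com.example.shop"

# Block ciphers for which JCA providers default to ECB when the transformation
# string carries no mode (e.g. Cipher.getInstance("AES")).
BLOCK_CIPHERS = {"AES", "DES", "DESEDE", "BLOWFISH"}
WEAK_CIPHERS = {"RC4", "ARCFOUR", "DES"}   # ARCFOUR is the JCA name for RC4


@dataclass(frozen=True)
class CallSite:
    caller_class: str       # fully qualified class containing the call
    transformation: str     # argument passed to Cipher.getInstance()
    key_is_constant: bool   # key bytes resolved to a literal by the analyzer
    iv_is_constant: bool    # IV bytes resolved to a literal (relevant for CBC)


def attribute(site, app_package=APP_PACKAGE):
    """Classify a call site as application or third-party library code."""
    if site.caller_class.startswith(app_package + "."):
        return "application"
    return "library"


def misuses(site):
    """Return the names of the misuse rules a single call site violates."""
    parts = site.transformation.upper().split("/")
    algorithm = parts[0]
    if len(parts) > 1:
        mode = parts[1]
    else:
        # No explicit mode: block ciphers fall back to ECB, stream ciphers have none.
        mode = "ECB" if algorithm in BLOCK_CIPHERS else None
    found = []
    if algorithm in WEAK_CIPHERS:
        found.append("weak-cipher")
    if mode == "ECB":
        found.append("ecb-mode")
    if site.key_is_constant:
        found.append("static-key")
    if mode == "CBC" and site.iv_is_constant:
        found.append("static-iv")
    return found


def attribute_misuses(sites, app_package=APP_PACKAGE):
    """Count rule violations per origin (application vs. library)."""
    summary = {"application": {}, "library": {}}
    for site in sites:
        origin = attribute(site, app_package)
        for rule in misuses(site):
            summary[origin][rule] = summary[origin].get(rule, 0) + 1
    return summary


def violating_sites(sites, app_package=APP_PACKAGE):
    """Count call sites with at least one violation, per origin."""
    counts = {"application": 0, "library": 0}
    for site in sites:
        if misuses(site):
            counts[attribute(site, app_package)] += 1
    return counts


# Constructed call-site records standing in for analyzer output.
SAMPLE_SITES = [
    CallSite("com.example.shop.net.TokenStore", "AES/GCM/NoPadding", False, False),
    CallSite("com.example.shop.util.Legacy", "AES/CBC/PKCS5Padding", False, True),
    CallSite("com.analytics.sdk.Tracker", "AES/ECB/PKCS5Padding", True, False),
    CallSite("com.adnet.core.Beacon", "DES/CBC/PKCS5Padding", True, True),
    CallSite("org.thirdparty.push.Crypto", "RC4", False, False),
    CallSite("com.example.shop.crypto.Box", "AES", True, False),
]

if __name__ == "__main__":
    for site in SAMPLE_SITES:
        print(attribute(site), site.caller_class, site.transformation, misuses(site))
    print(attribute_misuses(SAMPLE_SITES))
    print(violating_sites(SAMPLE_SITES))
```

Two details matter in practice. A transformation string with no mode is not "safe by omission": for AES or DES the provider silently selects ECB, so the checker treats it as an ECB call. And a constant IV is only flagged for CBC, because the static-IV rule in the abstract is specific to that mode; a real analyzer would extend the rule to other IV-bearing modes such as GCM, where nonce reuse is far more damaging.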