CRYLOGGER: Detecting Crypto Misuses Dynamically

07/02/2020
by Luca Piccolboni, et al.

Cryptographic (crypto) algorithms are the essential ingredients of all secure systems: crypto hash functions and encryption algorithms, for example, can guarantee properties such as integrity and confidentiality. Developers, however, can misuse the application programming interfaces (API) of such algorithms by using constant keys and weak passwords. This paper presents CRYLOGGER, the first open-source tool to detect crypto misuses dynamically. CRYLOGGER logs the parameters that are passed to the crypto APIs during the execution and checks their legitimacy offline by using a list of crypto rules. We compare CRYLOGGER with CryptoGuard, one of the most effective static tools to detect crypto misuses. We show that our tool complements the results of CryptoGuard, making the case for combining static and dynamic approaches. We analyze 1780 popular Android apps downloaded from the Google Play Store to show that CRYLOGGER can detect crypto misuses on thousands of apps dynamically and automatically. We reverse-engineer 28 Android apps and confirm the issues flagged by CRYLOGGER. We also disclose the most critical vulnerabilities to app developers and collect their feedback.
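To make the offline checking step concrete, here is a small rule checker of the kind the abstract describes, written as an added example for this page rather than taken from CRYLOGGER itself. It assumes a simplified `run=<id> api=<name> <param>=<value>` log layout and a constructed sample of logged calls, and it applies the two rules the abstract names: a key that reappears byte-for-byte across independent executions is treated as a constant key, and a password-based key derivation fed a short or wordlist password is treated as a weak password.

```python
import re
from collections import defaultdict

# Constructed sample of logged crypto API calls. The "run=<id> api=<name> <param>=<value>"
# layout is an assumption made for this example, not CRYLOGGER's real log format.
SAMPLE_LOG = """\
run=1 api=SecretKeySpec key=00112233445566778899aabbccddeeff
run=1 api=PBEKeySpec password=123456
run=2 api=SecretKeySpec key=00112233445566778899aabbccddeeff
run=2 api=SecretKeySpec key=9f2c4e7b1d3a5c8e0b6d2f4a1c3e5b7d
run=3 api=PBEKeySpec password=Tr0ub4dor&3x!
"""

WEAK_PASSWORDS = {"123456", "password", "qwerty"}  # constructed mini wordlist
LINE_RE = re.compile(r"run=(\d+) api=(\w+) (\w+)=(\S+)")


def parse_log(text):
    """Turn each well-formed log line into a (run, api, param, value) record."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.fullmatch(line.strip())
        if m:
            run, api, param, value = m.groups()
            records.append((int(run), api, param, value))
    return records


def check_rules(records):
    """Offline rule check over logged parameters: flag constant keys and weak passwords."""
    findings = []
    runs_per_key = defaultdict(set)
    for run, api, param, value in records:
        if api == "SecretKeySpec" and param == "key":
            runs_per_key[value].add(run)
        elif api == "PBEKeySpec" and param == "password":
            if value.lower() in WEAK_PASSWORDS or len(value) < 8:
                findings.append(("weak-password", run, value))
    # A key observed identically in more than one independent run was not freshly generated.
    for key, runs in runs_per_key.items():
        if len(runs) > 1:
            findings.append(("constant-key", sorted(runs), key))
    return findings


if __name__ == "__main__":
    for finding in check_rules(parse_log(SAMPLE_LOG)):
        print(finding)
```

Key material that varies between runs (the second key in run 2) produces no finding, which is the distinction a dynamic log-based check can make that a purely static view of the same call site cannot.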

