Source attribution of cryptographic API misuse in Android applications

Ildar Muslukhov, Yazan Boshmaf, Konstantin Beznosov

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

1 Citation (Scopus)

Abstract

Recent research suggests that 88% of Android applications that use Java cryptographic APIs make at least one mistake, which results in an insecure implementation. It is unclear, however, if these mistakes originate from code written by application or third-party library developers. Understanding the responsible party for a misuse case is important for vulnerability disclosure. In this paper, we bridge this knowledge gap and introduce source attribution to the analysis of cryptographic API misuse. We developed BinSight, a static program analyzer that supports source attribution, and we analyzed 132K Android applications collected in years 2012, 2015, and 2016. Our results suggest that third-party libraries are the main source of cryptographic API misuse. In particular, 90% of the violating applications, which contain at least one call-site to Java cryptographic API, originate from libraries. When compared to 2012, we found the use of ECB mode for symmetric ciphers has significantly decreased in 2016, for both application and third-party library code. Unlike application code, however, third-party libraries have significantly increased their reliance on static encryption keys for symmetric ciphers and static IVs for CBC mode ciphers. Finally, we found that the insecure RC4 and DES ciphers were the second and the third most used ciphers in 2016.

Original language: English
Title of host publication: ASIACCS 2018 - Proceedings of the 2018 ACM Asia Conference on Computer and Communications Security
Publisher: Association for Computing Machinery, Inc
Pages: 133-146
Number of pages: 14
ISBN (Electronic): 9781450355766
DOIs: https://doi.org/10.1145/3196494.3196538
Publication status: Published - 29 May 2018
Event: 13th ACM Symposium on Information, Computer and Communications Security, ASIACCS 2018 - Incheon, Korea, Republic of
Duration: 4 Jun 2018 to 8 Jun 2018

Other

Other: 13th ACM Symposium on Information, Computer and Communications Security, ASIACCS 2018
Country: Korea, Republic of
City: Incheon
Period: 4/6/18 to 8/6/18


Keywords

  • Android
  • Applied Cryptography
  • Cryptography APIs
  • Source Attribution
  • Static Analysis

ASJC Scopus subject areas

  • Software
  • Computer Science Applications
  • Information Systems
  • Computer Networks and Communications

Cite this

Muslukhov, I., Boshmaf, Y., & Beznosov, K. (2018). Source attribution of cryptographic API misuse in android applications. In ASIACCS 2018 - Proceedings of the 2018 ACM Asia Conference on Computer and Communications Security (pp. 133-146). Association for Computing Machinery, Inc. https://doi.org/10.1145/3196494.3196538

Source attribution of cryptographic API misuse in android applications. / Muslukhov, Ildar; Boshmaf, Yazan; Beznosov, Konstantin.

ASIACCS 2018 - Proceedings of the 2018 ACM Asia Conference on Computer and Communications Security. Association for Computing Machinery, Inc, 2018. p. 133-146.


Muslukhov, I, Boshmaf, Y & Beznosov, K 2018, Source attribution of cryptographic API misuse in android applications. in ASIACCS 2018 - Proceedings of the 2018 ACM Asia Conference on Computer and Communications Security. Association for Computing Machinery, Inc, pp. 133-146, 13th ACM Symposium on Information, Computer and Communications Security, ASIACCS 2018, Incheon, Korea, Republic of, 4/6/18. https://doi.org/10.1145/3196494.3196538
Muslukhov I, Boshmaf Y, Beznosov K. Source attribution of cryptographic API misuse in android applications. In ASIACCS 2018 - Proceedings of the 2018 ACM Asia Conference on Computer and Communications Security. Association for Computing Machinery, Inc. 2018. p. 133-146 https://doi.org/10.1145/3196494.3196538
Muslukhov, Ildar ; Boshmaf, Yazan ; Beznosov, Konstantin. / Source attribution of cryptographic API misuse in android applications. ASIACCS 2018 - Proceedings of the 2018 ACM Asia Conference on Computer and Communications Security. Association for Computing Machinery, Inc, 2018. pp. 133-146
@inproceedings{2ba1b59b3b874c2eaeaae822bf21c316,
title = "Source attribution of cryptographic API misuse in android applications",
abstract = "Recent research suggests that 88{\%} of Android applications that use Java cryptographic APIs make at least one mistake, which results in an insecure implementation. It is unclear, however, if these mistakes originate from code written by application or third-party library developers. Understanding the responsible party for a misuse case is important for vulnerability disclosure. In this paper, we bridge this knowledge gap and introduce source attribution to the analysis of cryptographic API misuse. We developed BinSight, a static program analyzer that supports source attribution, and we analyzed 132K Android applications collected in years 2012, 2015, and 2016. Our results suggest that third-party libraries are the main source of cryptographic API misuse. In particular, 90{\%} of the violating applications, which contain at least one call-site to Java cryptographic API, originate from libraries. When compared to 2012, we found the use of ECB mode for symmetric ciphers has significantly decreased in 2016, for both application and third-party library code. Unlike application code, however, third-party libraries have significantly increased their reliance on static encryption keys for symmetric ciphers and static IVs for CBC mode ciphers. Finally, we found that the insecure RC4 and DES ciphers were the second and the third most used ciphers in 2016.",
keywords = "Android, Applied Cryptography, Cryptography APIs, Source Attribution, Static Analysis",
author = "Ildar Muslukhov and Yazan Boshmaf and Konstantin Beznosov",
year = "2018",
month = "5",
day = "29",
doi = "10.1145/3196494.3196538",
language = "English",
pages = "133--146",
booktitle = "ASIACCS 2018 - Proceedings of the 2018 ACM Asia Conference on Computer and Communications Security",
publisher = "Association for Computing Machinery, Inc",

}

TY - GEN

T1 - Source attribution of cryptographic API misuse in android applications

AU - Muslukhov, Ildar

AU - Boshmaf, Yazan

AU - Beznosov, Konstantin

PY - 2018/5/29

Y1 - 2018/5/29

N2 - Recent research suggests that 88% of Android applications that use Java cryptographic APIs make at least one mistake, which results in an insecure implementation. It is unclear, however, if these mistakes originate from code written by application or third-party library developers. Understanding the responsible party for a misuse case is important for vulnerability disclosure. In this paper, we bridge this knowledge gap and introduce source attribution to the analysis of cryptographic API misuse. We developed BinSight, a static program analyzer that supports source attribution, and we analyzed 132K Android applications collected in years 2012, 2015, and 2016. Our results suggest that third-party libraries are the main source of cryptographic API misuse. In particular, 90% of the violating applications, which contain at least one call-site to Java cryptographic API, originate from libraries. When compared to 2012, we found the use of ECB mode for symmetric ciphers has significantly decreased in 2016, for both application and third-party library code. Unlike application code, however, third-party libraries have significantly increased their reliance on static encryption keys for symmetric ciphers and static IVs for CBC mode ciphers. Finally, we found that the insecure RC4 and DES ciphers were the second and the third most used ciphers in 2016.

AB - Recent research suggests that 88% of Android applications that use Java cryptographic APIs make at least one mistake, which results in an insecure implementation. It is unclear, however, if these mistakes originate from code written by application or third-party library developers. Understanding the responsible party for a misuse case is important for vulnerability disclosure. In this paper, we bridge this knowledge gap and introduce source attribution to the analysis of cryptographic API misuse. We developed BinSight, a static program analyzer that supports source attribution, and we analyzed 132K Android applications collected in years 2012, 2015, and 2016. Our results suggest that third-party libraries are the main source of cryptographic API misuse. In particular, 90% of the violating applications, which contain at least one call-site to Java cryptographic API, originate from libraries. When compared to 2012, we found the use of ECB mode for symmetric ciphers has significantly decreased in 2016, for both application and third-party library code. Unlike application code, however, third-party libraries have significantly increased their reliance on static encryption keys for symmetric ciphers and static IVs for CBC mode ciphers. Finally, we found that the insecure RC4 and DES ciphers were the second and the third most used ciphers in 2016.

KW - Android

KW - Applied Cryptography

KW - Cryptography APIs

KW - Source Attribution

KW - Static Analysis

UR - http://www.scopus.com/inward/record.url?scp=85049177050&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85049177050&partnerID=8YFLogxK

U2 - 10.1145/3196494.3196538

DO - 10.1145/3196494.3196538

M3 - Conference contribution

SP - 133

EP - 146

BT - ASIACCS 2018 - Proceedings of the 2018 ACM Asia Conference on Computer and Communications Security

PB - Association for Computing Machinery, Inc

ER -