An Empirical Study of Cryptographic Misuse in Android Applications.
Speaker/Bio
Manuel Egele is an assistant professor of Electrical and Computer
Engineering at Boston University. Prior to his appointment at BU, he was
a systems scientist at Carnegie Mellon University. Before that he was a
post-doctoral researcher at the Computer Security Group of the
Department of Computer Science at the University of California, Santa
Barbara. He received his M.Sc. (2006) and Ph.D. (2011) degrees in
computer science from the University of Technology in Vienna. His
research interests span all areas of systems security -- in particular
mobile and embedded systems security, privacy, and malicious code
analysis.
Abstract
Developers use cryptographic APIs in Android with the intent
of securing data such as passwords and personal information on mobile
devices. In this paper, we ask whether developers use the cryptographic
APIs in a fashion that provides typical cryptographic notions of
security, e.g., IND-CPA security. We develop program analysis techniques
to automatically check programs on the Google Play marketplace, and find
that 10,327 out of 11,748 applications that use cryptographic APIs
(88% overall) make at least one mistake. These numbers show that
applications do not use cryptographic APIs in a fashion that maximizes
overall security.
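To make the abstract's IND-CPA point concrete, the following Java program is an added illustration (not code from the paper or the talk) of one misuse of the Android/JCE Cipher API that breaks IND-CPA security, next to a correct use. ECB mode is deterministic: encrypting the same message twice under the same key gives the same ciphertext, and equal plaintext blocks produce equal ciphertext blocks, so an observer can distinguish messages without the key. The corrected variant uses AES-GCM with a fresh random nonce per message, so repeated encryptions of the same plaintext are unlinkable and the ciphertext is also integrity-protected. The 32-byte plaintext is constructed for the demo; the transformation strings and the `GCMParameterSpec` API are standard JCE (available on Android since API level 19) and the key is freshly generated rather than embedded in the app.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

public class CryptoMisuseDemo {
    // Constructed demo plaintext: two identical 16-byte blocks.
    private static final byte[] PLAINTEXT =
        "ATTACKATDAWN!!!!ATTACKATDAWN!!!!".getBytes(StandardCharsets.US_ASCII);

    // Misuse: ECB mode. Deterministic, no IV; equal plaintext blocks give equal
    // ciphertext blocks, so the scheme is not IND-CPA secure. On the default
    // Android/JCE providers the bare transformation string "AES" resolves to
    // this same AES/ECB/PKCS5Padding, which is how the misuse usually sneaks in.
    static byte[] encryptEcb(SecretKey key, byte[] plaintext) throws Exception {
        Cipher c = Cipher.getInstance("AES/ECB/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, key);
        return c.doFinal(plaintext);
    }

    // Correct use: AES-GCM with a fresh, random 12-byte nonce for every message.
    // The nonce is not secret and is prepended to the ciphertext for decryption.
    static byte[] encryptGcm(SecretKey key, byte[] plaintext) throws Exception {
        byte[] nonce = new byte[12];
        new SecureRandom().nextBytes(nonce);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, nonce));
        byte[] ct = c.doFinal(plaintext);
        byte[] out = new byte[nonce.length + ct.length];
        System.arraycopy(nonce, 0, out, 0, nonce.length);
        System.arraycopy(ct, 0, out, nonce.length, ct.length);
        return out;
    }

    // Splits off the nonce, then decrypts and verifies the GCM tag in one step.
    static byte[] decryptGcm(SecretKey key, byte[] blob) throws Exception {
        byte[] nonce = Arrays.copyOfRange(blob, 0, 12);
        byte[] ct = Arrays.copyOfRange(blob, 12, blob.length);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, nonce));
        return c.doFinal(ct);
    }

    // True when the first two 16-byte ciphertext blocks are identical, i.e. the
    // repeated plaintext block leaks through the encryption.
    static boolean firstTwoBlocksEqual(byte[] ct) {
        return Arrays.equals(Arrays.copyOfRange(ct, 0, 16),
                             Arrays.copyOfRange(ct, 16, 32));
    }

    public static void main(String[] args) throws Exception {
        // Key generated at runtime; a key stored as a constant in the APK would
        // be a separate misuse regardless of the mode chosen.
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey key = kg.generateKey();

        byte[] ecb1 = encryptEcb(key, PLAINTEXT);
        byte[] ecb2 = encryptEcb(key, PLAINTEXT);
        System.out.println("ECB: same message twice gives identical ciphertext? "
                           + Arrays.equals(ecb1, ecb2));
        System.out.println("ECB: repeated plaintext block visible in ciphertext? "
                           + firstTwoBlocksEqual(ecb1));

        byte[] gcm1 = encryptGcm(key, PLAINTEXT);
        byte[] gcm2 = encryptGcm(key, PLAINTEXT);
        System.out.println("GCM: same message twice gives identical ciphertext? "
                           + Arrays.equals(gcm1, gcm2));
        System.out.println("GCM: decrypts back to the original plaintext? "
                           + Arrays.equals(decryptGcm(key, gcm1), PLAINTEXT));
    }
}
```

Compile and run with `javac CryptoMisuseDemo.java && java CryptoMisuseDemo`. The ECB checks print `true` twice and the GCM checks print `false` then `true`, which is exactly the distinguishing experiment behind IND-CPA: the deterministic scheme lets the observer tell repeated messages apart, the randomized one does not. A static checker of the kind the abstract describes can flag the first pattern from the transformation string alone, without running the app.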
References
- M. Egele, D. Brumley, Y. Fratantonio, and C. Kruegel, "An empirical study of cryptographic misuse in Android applications." Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security, 2013.