Academics find crypto bugs in 306 popular Android apps, none get patched

silversurfer
Thread author
Only 18 of 306 app developers replied to the research team, and only 8 engaged with the team after the first email.

A team of academics from Columbia University has developed a custom tool to dynamically analyze Android applications and see if they're using cryptographic code in an unsafe way.

Named CRYLOGGER, the tool was used to test 1,780 Android applications, representing the most popular apps across 33 different Play Store categories, in September and October 2019.
Researchers say the tool, which checked for 26 basic cryptography rules (see table below), found bugs in 306 Android applications. Some apps broke one rule, while others broke multiple.

The top three most broken rules were:
  • Rule #18 - 1,775 apps - Don't use an unsafe PRNG (pseudorandom number generator)
  • Rule #1 - 1,764 apps - Don't use broken hash functions (SHA1, MD2, MD5, etc.)
  • Rule #4 - 1,076 apps - Don't use the operation mode CBC (client/server scenarios)
These are basic rules that any cryptographer knows very well, but rules that some app developers might not be aware of without having studied app security (AppSec) or advanced cryptography prior to entering the app development space. [...]
Additional details about the team's research are available in a pre-print named "CRYLOGGER: Detecting Crypto Misuses Dynamically" (PDF), set to be presented at the IEEE Symposium on Security and Privacy, next year, in May 2021.
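
The three most-broken rules quoted above, shown as the flagged Java/Android pattern next to a safer replacement. This is an added example written for this page, not code from the CRYLOGGER paper, the Columbia team, or the ZDNet article; the class name CryptoRulesDemo, the method names, and the sample message are hypothetical, chosen only to illustrate the rules, and the rule numbers follow the article's numbering.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Random;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.IvParameterSpec;

// Hypothetical demo class (not from the paper): each rule as the flagged
// pattern next to a replacement a reviewer would ask for.
public class CryptoRulesDemo {

    private static final SecureRandom RNG = new SecureRandom();

    // Rule #18: unsafe PRNG. java.util.Random is a 48-bit linear congruential
    // generator; a few observed outputs reveal its state, so IVs, nonces, salts
    // and tokens drawn from it are predictable to an attacker.
    static byte[] bytesFromUnsafePrng(int len) {
        byte[] out = new byte[len];
        new Random().nextBytes(out);           // flagged pattern
        return out;
    }

    static byte[] bytesFromSecureRandom(int len) {
        byte[] out = new byte[len];
        RNG.nextBytes(out);                    // CSPRNG seeded from the OS entropy source
        return out;
    }

    // Rule #1: broken hash functions. MD5 and SHA-1 both have practical
    // collision attacks, so they cannot serve as integrity or signature digests.
    static byte[] brokenDigest(byte[] data) throws NoSuchAlgorithmException {
        return MessageDigest.getInstance("MD5").digest(data);      // flagged pattern
    }

    static byte[] sha256(byte[] data) throws NoSuchAlgorithmException {
        return MessageDigest.getInstance("SHA-256").digest(data);
    }

    // Rule #4: CBC in a client/server setting. CBC gives confidentiality only;
    // a network peer can flip ciphertext bits undetected and, if padding errors
    // are distinguishable, use them as a decryption oracle.
    static byte[] cbc(int mode, SecretKey key, byte[] iv, byte[] in) throws Exception {
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");    // flagged pattern
        c.init(mode, key, new IvParameterSpec(iv));
        return c.doFinal(in);
    }

    // Replacement: AES-GCM (AEAD). The 128-bit tag covers ciphertext and
    // associated data, so any modification is rejected before plaintext is
    // returned. The 96-bit nonce must be fresh for every message under a key.
    static byte[] gcm(int mode, SecretKey key, byte[] nonce, byte[] in, byte[] aad) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(mode, key, new GCMParameterSpec(128, nonce));
        c.updateAAD(aad);
        return c.doFinal(in);   // DECRYPT_MODE throws AEADBadTagException if ct or aad changed
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey key = kg.generateKey();

        // Constructed sample message: 41 bytes, so three AES blocks after PKCS#5
        // padding. Flipping a byte in the first ciphertext block corrupts blocks
        // 0 and 1 but leaves the padding in block 2 valid, so CBC raises no error.
        byte[] msg = "transfer 100.00 to account 1234567890 now".getBytes(StandardCharsets.UTF_8);
        byte[] aad = "session=42".getBytes(StandardCharsets.UTF_8);

        byte[] iv = bytesFromSecureRandom(16);        // rule #18: not bytesFromUnsafePrng(16)
        byte[] cbcCt = cbc(Cipher.ENCRYPT_MODE, key, iv, msg);
        cbcCt[0] ^= 0x01;                             // one-byte tamper in transit
        byte[] cbcPt = cbc(Cipher.DECRYPT_MODE, key, iv, cbcCt);
        System.out.println("CBC raised no error; plaintext still equals original: "
                + Arrays.equals(cbcPt, msg));         // false: garbage accepted silently

        byte[] nonce = bytesFromSecureRandom(12);
        byte[] gcmCt = gcm(Cipher.ENCRYPT_MODE, key, nonce, msg, aad);
        gcmCt[0] ^= 0x01;                             // same tamper
        try {
            gcm(Cipher.DECRYPT_MODE, key, nonce, gcmCt, aad);
            System.out.println("GCM accepted tampered ciphertext (must not happen)");
        } catch (AEADBadTagException e) {
            System.out.println("GCM rejected tampered ciphertext: " + e.getClass().getSimpleName());
        }

        // Rule #1: same input, the flagged digest next to its replacement.
        System.out.println("MD5 digest bytes: " + brokenDigest(msg).length
                + ", SHA-256 digest bytes: " + sha256(msg).length);
    }
}
```

Compile and run with `javac CryptoRulesDemo.java && java CryptoRulesDemo`: the CBC branch returns corrupted plaintext with no exception, while the GCM branch throws AEADBadTagException. On a real server, that silent CBC acceptance combined with distinguishable padding errors is the padding-oracle setup the rule warns about; and because a repeated GCM nonce under one key is catastrophic, the nonce must come from SecureRandom (rule #18) rather than java.util.Random.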
 
