silversurfer
Only 18 of 306 app developers replied to the research team, only 8 engaged with the team after the first email.
A team of academics from Columbia University has developed a custom tool to dynamically analyze Android applications and see if they're using cryptographic code in an unsafe way.
Named CRYLOGGER, the tool was used to test 1,780 Android applications, representing the most popular apps across 33 different Play Store categories, in September and October 2019.
Researchers say the tool, which checked for 26 basic cryptography rules (see table below), found bugs in 306 Android applications. Some apps broke one rule, while others broke multiple.
The top three most broken rules were:
- Rule #18 - 1,775 apps - Don't use an unsafe PRNG (pseudorandom number generator)
- Rule #1 - 1,764 apps - Don't use broken hash functions (SHA1, MD2, MD5, etc.)
- Rule #4 - 1,076 apps - Don't use the operation mode CBC (client/server scenarios)
These are basic rules that any cryptographer knows very well, but rules that some app developers might not be aware of without having studied app security (AppSec) or advanced cryptography prior to entering the app development space. [...]
Additional details about the team's research are available in a pre-print named "CRYLOGGER: Detecting Crypto Misuses Dynamically" (PDF), set to be presented at the IEEE Symposium on Security and Privacy, next year, in May 2021.
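For readers who want to see what the three most-violated rules look like in actual Android/Java code, here is an added illustration (not from the article, the forum post, or the CRYLOGGER authors) placing the flagged API usage next to a form that satisfies each rule. It uses only the standard JCA/JCE classes that ship with Android and the JDK; the class name `CryptoRulesDemo` and the sample message are constructed for this example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Random;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

// Added example: each weak*/safe* pair maps to one of the rules quoted above.
public class CryptoRulesDemo {

    // Rule #18: java.util.Random is a predictable linear congruential generator.
    // Using it for keys, IVs, nonces or session tokens is what the rule flags.
    static byte[] weakToken() {
        byte[] token = new byte[16];
        new Random().nextBytes(token);      // predictable from its 48-bit seed
        return token;
    }

    // SecureRandom draws from the platform CSPRNG and is the accepted replacement.
    static byte[] safeToken() {
        byte[] token = new byte[16];
        new SecureRandom().nextBytes(token);
        return token;
    }

    // Rule #1: MD5 (and SHA-1) are collision-broken; the rule flags their use.
    static byte[] weakDigest(byte[] data) throws NoSuchAlgorithmException {
        return MessageDigest.getInstance("MD5").digest(data);
    }

    // SHA-256 is the usual drop-in replacement for integrity or fingerprinting.
    static byte[] safeDigest(byte[] data) throws NoSuchAlgorithmException {
        return MessageDigest.getInstance("SHA-256").digest(data);
    }

    // Rule #4: CBC without a MAC gives no integrity; a client/server protocol
    // built on it is exposed to padding-oracle style tampering.
    static byte[] weakEncrypt(SecretKey key, byte[] plaintext) throws Exception {
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, key);   // provider picks an IV; no auth tag
        return c.doFinal(plaintext);
    }

    // AES-GCM is an AEAD mode: the 128-bit tag authenticates the ciphertext.
    // The 96-bit nonce must be unique per message under the same key, so it is
    // drawn from SecureRandom and prepended to the output for the receiver.
    static byte[] safeEncrypt(SecretKey key, byte[] plaintext) throws Exception {
        byte[] nonce = new byte[12];
        new SecureRandom().nextBytes(nonce);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, nonce));
        byte[] ct = c.doFinal(plaintext);
        byte[] out = new byte[nonce.length + ct.length];
        System.arraycopy(nonce, 0, out, 0, nonce.length);
        System.arraycopy(ct, 0, out, nonce.length, ct.length);
        return out;
    }

    // Decryption fails with AEADBadTagException if a single byte was altered.
    static byte[] safeDecrypt(SecretKey key, byte[] blob) throws Exception {
        byte[] nonce = Arrays.copyOfRange(blob, 0, 12);
        byte[] ct = Arrays.copyOfRange(blob, 12, blob.length);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, nonce));
        return c.doFinal(ct);
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey key = kg.generateKey();
        byte[] msg = "session=abc123".getBytes(StandardCharsets.UTF_8);  // constructed sample
        byte[] blob = safeEncrypt(key, msg);
        System.out.println(new String(safeDecrypt(key, blob), StandardCharsets.UTF_8));
        System.out.println("token bytes: " + safeToken().length
                + ", digest bytes: " + safeDigest(msg).length);
    }
}
```

The weak* methods are kept only to show the exact calls a dynamic checker like the one described would log and match against its rules; a developer fixing an app would replace them with the safe* counterparts, and a reviewer can grep an APK's decompiled sources for `java.util.Random`, `"MD5"`, `"SHA-1"` and `"/CBC/"` as a cheap static first pass before any runtime analysis.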