Bugs detected in 306 popular Android apps.

Emmanuel

May 11, 2020
Only 18 of 306 app developers replied to the research team, and only 8 engaged with the team after the first email.
A team of academics from Columbia University has developed a custom tool to dynamically analyze Android applications and see if they're using cryptographic code in an unsafe way.

Named CRYLOGGER, the tool was used to test 1,780 Android applications, representing the most popular apps across 33 different Play Store categories, in September and October 2019.

Researchers say the tool, which checked for 26 basic cryptography rules (see table below), found bugs in 306 Android applications. Some apps broke one rule, while others broke multiple.

The top three most broken rules were:

  • Rule #18 - 1,775 apps - Don't use an unsafe PRNG (pseudorandom number generator)
  • Rule #1 - 1,764 apps - Don't use broken hash functions (SHA1, MD2, MD5, etc.)
  • Rule #4 - 1,076 apps - Don't use the operation mode CBC (client/server scenarios)

These are basic rules that any cryptographer knows very well, but rules that some app developers might not be aware of without having studied app security (AppSec) or advanced cryptography prior to entering the app development space.

[Table image: crylogger-rules.png. Image: Piccolboni et al.]

ONLY 18 OF 306 APP DEVELOPERS REPLIED TO THE RESEARCH TEAM

The Columbia University academics said that after they tested the apps, they also contacted all the developers of the 306 Android applications found to be vulnerable.

"All the apps are popular: they have from hundreds of thousands of downloads to more than 100 million," the research team said. "Unfortunately, only 18 developers answered our first email of request and only 8 of them followed back with us multiple times providing useful feedback on our findings."

While some crypto bugs were in an application's own code, some common bugs were also introduced by Java libraries used by the apps.

The researchers say they also contacted the developers of 6 popular Android libraries, but just like before, they only received answers from 2 of them.

Since none of the developers fixed their apps and libraries, researchers refrained from publishing the names of the vulnerable apps and libraries, citing possible exploitation attempts against the apps' users.

A COMPLEMENTARY TOOL TO CRYPTOGUARD

All in all, the research team believes they've built a powerful tool that can be reliably used by Android developers as a complementary utility to CryptoGuard.

The two tools are complementary because CryptoGuard is a static analyzer (it analyzes source code before it is executed), while CRYLOGGER is a dynamic analysis tool (it analyzes code while it's being executed). Since the two work on different levels, the academics believe both could be used to detect cryptography-related bugs in Android apps before app code hits user devices.

Just like CryptoGuard, CRYLOGGER's code is also available.
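
As an added illustration (not CRYLOGGER's code and not part of the original article), the sketch below checks the three most-broken rules listed above against a constructed log of crypto API call parameters, the way a dynamic analyzer can record what an app passes at runtime and evaluate the rules afterwards. The log layout, the app names and the `violated_rule` / `check_log` functions are assumptions made for this example.

```python
import json

# Constructed sample: one JSON record per crypto API call observed at runtime.
# The record layout is an assumption for this example, not CRYLOGGER's log format.
SAMPLE_LOG = """\
{"app": "com.example.shop", "api": "MessageDigest.getInstance", "arg": "MD5"}
{"app": "com.example.shop", "api": "Cipher.getInstance", "arg": "AES/CBC/PKCS5Padding"}
{"app": "com.example.shop", "api": "Random.<init>", "arg": "java.util.Random"}
{"app": "com.example.bank", "api": "MessageDigest.getInstance", "arg": "SHA-256"}
{"app": "com.example.bank", "api": "Cipher.getInstance", "arg": "AES/GCM/NoPadding"}
{"app": "com.example.bank", "api": "Random.<init>", "arg": "java.security.SecureRandom"}
{"app": "com.example.chat", "api": "MessageDigest.getInstance", "arg": "sha1"}
"""

BROKEN_HASHES = {"MD2", "MD5", "SHA1"}  # the hashes rule #1 names explicitly

def violated_rule(api, arg):
    """Return the rule number a single logged call breaks, or None."""
    if api == "MessageDigest.getInstance":
        # JCA algorithm names are case-insensitive; SHA-1 and SHA1 are the same digest
        name = arg.upper().replace("-", "")
        return 1 if name in BROKEN_HASHES else None
    if api == "Cipher.getInstance":
        # Transformation string is "algorithm/mode/padding"; the mode is field two.
        # Simplification: every CBC use is flagged, not only client/server scenarios.
        parts = arg.upper().split("/")
        return 4 if len(parts) > 1 and parts[1] == "CBC" else None
    if api == "Random.<init>":
        # Simplification: any generator other than SecureRandom counts as unsafe
        return 18 if arg != "java.security.SecureRandom" else None
    return None

def check_log(text):
    """Map each app to the sorted list of rule numbers it broke."""
    findings = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rule = violated_rule(rec["api"], rec["arg"])
        if rule is not None:
            findings.setdefault(rec["app"], set()).add(rule)
    return {app: sorted(rules) for app, rules in findings.items()}

if __name__ == "__main__":
    for app, rules in check_log(SAMPLE_LOG).items():
        print(app, "breaks rules", rules)
```

Because the check runs on parameters actually passed at runtime, it also catches algorithm names assembled from strings or supplied by a bundled library, which is where a dynamic check complements a static one.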