Modelling Analysis and Auto-detection of Cryptographic Misuse in Android Applications

Shao, Shuai; Dong, Guowei; Guo, Tong; Yang, Ting; Chenjie, Shi

doi:10.1109/dasc.2014.22

Cited by 59 publications

(31 citation statements)

References 9 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…Besides the four aforementioned concerns, state-of-the-art works have also targeted less hot topics, often about highly specific issues. More representatively, works such as CryptoLint [33] and CMA [34] have leveraged static analysis to identify cryptography implementation problems in Android apps. Researchers have also extended the Julia [4] static analyzer to perform formal analyses of Android programs.…”

Section: Purposes Of the Analysesmentioning

confidence: 99%

Static analysis of android apps: A systematic literature review

Bissyand

Papadakis

et al. 2017

Information and Software Technology

285

178

View full text Add to dashboard Cite

Context: Static analysis approaches have been proposed to assess the security of Android apps, by searching for known vulnerabilities or actual malicious code. The literature thus has proposed a large body of works, each of which attempts to tackle one or more of the several challenges that program analyzers face when dealing with Android apps.Objective: We aim to provide a clear view of the state-of-the-art works that statically analyze Android apps, from which we highlight the trends of static analysis approaches, pinpoint where the focus has been put and enumerate the key aspects where future researches are still needed.Method: We have performed a systematic literature review which involves studying around 90 research papers published in software engineering, programming languages and security venues. This review is performed mainly in five dimensions: problems targeted by the approach, fundamental techniques used by authors, static analysis sensitivities considered, android characteristics taken into account and the scale of evaluation performed.Results: Our in-depth examination have led to several key findings: 1) Static analysis is largely performed to uncover security and privacy issues; 2) The Soot framework and the Jimple intermediate representation are the most adopted basic support tool and format, respectively; 3) Taint analysis remains the most applied technique in research approaches; 4) Most approaches support several analysis sensitivities, but very few approaches consider path-sensitivity; 5) There is no single work that has been proposed to tackle all challenges of static analysis that are related to Android programming; and 6) Only a small portion of state-of-the-art works have made their artifacts publicly available.Conclusion: The research community is still facing a number of challenges for building approaches that are aware altogether of implicit-Flows, dynamic code loading features, reflective calls, native code and multi-threading, in order to implement sound and highly precise static analyzers.

show abstract

Section: Purposes Of the Analysesmentioning

confidence: 99%

Static analysis of android apps: A systematic literature review

Bissyand

Papadakis

et al. 2017

Information and Software Technology

285

178

View full text Add to dashboard Cite

show abstract

“…The most recent work in this field of study is that realized by Shuai et al [24]. In their study, the authors initially define specific models of cryptographic misuse, in which they are based so as to build a tool of auto detection (CMA).…”

Section: Related Workmentioning

confidence: 99%

Evaluation of Cryptography Usage in Android Applications

Chatzikonstantinou¹,

Ntantogian²,

Καρόπουλος³

et al. 2016

Proceedings of the 9th EAI International Conference on Bio-Inspired Information and Communications Technologies (Formerly BIONE

View full text Add to dashboard Cite

Mobile application developers are using cryptography in their products to protect sensitive data like passwords, short messages, documents etc. In this paper, we study whether cryptography and related techniques are employed in a proper way, in order to protect these private data. To this end, we downloaded 49 Android applications from the Google Play marketplace and performed static and dynamic analysis in an attempt to detect possible cryptographic misuses. The results showed that 87.8% of the applications present some kind of misuse, while for the rest of them no cryptography usage was detected during the analysis. Finally, we suggest countermeasures, mainly intended for developers, to alleviate the issues identified by the analysis.

show abstract

“…Hybrid Analysis CMA uses hybrid approach for analysis [27]. However, the approach relies on manual analysis which limits it's scalability for large app stores.…”

Section: Discussionmentioning

confidence: 99%

sPECTRA: A precise framEwork for analyzing CrypTographic vulneRabilities in Android apps

Gajrani

Tripathi

Laxmi

et al. 2017

2017 14th IEEE Annual Consumer Communications &Amp; Networking Conference (CCNC)

View full text Add to dashboard Cite

This is the accepted version of the paper.This version of the publication may differ from the final published version. Abstract-The majority of Android applications (apps) deals with user's personal data. Users trust these apps and allow them to access all sensitive data. Cryptography, when employed in an appropriate way, can be used to prevent misuse of data. Unfortunately, cryptographic libraries also include vulnerable cryptographic services. Since Android app developers may not be cryptographic experts, this makes apps become the target of various attacks due to cryptographic vulnerabilities. Permanent repository linkIn this work, we present sPECTRA: an automated framework for analyzing wide range of cryptographic vulnerabilities in Android apps at large scale. sPECTRA is more precise and accurate in comparison to state-of-the-art approaches as it reduces both false negatives and false positives. The inclusion of Intelligent UI exploration during dynamic analysis makes sPECTRA deployable to analyze apps at large scale. Moreover, sPECTRA works on apk files without the need of any source code.We evaluate sPECTRA on 7,000 apps collected from 7 most popular Android app stores. Results indicate that 90% of apps are exploitable because of cryptographic vulnerabilities. We made sPECTRA available as an open source 1 .

show abstract

Modelling Analysis and Auto-detection of Cryptographic Misuse in Android Applications

Cited by 59 publications

References 9 publications

Static analysis of android apps: A systematic literature review

Static analysis of android apps: A systematic literature review

Evaluation of Cryptography Usage in Android Applications

sPECTRA: A precise framEwork for analyzing CrypTographic vulneRabilities in Android apps

Contact Info

Product

Resources

About