Source Attribution of Cryptographic API Misuse in Android Applications

Muslukhov, Ildar; Boshmaf, Yazan; Beznosov, Konstantin

doi:10.1145/3196494.3196538

Cited by 31 publications

(33 citation statements)

References 16 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…And partial means that for the types of vulnerabilities in Table 7, FlowDroid and the method in Ref. [12] do not detect all cases, and there may be other vulnerability situations. FlowDroid can directly detect partial sensitive data leaks.…”

Section: Detect Other Types Of Security Vulnerabilities By Dynamic Anmentioning

confidence: 99%

See 1 more Smart Citation

A novel hybrid method to analyze security vulnerabilities in Android applications

Tang

Wang

et al. 2020

Tinshhua Sci. Technol.

View full text Add to dashboard Cite

We propose a novel hybrid method to analyze the security vulnerabilities in Android applications. Our method combines static analysis, which consists of metadata and data flow analyses with dynamic analysis, which includes dynamic executable scripts and application program interface hooks. Our hybrid method can effectively analyze nine major categories of important security vulnerabilities in Android applications. We design dynamic executable scripts that record and perform manual operations to customize the execution path of the target application. Our dynamic executable scripts can replace most manual operations, simplify the analysis process, and further verify the corresponding security vulnerabilities. We successfully statically analyze 5547 malwares in Drebin and 10 151 real-world applications. The average analysis time of each application in Drebin is 4.52 s, whereas it reaches 92.02 s for real-word applications. Our system can detect all the labeled vulnerabilities among 56 labeled applications. Further dynamic verification shows that our static analysis accuracy approximates 95% for real-world applications. Experiments show that our dynamic analysis can effectively detect the vulnerability named input unverified, which is difficult to be detected by other methods. In addition, our dynamic analysis can be extended to detect more types of vulnerabilities.

show abstract

Section: Detect Other Types Of Security Vulnerabilities By Dynamic Anmentioning

confidence: 99%

“…The analyzed vulnerability categories in Ref. [12] partially overlap with the "insecure password" vulnerability. The vulnerability categories detected by our system are relatively more comprehensive.…”

Section: Detect Other Types Of Security Vulnerabilities By Dynamic Anmentioning

confidence: 99%

A novel hybrid method to analyze security vulnerabilities in Android applications

Tang

Wang

et al. 2020

Tinshhua Sci. Technol.

View full text Add to dashboard Cite

show abstract

“…Formula (1) indicates that if s1 and s2 belong to different Activities, they correspond to different interface states and the similarity of them is zero. When s1 and s2 belong to the same Activity, the similarity of the corresponding interface state can be calculated based on the widget path set.…”

Section: Interface State Similarity Calculationmentioning

confidence: 99%

“…To protect users' privacy in network communications, the applications can use encryption-based functions and SSL protocols. However, recent research has pointed out that about 88% of Android applications misuse the Java crypto APIs and cause security vulnerabilities [1]. Although the Android SDK implements the SSL protocol (in this paper, SSL means secure sockets layer protocol SSL and transport layer security protocol TLS) to protect communication security, the situation has not been greatly alleviated.…”

Section: Introductionmentioning

confidence: 97%

SSLDetecter: Detecting SSL Security Vulnerabilities of Android Applications Based on a Novel Automatic Traversal Method

Tang

et al. 2019

Security and Communication Networks

View full text Add to dashboard Cite

Android usually employs the Secure Socket Layer (SSL) protocol to protect the user’s privacy in network transmission. However, developers may misuse SSL-related APIs, which would lead attackers to steal user’s privacy through man-in-the-middle attacks. Existing methods based on static decompiling technology to detect SSL security vulnerabilities of Android applications cannot cope with the increasingly common packed applications. Meanwhile, dynamic analysis approaches have the disadvantages of excessive resource consumption and time-consuming. In this paper, we propose a dynamic method to solve this issue based on our novel automatic traversal model. At first, we propose several new traversal strategies to optimize the widget tree according to the user interface (UI) types and the interface state similarity. Furthermore, we develop a more granular traversal model by refining the traversal level from the Activity component to the Widget and implement a heuristic depth-first traversal algorithm in combination with our customized traversal strategy. In addition, the man-in-the-middle agent plug-in is extended to implement real-time attack test and return the attack results. Based on the above ideas, we have implemented SSLDetecter, an efficient automated detection system of Android application SSL security vulnerability. We apply it on multiple devices in parallel to detect 2456 popular applications in several mainstream application markets and find that 424 applications are suffering from SSL security vulnerabilities. Compared with the existing system SMV-HUNTER, the time efficiency of our system increases by 38% and the average detection rate increases by 6.39 percentage points, with many types of SSL vulnerabilities detected.

show abstract

“…Next, these two classes are used in the "encryptCipher" method to initialize the Java Cipher class, in order to encrypt the PIN of the user using AES in CBC mode (see Figure 3 and 4) and store it in the device. Evidently, since the key and the initialization vector are static, it leads us to the conclusion that the produced ciphertext is deterministic [17] and can be easily decrypted to obtain the user's PIN. As a side note, the latest version released in September 2018, the vulnerabilities described have been fixed.…”

Section: E-banking Applicationmentioning

confidence: 99%

A forensic investigation of Android mobile applications

Kitsaki

Angelogianni

Ntantogian

et al. 2018

Proceedings of the 22nd Pan-Hellenic Conference on Informatics

View full text Add to dashboard Cite

This paper performs a forensic investigation to a set of Android mobile applications aiming at discovering sensitive information related to the owner of the mobile device. These applications were chosen based on the fact that: i) they are very popular on Google Play Store, ii) they handle sensitive personal information, iii) they have not been researched by previous works and iv) they are free to download and install. The three chosen applications belong to the following categories: bank, mobile network carrier and public transport. The evaluation of the security of the applications was performed using two techniques: code and disk analysis, as followed in the literature. Based on our findings we derive the conclusion that these applications despite their criticality have failed to incorporate security techniques to protect user's sensitive data and a forensic analysis can reveal crucial and significant information from a forensics point of view.

show abstract

Source Attribution of Cryptographic API Misuse in Android Applications

Cited by 31 publications

References 16 publications

A novel hybrid method to analyze security vulnerabilities in Android applications

A novel hybrid method to analyze security vulnerabilities in Android applications

SSLDetecter: Detecting SSL Security Vulnerabilities of Android Applications Based on a Novel Automatic Traversal Method

A forensic investigation of Android mobile applications

Contact Info

Product

Resources

About