New tool detects unsafe security practices in Android apps

Android apps use cryptographic algorithms to secure users' data, such as credit card numbers, passwords, social security numbers, etc. If used correctly, cryptography protects sensitive data by making them unintelligible. Each cryptographic algorithm is appropriate for a specific scenario and requires the configuration of specific parameters. App and library developers, however, can misuse the application programming interfaces (API) of such algorithms by using constant keys, weak passwords, or by misconfiguring other specific parameters.

"Choosing the correct algorithm and configuring its parameters are critical to keep users' data secure, but it requires an understanding of cryptography," says the study's lead author Luca Piccolboni, a Ph.D. student who is advised by Luca Carloni, professor of computer science. "Wrong choices of the algorithms and/or misconfigurations of their parameters can result in data breaches."

CRYLOGGER is the first tool that detects cryptographic misuses by running the app instead of analyzing its code. This new approach is described in a paper that will be presented May 23-27 at IEEE Symposium on Security and Privacy 2021. In addition to Piccolboni and Carloni, the paper is authored by Giuseppe Di Guglielmo, associate research scientist in the computer science department, and Simha Sethumadhavan, associate professor of computer science and an expert in cybersecurity.

CRYLOGGER, which is open source, has several key advantages:

The researchers ran 1,780 popular Android apps downloaded from the official Google Play Store (the largest case study on cryptographic misuses not based on code analysis) and discovered that almost all the apps contained code or used libraries that did not strictly adhere to security standards. Many of them used broken algorithms and others adopted unsafe cryptographic practices to protect users' data.

A violation does not necessarily mean that an attack is possible. The rule violations should be treated as warnings to be further investigated. Some violations can be false alarms, because it is very hard to discriminate precisely between a real misuse and a harmless use in all situations. The researchers contacted more than 300 developers for confirmation, but only 10 provided useful feedback.

"Many developers do not consider attacks such as privilege escalation and side-channel attacks to be possible on phones, and so they store data locally without sufficient safeguards," notes Sethumadhavan.

The team also manually analyzed the code of 28 Android apps and found that some of the violations reported by CRYLOGGER could potentially be exploited. They see two significant applications of CRYLOGGER. Developers can use it to find cryptographic misuses in their apps as well as in the third-party libraries they use. App stores, such as the Google Play Store, can use CRYLOGGER to screen submitted apps to ensure they meet security standards and are safe for end users to download. Google already uses similar screening technologies to get rid of unsafe or scam apps, and these could be extended to consider cryptographic misuses.

The researchers are working on improving the accuracy of CRYLOGGER by defining techniques that will further reduce the number of false alarms. They are also using CRYLOGGER to perform inter-app analysis so that it can analyze how apps exchange data and determine if sensitive data are kept secure. In addition, they are putting rule checking for cryptographic misuses into hardware, rather than software, to force applications to use safe practices in critical contexts.

"While we keep working to improve the accuracy of CRYLOGGER, our approach can be used by app stores to promote better security practices," Carloni adds. "And we believe that CRYLOGGER's technique of analyzing thousands of Android applications by running them and collecting information that can be later analyzed offline could also be used in other security domains."
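The approach described above (log the parameters of cryptographic API calls while the app runs, then check the log offline against rules for broken algorithms, constant keys and misconfigured parameters) can be sketched as follows. This is an added example, not CRYLOGGER's code: the log format, the sample entries, the rule set and its thresholds are assumptions for illustration, and the constant-key check assumes the same app was run more than once.

```python
import re
from collections import defaultdict

# Constructed sample log: one line per observed crypto API call, prefixed by the
# run in which it was seen (format and values are made up for this example).
SAMPLE_LOG = """\
run=1 Cipher.getInstance AES/ECB/PKCS5Padding
run=1 SecretKeySpec 00112233445566778899aabbccddeeff
run=1 MessageDigest.getInstance MD5
run=1 PBEKeySpec iterations=100 salt=0102
run=1 IvParameterSpec 00000000000000000000000000000000
run=2 Cipher.getInstance AES/GCM/NoPadding
run=2 SecretKeySpec 00112233445566778899aabbccddeeff
run=2 MessageDigest.getInstance SHA-256
run=2 PBEKeySpec iterations=100000 salt=0102030405060708
run=2 IvParameterSpec 9f1c2b3a4d5e6f708192a3b4c5d6e7f8
"""

# Algorithms treated as broken by this illustrative rule set.
BROKEN = {"MD5", "SHA-1", "SHA1", "DES", "RC4", "ARCFOUR"}

def check_log(text):
    """Return (run, rule, detail) warnings; each is a lead to investigate, not proof of an attack."""
    warnings = []
    seen = defaultdict(set)  # (call, value) -> runs in which that exact value appeared
    for line in text.splitlines():
        run, call, arg = line.split(" ", 2)
        if call in ("Cipher.getInstance", "MessageDigest.getInstance"):
            if arg.split("/")[0].upper() in BROKEN:
                warnings.append((run, "broken-algorithm", arg))
            if "/ECB/" in arg.upper():
                warnings.append((run, "ecb-mode", arg))
        elif call in ("SecretKeySpec", "IvParameterSpec"):
            seen[(call, arg)].add(run)
            if call == "IvParameterSpec" and set(arg) == {"0"}:
                warnings.append((run, "zero-iv", arg))
        elif call == "PBEKeySpec":
            params = dict(re.findall(r"(\w+)=(\w+)", arg))
            if int(params["iterations"]) < 1000:      # assumed minimum iteration count
                warnings.append((run, "few-iterations", params["iterations"]))
            if len(params["salt"]) // 2 < 8:           # assumed minimum salt of 64 bits
                warnings.append((run, "short-salt", params["salt"]))
    # Identical key or IV bytes across independent runs suggest hard-coded secret material.
    for (call, value), runs in seen.items():
        if len(runs) > 1:
            warnings.append(("*", "constant-" + call, value))
    return warnings

if __name__ == "__main__":
    for run, rule, detail in check_log(SAMPLE_LOG):
        print(f"{run}\t{rule}\t{detail}")
```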
