CryptoEval: Evaluating the risk of cryptographic misuses in Android apps with data‐flow analysis

Cong Sun; Xinpeng Xu; Yafei Wu; Dongrui Zeng; Gang Tan; Siqi Ma; Peicheng Wang

doi:10.1049/ise2.12117

IET Information Security (Jul 2023)

CryptoEval: Evaluating the risk of cryptographic misuses in Android apps with data‐flow analysis

Cong Sun,
Xinpeng Xu,
Yafei Wu,
Dongrui Zeng,
Gang Tan,
Siqi Ma,
Peicheng Wang

Affiliations

Cong Sun: School of Cyber Engineering Xidian University Xian China
Xinpeng Xu: School of Cyber Engineering Xidian University Xian China
Yafei Wu: School of Cyber Engineering Xidian University Xian China
Dongrui Zeng: Palo Alto Networks Santa Clara California USA
Gang Tan: Pennsylvania State University University Park Pennsylvania USA
Siqi Ma: University of New South Wales Canberra Australian Capital Territory Australia
Peicheng Wang: School of Cyber Engineering Xidian University Xian China

DOI: https://doi.org/10.1049/ise2.12117
Journal volume & issue: Vol. 17, no. 4
pp. 582 – 597

Abstract

Read online

Abstract The misunderstanding and incorrect configurations of cryptographic primitives have exposed severe security vulnerabilities to attackers. Due to the pervasiveness and diversity of cryptographic misuses, a comprehensive and accurate understanding of how cryptographic misuses can undermine the security of an Android app is critical to the subsequent mitigation strategies but also challenging. Although various approaches have been proposed to detect cryptographic misuse in Android apps, studies have yet to focus on estimating the security risks of cryptographic misuse. To address this problem, the authors present an extensible framework for deciding the threat level of cryptographic misuse in Android apps. Firstly, the authors propose a general and unified specification for representing cryptographic misuses to make our framework extensible and develop adapters to unify the detection results of the state‐of‐the‐art cryptographic misuse detectors, resulting in an adapter‐based detection tool chain for a more comprehensive list of cryptographic misuses. Secondly, the authors employ a misuse‐originating data‐flow analysis to connect each cryptographic misuse to a set of data‐flow sinks in an app, based on which the authors propose a quantitative data‐flow‐driven metric for assessing the overall risk of the app introduced by cryptographic misuses. To make the per‐app assessment more useful for app vetting at the app‐store level, the authors apply unsupervised learning to predict and classify the top risky threats to guide more efficient subsequent mitigation. In the experiments on an instantiated implementation of the framework, the authors evaluate the accuracy of our detection and the effect of data‐flow‐driven risk assessment of our framework. Our empirical study on over 40,000 apps, and the analysis of popular apps reveal important security observations on the real threats of cryptographic misuse in Android apps.

Published in IET Information Security

ISSN: 1751-8709 (Print); 1751-8717 (Online)
Publisher: Hindawi-IET
Country of publisher: United Kingdom
LCC subjects: Technology: Electrical engineering. Electronics. Nuclear engineering: Electronics: Computer engineering. Computer hardware; Science: Mathematics: Instruments and machines: Electronic computers. Computer science
Website: https://www.hindawi.com/journals/ietis/

About the journal

Abstract

Keywords