An empirical study of cryptographic misuse in Android applications

Proceedings of the ACM Conference on Computer and Communications Security

Volumn , Issue , 2013, Pages 73-83

  Egele, Manuel ^a   Brumley, David ^a   Fratantonio, Yanick ^b   Kruegel, Christopher ^b  

^a CARNEGIE MELLON UNIVERSITY   (United States)

^b UNIVERSITY OF CALIFORNIA   (United States)

Author keywords

program analysis; software security

Indexed keywords

ANDROID APPLICATIONS; CRYPTOGRAPHIC SECURITY; EMPIRICAL STUDIES; GOOGLE PLAYS; PERSONAL INFORMATION; PROGRAM ANALYSIS; SOFTWARE SECURITY;

APPLICATION PROGRAMS; CRYPTOGRAPHY; MOBILE DEVICES;

SECURITY OF DATA;

EID: 84889010243     PISSN: 15437221     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/2508859.2516693     Document Type: Conference Paper

References (29)

1. The legion of the bouncy castle. http://bouncycastle.org/, 2013.
2. M. Abadi and B. Warinschi. Password-Based Encryption Analyzed. In Proceedings of the international colloquium of Automata, Languages and Programming, pages 664-676. Springer, 2005.
3. I. Apple. iOS Security Contents, 2012.
4. M. Bellare, T. Kohno, and C. Namprempre. Authenticated encryption in SSH: Provably Fixing the SSH Binary Packet Protocol. In Proceedings of the 9th ACM conference on Computer and communications security, pages 1-11, 2002.
5. M. Bellare, T. Ristenpart, and S. Tessaro. Multi-instance Security and Its Application to Password-Based Cryptography. In Proceedings of the 32nd Annual Cryptology Conference, pages 312-329. Springer, 2012.
6. M. Bellare and P. Rogaway. Course notes for introduction to modern cryptography. cseweb.ucsd.edu/users/mihir/cse207/classnotes.html.
7. K. Bhargavan, C. Fournet, R. Corin, and E. Zalinescu. Cryptographically verified implementations for TLS. In Proceedings of the 15th ACM conference on computer and Communications security, pages 459-468, 2008.
8. H. Chen and D. Wagner. MOPS: An Infrastructure for Examining Security Properties of Software. In Proceedings of the 9th ACM conference on Computer and communications security, pages 235-244, 2002.
9. S. Clark and T. Goodspeed. Why (special agent) Johnny (still) can't encrypt: a security analysis of the APCO project 25 two-way radio system. In Proceedings of the 20th USENIX Security Symposium, 2011.
10. R. Cytron, J. Ferrante, B. K. Rosen, M. N. Wegman, and F. K. Zadeck. Efficiently Computing Static Single Assignment Form and the Control Dependence Graph. ACM Transactions on Programming Languages and Systems, 13(4):451-490, Oct. 1991.
11. J. Dean, D. Grove, and C. Chambers. Optimization of object-oriented programs using static class hierarchy analysis. In Proceedings of the 9th European Conference on Object-Oriented Programming, pages 77-101. Springer, 1995.
12. A. Desnos. Androguard: Reverse engineering, malware and goodware analysis of android applications ... and more (ninja !). http://code.google.com/p/ androguard/.
13. W. Enck, P. Gilbert, B.-G. Chun, L. P. Cox, J. Jung, P. McDaniel, and A. N. Sheth. TaintDroid: an information-flow tracking system for realtime privacy monitoring on smartphones. In Proceedings of the 9th USENIX Symposium on Operating Systems Design and Implementation, 2010.
14. W. Enck, M. Ongtang, and P. McDaniel. On lightweight mobile phone application certification. In Proceedings of the 16th ACM conference on computer and Communications security, pages 235-245, 2009.
15. S. Fahl, M. Harbach, T. Muders, M. Smith, L. Baumgärtner, and B. Freisleben. Why Eve and Mallory Love Android: An Analysis of Android SSL (In)Security. In Proceedings of the 19th ACM conference on Computer and communications security, pages 50-61, 2012.
16. A. P. Felt, E. Chin, S. Hanna, D. Song, and D. Wagner. Android permissions demystified. In Proceedings of the 18th ACM conference on Computer and communications security, pages 627-638, 2011.
17. J. Hoffmann, M. Ussath, T. Holz, and M. Spreitzenbarth. Slicing droids: program slicing for smali code. In In Proceedings of the 28th ACM Symposium on Applied Computing, 2013.
18. S. C. Johnson. Lint, a C Program Checker. Technical report, 1978.
19. B. Kaliski. PKCS #5: Password-based cryptography specification version 2.0. http://tools.ietf.org/html/rfc2898.
20. A. Klyubin. Some SecureRandom thoughts. http://android-developers. blogspot.co.uk/2013/08/some-securerandom-thoughts.html, 2013.
21. D. Larochelle and D. Evans. Statically Detecting Likely Buffer Overflow Vulnerabilities. In Proceedings of the 10th USENIX Security Symposium, pages 177-190, 2001.
22. J. C. Mitchell, M. Mitchell, and U. Stern. Automated Analysis of Cryptographic Protocols Using Murphi. In Proceedings of the IEEE Symposium on Security and Privacy, pages 141-151, 1997.
23. B. Moeller. TLS insecurity (attack on CBC). http://www.openssl.org/~bodo/ tls-cbc.txt, 2001.
24. M. Nauman, S. Khan, and X. Zhang. Apex: extending android permission model and enforcement with user-defined runtime constraints. In Proceedings of the 5th ACM Symposium on Information, Computer and Communications Security, pages 328-332, 2010.
25. P. Pearce, A. P. Felt, G. Nunez, and D. Wagner. AdDroid: Privilege separation for applications and advertisers in android. In Proceedings of the 7th ACM Symposium on Information, Computer and Communications Security, 2012.
26. T. Vidas, D. Votipka, and N. Christin. All Your Droid Are Belong To Us: A Survey of Current Android Attacks. In Proceedings of the 5th USENIX Workshop on Offensive Technologies, 2011.
27. M. Weiser. Program Slicing. In Proceedings of the 5th international conference on Software engineering, pages 439-449, 1981.
28. A. Whitten and J. Tygar. Why Johnny Can't Encrypt : A Usability Evaluation of PGP 5.0. In Proceedings of the 8th USENIX Security Symposium, 1999.
29. Y. Zhou, Z. Wang, W. Zhou, and X. Jiang. Hey, you, get off of my market: Detecting malicious apps in official and alternative android markets. In Proceedings of the 19th Annual Network and Distributed System Security Symposium, 2012.