Modelling Analysis and Auto-detection of Cryptographic Misuse in Android Applications

Title: Modelling Analysis and Auto-detection of Cryptographic Misuse in Android Applications
Publication Type: Conference Paper
Year of Publication: 2014
Authors: Shao Shuai, Dong Guowei, Guo Tao, Yang Tianchang, Shi Chenjie
Conference Name: Dependable, Autonomic and Secure Computing (DASC), 2014 IEEE 12th International Conference on
Date Published: Aug
Keywords: Analytical models, android, Android (operating system), Android application, Androids, application program interfaces, CMA, cryptographic API, Cryptographic Misuse, cryptographic misuse autodetection, cryptographic misuse vulnerability model, cryptography, Encryption, Humanoid robots, Modelling Analysis, program diagnostics, prototype tool crypto misuse analyser, Runtime, static analysis, Vulnerability
Abstract

Cryptographic misuse affects a sizeable portion of Android applications. However, there is only an empirical study that has been made about this problem. In this paper, we perform a systematic analysis on the cryptographic misuse, build the cryptographic misuse vulnerability model and implement a prototype tool Crypto Misuse Analyser (CMA). The CMA can perform static analysis on Android apps and select the branches that invoke the cryptographic API. Then it runs the app following the target branch and records the cryptographic API calls. At last, the CMA identifies the cryptographic API misuse vulnerabilities from the records based on the pre-defined model. We also analyze dozens of Android apps with the help of CMA and find that more than a half of apps are affected by such vulnerabilities.

DOI: 10.1109/DASC.2014.22
Citation Key: 6945307