Developers use cryptographic APIs in Android with the intent of securing data such as passwords and personal information on mobile devices. In this paper, we ask whether developers use the cryptographic APIs in a fashion that provides typical cryptographic notions of security, e.g., IND-CPA security. We develop program analysis techniques to automatically check programs on the Google Play marketplace, and find that 10.327 out of 11,748 applications that use cryptographic APIs -- 88% overall -- make at least one mistake. These numbers show that applications do not use cryptographic APIs in a fashion that maximizes overall security. We then suggest specific remediations based on our analysis towards improving overall cryptographic security in Android applications.
@inproceedings{Egele2015An_Empirical,
title = {{An Empirical Study of Cryptographic Misuse in Android Applications}},
author = {Egele, Manuel and Brumley, David and Fratantonio, Yanick and Kruegel, Christopher},
booktitle = {Proceedings of the 2013 ACM SIGSAC Conference on Computer \& Communications Security},
series = {CCS '13},
year = {2013},
address = {New York, NY, USA},
doi = {10.1145/2508859.2516693},
isbn = {978-1-4503-2477-9},
pages = {73--84},
publisher = {ACM},
url = {https://doi.org/10.1145/2508859.2516693}
}