Upload
aashish-r
View
143
Download
0
Embed Size (px)
DESCRIPTION
Android developers use less secure cypto API's to develop applications and hackers find it easy to hack into the data.Here is a study about all those development flaws which distinguishes a developer from a cryptographer.Cryptolint is solution to all of it .People are still in terms of using AES,DES algorithms for their encryption decryotion but what they are not realising is people have found ways to crack this.There are security flaws like in password storage applications where all passwords are stored in a normal text file.Cryptolint provides ways to find all these flaws and give remedies for same.
Citation preview
CRYPTOGRAPHIC MISUSE
IN ANDROID APPLICATIONS
By AASHISH R
INTRODUCTION
To secure data – developers use MAC and block ciphers.
Right way – security guarantees , wrong way – HACKING !!!!!!!!!
Focus on how to use cypto API’s in a crypto correct fashion.
Focus on android platform
- WHY ?
SMART PHONES store user passwords, location, and social network data.
- HOW ?
Android is closely related to Java, andJava's cryptographic API is stable.
- WHAT ?
Android applications allows us to perform our analysis on a large dataset.
Tools available to check flaws in market
Microsoft Crypto Verification Kit.
Mur.
Verification based approach.
Main advantage of verification-based approaches is that they provide strong
guarantees.
Heavyweight, require significant expertise, and require manual
effort
. Inappropriate for large-scale experiments.
. Not much use to Developers who are not cryptographers.
CRYPTOLINT
Androguard Android program analysis framework.
Cryp-to-Lint takes a raw Android binary, disassembles it, and checks for typical cryptographic
misuses quickly and accurately.
Who can use this ? – Appropraite for developers, app store operators, and security conscious users.
What the paper is about ?
- Use CRYPTOLINT to perform study on crypto implementations in 11K applications.
- Now that’s a dataset and study crypto lovers will enjoy doing.
CRYPTO IN ANDROID
Who is the virtual robot handling this ? – JCA
CSP registers themselves with Java cryptographic architecture.
What is CSP then ? CSP - Package providing implementations of cryptographic
algorithms.
Who has all cipher algorithms ? – Cipher API of android .
DIG DEEP INTO EXTRACTING GRAPHS
Control graphs of android
1. Target Dalvik byte code , analysis on top of Androguard
2. Androguard disassembles an application into classes ,methods , blocks and
instructions.
3. CryoptoLint attacks now
- Convert lower repr to Intermediate repr.
- 200 dalvik instructions -> 19 similar commands – Intermediate.
- extracts the class hierarchy of all classes ,procedural graphs .
- Converts all methods to SSA(SINGLE Static Assignment ).
4. Static program slicing
TIPS FOR CRYPTO DEVELOPERS
Do not use
1. ECB Mode for encryption
2. Do not use a non-random IV for CBC encryption.
3. Do not use constant encryption keys.
4. Do not use constant salts for PBE.
5. Do not use fewer than 1,000 iterations for PBE.
6. Do not use static seeds to seed
Evaluating CRYPTOLINT
CryptoLint is indeed useful to violations of the specified rules.
Applying CryptoLint on a large number of real-world applications, insight into the prevalence of
the misuse of cryptographic functionality in Android applications.
Analysed each application , its libraries used for cryptography.
Mostly used libraries are –
1. vending - Google License verification library.
2. google/ads - Google Advertising.
3. unity3d- Mobile game engine.
4. apache/james - Internet messaging.
5. openfeint - Social gaming platform.
RESULT of analysis
1
10
100
1000
10000
Number of distinct violated rules
from 1 to 6.
Case studies
Social gaming platform
- Application uses a static key with this encryption scheme
- Social network functionality while at the same time recording all network traces sent
by the application.
Password Managing application – 50,000 downloads
- open source with a publicly available GIT repository warrants a closer analysis.
Best libraries to use by ANDROID crypto developers
- AdMob
- Scoreloop
- Google verification library
LIMITATIONS
Applications that invoke cryptographic primitivesm from native code cannot
be analyzed.
CryptoLint cannot reason about applications that implement cryptographic
primitives ad-hoc.
CryptoLint only detects the use and misuses of those exposed through security
providers, ciphers, and MAC’s.
MITIGATIONS
Semantic contracts in API.
Poor default configurations in APIs .
API documentation.