Embed Size (px)
DESCRIPTION
Study about
Citation preview
CRYPTOGRAPHIC MISUSEIN ANDROID APPLICATIONS
By AASHISH R
USN : 1PI11CS002
INTRODUCTION
To secure data – developers use MAC and block ciphers.
Right way – security guarantees , wrong way – HACKING !!!!!!!!!
Focus on how to use cypto API’s in a crypto correct fashion.
Focus on android platform
- WHY ?
SMART PHONES store user passwords, location, and social network data.
- HOW ?
Android is closely related to Java, andJava's cryptographic API is stable.
- WHAT ?
Android applications allows us to perform our analysis on a large dataset.
Tools available to check flaws in market
Microsoft Crypto Verification Kit.
Mur.
Verification based approach.
Main advantage of verification-based approaches is that they provide strong
guarantees.
Heavyweight, require significant expertise, and require manual
effort
. Inappropriate for large-scale experiments.
. Not much use to Developers who are not cryptographers.
CRYPTOLINT
Androguard Android program analysis framework.
Cryp-to-Lint takes a raw Android binary, disassembles it, and checks for typical cryptographic
misuses quickly and accurately.
Who can use this ? – Appropraite for developers, app store operators, and security conscious users.
What the paper is about ?
- Use CRYPTOLINT to perform study on crypto implementations in 11K applications.
- Now that’s a dataset and study crypto lovers will enjoy doing.
CRYPTO IN ANDROID
Who is the virtual robot handling this ? – JCA
CSP registers themselves with Java cryptographic architecture.
What is CSP then ? CSP - Package providing implementations of cryptographic
algorithms.
Who has all cipher algorithms ? – Cipher API of android .
DIG DEEP INTO EXTRACTING GRAPHS
Control graphs of android
1. Target Dalvik byte code , analysis on top of Androguard
2. Androguard disassembles an application into classes ,methods , blocks and
instructions.
3. CryoptoLint attacks now
- Convert lower repr to Intermediate repr.
- 200 dalvik instructions -> 19 similar commands – Intermediate.
- extracts the class hierarchy of all classes ,procedural graphs .
- Converts all methods to SSA(SINGLE Static Assignment ).
4. Static program slicing
TIPS FOR CRYPTO DEVELOPERS
Do not use
1. ECB Mode for encryption
2. Do not use a non-random IV for CBC encryption.
3. Do not use constant encryption keys.
4. Do not use constant salts for PBE.
5. Do not use fewer than 1,000 iterations for PBE.
6. Do not use static seeds to seed
Evaluating CRYPTOLINT
CryptoLint is indeed useful to violations of the specified rules.
Applying CryptoLint on a large number of real-world applications, insight into the prevalence of
the misuse of cryptographic functionality in Android applications.
Analysed each application , its libraries used for cryptography.
Mostly used libraries are –
1. vending - Google License verification library.
2. google/ads - Google Advertising.
3. unity3d- Mobile game engine.
4. apache/james - Internet messaging.
5. openfeint - Social gaming platform.
RESULT of analysis
1
10
100
1000
10000
Number of distinct violated rules
from 1 to 6.
Case studies
Social gaming platform
- Application uses a static key with this encryption scheme
- Social network functionality while at the same time recording all network traces sent
by the application.
Password Managing application – 50,000 downloads
- open source with a publicly available GIT repository warrants a closer analysis.
Best libraries to use by ANDROID crypto developers
- AdMob
- Scoreloop
- Google verification library
LIMITATIONS
Applications that invoke cryptographic primitivesm from native code cannot
be analyzed.
CryptoLint cannot reason about applications that implement cryptographic
primitives ad-hoc.
CryptoLint only detects the use and misuses of those exposed through security
providers, ciphers, and MAC’s.
MITIGATIONS
Semantic contracts in API.
Poor default configurations in APIs .
API documentation.
