A Comparative Study of Misapplied Crypto in Android and iOS Applications

Cited by: 4
Authors
Feichtner, Johannes [1,2]
Affiliations
[1] Graz Univ Technol, Inst Appl Informat Proc & Commun IAIK, Graz, Austria
[2] Secure Informat Technol Ctr Austria A SIT, Vienna, Austria
Source
PROCEEDINGS OF THE 16TH INTERNATIONAL JOINT CONFERENCE ON E-BUSINESS AND TELECOMMUNICATIONS, VOL 2: SECRYPT | 2019
Keywords
Static Analysis; Slicing; Android; iOS; Cryptography; Application Security
DOI
10.5220/0007915300960108
CLC classification number
TP301 [Theory, Methods]
Discipline code
081202
Abstract
Many applications for Android and iOS process sensitive data and, therefore, rely on cryptographic APIs natively provided by the operating system. For this to be effective, essential rules need to be obeyed, as otherwise the attainable level of security would be weakened or entirely defeated. In this paper, we inspect the differences between Android and iOS concerning the proper usage of platform-specific APIs for cryptography. For both platforms, we present concrete strategies to detect critical mistakes and introduce a new framework for Android that excels in pinpointing the origin of problematic security attributes. Applied to real-world apps with cryptography, we find that out of 775 investigated apps that vendors distribute for both Android and iOS, 604 apps for iOS (78%) and 538 apps for Android (69%) suffer from at least one security misconception.
Pages: 96 / 108
Page count: 13