This document discusses cryptographic misuse in Android applications. It introduces Cryptolint, a tool that analyzes Android applications to detect typical cryptographic misuses. Cryptolint leverages the Androguard framework to extract control graphs from applications and check for violations of cryptographic best practices. The author analyzes over 11,000 Android applications and finds widespread cryptographic issues, with many applications improperly using static keys or non-random initialization vectors. Case studies of specific applications reveal real-world security vulnerabilities.

1. CRYPTOGRAPHIC MISUSE
IN ANDROID APPLICATIONS
By AASHISH R
USN : 1PI11CS002

2. INTRODUCTION
 To secure data – developers use MAC and block ciphers.
 Right way – security guarantees , wrong way – HACKING !!!!!!!!!
 Focus on how to use cypto API’s in a crypto correct fashion.
 Focus on android platform
- WHY ?
SMART PHONES store user passwords, location, and social network data.
- HOW ?
Android is closely related to Java, andJava's cryptographic API is stable.
- WHAT ?
Android applications allows us to perform our analysis on a large dataset.

3. Tools available to check flaws in market
 Microsoft Crypto Verification Kit.
 Mur.
 Verification based approach.
 Main advantage of verification-based approaches is that they provide strong
guarantees.
 Heavyweight, require significant expertise, and require manual
effort
. Inappropriate for large-scale experiments.
. Not much use to Developers who are not cryptographers.

4. CRYPTOLINT
 Androguard Android program analysis framework.
 Cryp-to-Lint takes a raw Android binary, disassembles it, and checks for typical cryptographic
misuses quickly and accurately.
 Who can use this ? – Appropraite for developers, app store operators, and security conscious users.
 What the paper is about ?
- Use CRYPTOLINT to perform study on crypto implementations in 11K applications.
- Now that’s a dataset and study crypto lovers will enjoy doing.

5. CRYPTO IN ANDROID
 Who is the virtual robot handling this ? – JCA
 CSP registers themselves with Java cryptographic architecture.
 What is CSP then ? CSP - Package providing implementations of cryptographic
algorithms.
 Who has all cipher algorithms ? – Cipher API of android .

6. DIG DEEP INTO EXTRACTING GRAPHS
 Control graphs of android
1. Target Dalvik byte code , analysis on top of Androguard
2. Androguard disassembles an application into classes ,methods , blocks and
instructions.
3. CryoptoLint attacks now
- Convert lower repr to Intermediate repr.
- 200 dalvik instructions -> 19 similar commands – Intermediate.
- extracts the class hierarchy of all classes ,procedural graphs .
- Converts all methods to SSA(SINGLE Static Assignment ).
4. Static program slicing

7. TIPS FOR CRYPTO DEVELOPERS
Do not use
1. ECB Mode for encryption
2. Do not use a non-random IV for CBC encryption.
3. Do not use constant encryption keys.
4. Do not use constant salts for PBE.
5. Do not use fewer than 1,000 iterations for PBE.
6. Do not use static seeds to seed

8. Evaluating CRYPTOLINT
 CryptoLint is indeed useful to violations of the specified rules.
 Applying CryptoLint on a large number of real-world applications, insight into the prevalence of
the misuse of cryptographic functionality in Android applications.
 Analysed each application , its libraries used for cryptography.
 Mostly used libraries are –
1. vending - Google License verification library.
2. google/ads - Google Advertising.
3. unity3d- Mobile game engine.
4. apache/james - Internet messaging.
5. openfeint - Social gaming platform.

9. RESULT of analysis
10000
1000
10
1
100
Number of distinct violated rules
from 1 to 6.

10. Case studies
 Social gaming platform
- Application uses a static key with this encryption scheme
- Social network functionality while at the same time recording all network traces sent
by the application.
 Password Managing application – 50,000 downloads
- open source with a publicly available GIT repository warrants a closer analysis.
 Best libraries to use by ANDROID crypto developers
- AdMob
- Scoreloop
- Google verification library

11. LIMITATIONS
 Applications that invoke cryptographic primitivesm from native code cannot
be analyzed.
 CryptoLint cannot reason about applications that implement cryptographic
primitives ad-hoc.
 CryptoLint only detects the use and misuses of those exposed through security
providers, ciphers, and MAC’s.

12. MITIGATIONS
 Semantic contracts in API.
 Poor default configurations in APIs .
 API documentation.