
Application Security

11/9/2020
04:40 PM
Dark Reading
Products and Releases

New Tool Detects Unsafe Security Practices in Android Apps

Open source CRYLOGGER detects cryptographic misuses by running the Android app instead of analyzing its code.

New York, NY—November 9, 2020—Computer scientists at Columbia Engineering have shown for the first time that it is possible to analyze how thousands of Android apps use cryptography without having access to the apps’ source code. The team’s new tool, CRYLOGGER, can tell when an Android app uses cryptography incorrectly: it detects the so-called “cryptographic misuses” in Android apps. Given a list of rules that should be followed for secure cryptography (guidelines developed by expert cryptographers and by organizations such as NIST and IETF that define security standards for protecting sensitive data), CRYLOGGER detects violations of these rules.

Android apps use cryptographic algorithms to secure users’ data, such as credit card numbers, passwords, and social security numbers. If used correctly, cryptography protects sensitive data by making them unintelligible to anyone without the key. Each cryptographic algorithm is appropriate for a specific scenario and requires the configuration of specific parameters. App and library developers, however, can misuse the application programming interfaces (APIs) of these algorithms, for example by using constant keys or weak passwords, or by misconfiguring other parameters.

“Choosing the correct algorithm and configuring its parameters are critical to keep users’ data secure, but it requires an understanding of cryptography,” says the study’s lead author Luca Piccolboni, a PhD student who is advised by Luca Carloni, professor of computer science. “Wrong choices of the algorithms and/or misconfigurations of their parameters can result in data breaches.”

CRYLOGGER is the first tool that detects cryptographic misuses by running the app instead of analyzing its code. This new approach is described in a paper that will be presented May 23-27 at the IEEE Symposium on Security and Privacy 2021. In addition to Piccolboni and Carloni, the paper is authored by Giuseppe Di Guglielmo, associate research scientist in the computer science department, and Simha Sethumadhavan, associate professor of computer science and an expert in cybersecurity.

How CRYLOGGER works:

1. CRYLOGGER runs the application with an instrumented crypto library.

2. CRYLOGGER collects a log containing the parameters of the crypto API calls.

3. CRYLOGGER checks the crypto rules and reports all the violations.
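The third step, rule checking over a parameter log, as an added illustration that is not CRYLOGGER's own code. The log format (`run|API|param=value|...`) and the rule set are constructed for this example; they cover the misuses the release mentions (constant keys, weak parameters, broken algorithms), with the constant-key rule inferred by comparing two runs of the same app.

```python
from collections import defaultdict

# Constructed sample log in a hypothetical format "<run>|<API>|<param>=<value>|...".
# Two runs of the same app are logged so that a key repeated across runs stands out.
LOG = """\
1|Cipher.getInstance|transformation=AES/ECB/PKCS5Padding
1|SecretKeySpec|algorithm=AES|key=00112233445566778899aabbccddeeff
1|Cipher.init|iv=00000000000000000000000000000000
1|MessageDigest.getInstance|algorithm=MD5
1|PBEKeySpec|iterations=100|salt=0000000000000000
1|SecureRandom.setSeed|seed=1234
2|Cipher.getInstance|transformation=AES/GCM/NoPadding
2|SecretKeySpec|algorithm=AES|key=00112233445566778899aabbccddeeff
2|PBEKeySpec|iterations=100000|salt=9f3a7c1e5b2d4068
"""

def parse(line):
    """Split one log line into (run, api, {param: value})."""
    run, api, *kvs = line.strip().split("|")
    return int(run), api, dict(kv.split("=", 1) for kv in kvs)

def all_zero(hexstr):
    return bool(hexstr) and set(hexstr) == {"0"}

# Per-call rules: (rule name, API the rule applies to, predicate on its parameters)
RULES = [
    ("ECB mode", "Cipher.getInstance", lambda p: "/ECB/" in p.get("transformation", "")),
    ("broken hash", "MessageDigest.getInstance",
     lambda p: p.get("algorithm", "").upper() in {"MD5", "SHA1", "SHA-1"}),
    ("few PBKDF iterations", "PBEKeySpec", lambda p: int(p.get("iterations", 0)) < 1000),
    ("static salt", "PBEKeySpec", lambda p: all_zero(p.get("salt", ""))),
    ("constant IV", "Cipher.init", lambda p: all_zero(p.get("iv", ""))),
    ("seeded SecureRandom", "SecureRandom.setSeed", lambda p: True),
]

def check(log):
    """Return [(line_no, rule)] for every rule violated in the log (0 = cross-run rule)."""
    violations = []
    runs_by_key = defaultdict(set)  # key bytes -> runs in which they were used
    for n, line in enumerate(log.splitlines(), 1):
        run, api, params = parse(line)
        for name, target, pred in RULES:
            if api == target and pred(params):
                violations.append((n, name))
        if api == "SecretKeySpec":
            runs_by_key[params["key"]].add(run)
    # Cross-run rule: identical key bytes in independent runs suggest a hard-coded key
    for key, runs in runs_by_key.items():
        if len(runs) > 1:
            violations.append((0, "constant key " + key[:8] + "..."))
    return violations

if __name__ == "__main__":
    for n, rule in check(LOG):
        print(f"line {n}: {rule}")
```

As the release notes, each hit is a warning to investigate rather than proof of an exploitable flaw; the GCM call and the 100,000-iteration PBKDF call in run 2 correctly produce no warnings.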

VIDEO #1: https://www.youtube.com/watch?v=p_OpxodV-gk

VIDEO #2: https://www.youtube.com/watch?v=ZLYedVDmTRA

Luca Piccolboni/Columbia Engineering

CRYLOGGER, which is open source, has several key advantages:

1. It can analyze closed-source apps, and does not need to modify the code of the app or its binary.

2. It analyzes the actual parameters used by the apps instead of their source code, so it focuses only on the code that is actually run.

3. It can perform inter-application analysis: it can detect when two apps communicate in non-secure ways or when data is shared across multiple apps when it should not be.

The researchers ran 1,780 popular Android apps downloaded from the official Google Play Store—the largest case study on cryptographic misuses not based on code analysis—and discovered that almost all the apps contained code or used libraries that did not strictly adhere to security standards. Many of them used broken algorithms and others adopted unsafe cryptographic practices to protect users’ data.

A violation does not necessarily mean that an attack is possible. The rule violations should be treated as warnings to be investigated further. Some violations can be false alarms, because it is very hard to precisely distinguish a genuine misuse from a benign use in every situation. The researchers contacted more than 300 developers for confirmation, but only 10 provided useful feedback.

“Many developers do not consider attacks such as privilege escalation and side-channel attacks to be possible on phones, and so they store data locally without sufficient safeguards,” notes Sethumadhavan.

The team also manually analyzed the code of 28 Android apps and found that some of the violations reported by CRYLOGGER could potentially be exploited. They see two significant applications of CRYLOGGER. Developers can use it to find cryptographic misuses in their apps as well as in the third-party libraries they use. App stores, such as the Google Play Store, can use CRYLOGGER to screen submitted apps to ensure they meet security standards and are safe for final users to download. Google already uses similar screening technologies to get rid of unsafe or scam apps and these could be extended to consider cryptographic misuses.

The researchers are working on improving the accuracy of CRYLOGGER by defining techniques that will further reduce the number of false alarms. They are also using CRYLOGGER to perform inter-app analysis so that it can analyze how apps exchange data and determine if sensitive data are kept secure. In addition, they are putting rule checking for cryptographic misuses into hardware, rather than software, to force applications to use safe practices in critical contexts.

“While we keep working to improve the accuracy of CRYLOGGER, our approach can be used by app stores to promote better security practices,” Carloni adds. “And we believe that CRYLOGGER’s technique of analyzing thousands of Android applications by running them and collecting information that can be later analyzed offline could also be used in other security domains.”

About the Study

The study is titled “CRYLOGGER: Detecting Crypto Misuses Dynamically.”

Authors are: Luca Piccolboni, Giuseppe Di Guglielmo, Luca P. Carloni, and Simha Sethumadhavan, Department of Computer Science, Columbia Engineering.

This work was supported in part by the National Science Foundation (1527821 and 1764000), a gift from Bloomberg, DARPA HR0011-18-C-0017 (System Security Integrated Through Hardware and firmware), and N00014-17-1-2010.

The authors declare no financial or other conflicts of interest.

###

LINKS:

Paper: https://www.computer.org/csdl/proceedings-article/sp/2021/893400a160/1mbmHwIxTb2

DOI: 10.1109/SP40001.2021.00010

CRYLOGGER code: https://github.com/lucapiccolboni/crylogger

VIDEO #1: https://www.youtube.com/watch?v=p_OpxodV-gk

VIDEO #2: https://www.youtube.com/watch?v=ZLYedVDmTRA

http://engineering.columbia.edu/

https://www.engineering.columbia.edu/faculty/luca-carloni

https://www.cs.columbia.edu

https://datascience.columbia.edu/

###

Columbia Engineering

Columbia Engineering, based in New York City, is one of the top engineering schools in the U.S. and one of the oldest in the nation. Also known as The Fu Foundation School of Engineering and Applied Science, the School expands knowledge and advances technology through the pioneering research of its more than 220 faculty, while educating undergraduate and graduate students in a collaborative environment to become leaders informed by a firm foundation in engineering. The School’s faculty are at the center of the University’s cross-disciplinary research, contributing to the Data Science Institute, Earth Institute, Zuckerman Mind Brain Behavior Institute, Precision Medicine Initiative, and the Columbia Nano Initiative. Guided by its strategic vision, “Columbia Engineering for Humanity,” the School aims to translate ideas into innovations that foster a sustainable, healthy, secure, connected, and creative humanity.
