A Comparative Study of Misapplied Crypto in Android and iOS Applications

Publication: Contribution to book/report/conference proceedings › Contribution to conference proceedings › Research › Peer-reviewed

Abstract

Many applications for Android and iOS process sensitive data and, therefore, rely on cryptographic APIs natively provided by the operating system. For this to be effective, essential rules need to be obeyed, as otherwise the attainable level of security would be weakened or entirely defeated. In this paper, we inspect the differences between Android and iOS concerning the proper usage of platform-specific APIs for cryptography. For both platforms, we present concrete strategies to detect critical mistakes and introduce a new framework for Android that excels in pinpointing the origin of problematic security attributes. Applied on real-world apps with cryptography, we find that out of 775 investigated apps that vendors distribute for both Android and iOS, 604 apps for iOS (78%) and 538 apps for Android (69%) suffer from at least one security misconception.
Original language: English
Title: 16th International Conference on Security and Cryptography (SECRYPT 2019)
Place of publication: Portugal
Publisher: SciTePress
Number of pages: 12
Publication status: Accepted/In press - 2019
Event: 16th International Conference on Security and Cryptography - Prague, Czech Republic
Duration: 26 Jul 2019 to 28 Jul 2019
http://www.secrypt.icete.org/?y=2019

Conference

Conference: 16th International Conference on Security and Cryptography
Short title: SECRYPT 2019
Country: Czech Republic
City: Prague
Period: 26/07/19 to 28/07/19

Fingerprint

Application programs
Application programming interfaces (API)
Cryptography
iOS (operating system)
Android (operating system)

    Cite this

    Feichtner, J. (Accepted/In press). A Comparative Study of Misapplied Crypto in Android and iOS Applications. in 16th International Conference on Security and Cryptography (SECRYPT 2019) Portugal: SciTePress.

    A Comparative Study of Misapplied Crypto in Android and iOS Applications. / Feichtner, Johannes.

    16th International Conference on Security and Cryptography (SECRYPT 2019). Portugal : SciTePress, 2019.

    Feichtner, J 2019, A Comparative Study of Misapplied Crypto in Android and iOS Applications. in 16th International Conference on Security and Cryptography (SECRYPT 2019). SciTePress, Portugal, Prague, Czech Republic, 26/07/19.
    Feichtner J. A Comparative Study of Misapplied Crypto in Android and iOS Applications. in 16th International Conference on Security and Cryptography (SECRYPT 2019). Portugal: SciTePress. 2019
    Feichtner, Johannes. / A Comparative Study of Misapplied Crypto in Android and iOS Applications. 16th International Conference on Security and Cryptography (SECRYPT 2019). Portugal : SciTePress, 2019.
    @inproceedings{59cd6725a2f04c02a3def2685b34cab1,
    title = "A Comparative Study of Misapplied Crypto in Android and iOS Applications",
    abstract = "Many applications for Android and iOS process sensitive data and, therefore, rely on cryptographic APIs natively provided by the operating system. For this to be effective, essential rules need to be obeyed, as otherwise the attainable level of security would be weakened or entirely defeated. In this paper, we inspect the differences between Android and iOS concerning the proper usage of platform-specific APIs for cryptography. For both platforms, we present concrete strategies to detect critical mistakes and introduce a new framework for Android that excels in pinpointing the origin of problematic security attributes. Applied on real-world apps with cryptography, we find that out of 775 investigated apps that vendors distribute for both Android and iOS, 604 apps for iOS (78{\%}) and 538 apps for Android (69{\%}) suffer from at least one security misconception.",
    keywords = "Static Analysis, Slicing, Android, iOS, Cryptography, Application Security",
    author = "Johannes Feichtner",
    year = "2019",
    language = "English",
    booktitle = "16th International Conference on Security and Cryptography (SECRYPT 2019)",
    publisher = "SciTePress",
    address = "Portugal",

    }

    TY - GEN
    T1 - A Comparative Study of Misapplied Crypto in Android and iOS Applications
    AU - Feichtner, Johannes
    PY - 2019
    Y1 - 2019

    N2 - Many applications for Android and iOS process sensitive data and, therefore, rely on cryptographic APIs natively provided by the operating system. For this to be effective, essential rules need to be obeyed, as otherwise the attainable level of security would be weakened or entirely defeated. In this paper, we inspect the differences between Android and iOS concerning the proper usage of platform-specific APIs for cryptography. For both platforms, we present concrete strategies to detect critical mistakes and introduce a new framework for Android that excels in pinpointing the origin of problematic security attributes. Applied on real-world apps with cryptography, we find that out of 775 investigated apps that vendors distribute for both Android and iOS, 604 apps for iOS (78%) and 538 apps for Android (69%) suffer from at least one security misconception.

    AB - Many applications for Android and iOS process sensitive data and, therefore, rely on cryptographic APIs natively provided by the operating system. For this to be effective, essential rules need to be obeyed, as otherwise the attainable level of security would be weakened or entirely defeated. In this paper, we inspect the differences between Android and iOS concerning the proper usage of platform-specific APIs for cryptography. For both platforms, we present concrete strategies to detect critical mistakes and introduce a new framework for Android that excels in pinpointing the origin of problematic security attributes. Applied on real-world apps with cryptography, we find that out of 775 investigated apps that vendors distribute for both Android and iOS, 604 apps for iOS (78%) and 538 apps for Android (69%) suffer from at least one security misconception.

    KW - Static Analysis
    KW - Slicing
    KW - Android
    KW - iOS
    KW - Cryptography
    KW - Application Security
    M3 - Conference contribution
    BT - 16th International Conference on Security and Cryptography (SECRYPT 2019)
    PB - SciTePress
    CY - Portugal
    ER -