A Comparative Study of Misapplied Crypto in Android and iOS Applications

Johannes Feichtner

doi:10.5220/0007915300960108

A Comparative Study of Misapplied Crypto in Android and iOS Applications

Johannes Feichtner

Research output: Chapter in Book/Report/Conference proceeding › Conference paper › peer-review

Abstract

Many applications for Android and iOS process sensitive data and, therefore, rely on cryptographic APIs natively provided by the operating system. For this to be effective, essential rules need to be obeyed, as otherwise the attainable level of security would be weakened or entirely defeated. In this paper, we inspect the differences between Android and iOS concerning the proper usage of platform-specific APIs for cryptography. For both platforms, we present concrete strategies to detect critical mistakes and introduce a new framework for Android that excels in pinpointing the origin of problematic security attributes. Applied on real-world apps with cryptography, we find that out of 775 investigated apps that vendors distribute for both Android and iOS, 604 apps for iOS (78%) and 538 apps for Android (69%) suffer from at least one security misconception.

Original language	English
Title of host publication	Proceedings of the 16th International Joint Conference on e-Business and Telecommunications - Volume 2: SECRYPT
Place of Publication	Portugal
Publisher	SciTePress
Pages	96-108
Number of pages	12
ISBN (Electronic)	978-989-758-378-0,
DOIs	https://doi.org/10.5220/0007915300960108
Publication status	Published - 2019
Event	16th International Conference on Security and Cryptography - Prague, Czech Republic Duration: 26 Jul 2019 → 28 Jul 2019 http://www.secrypt.icete.org/?y=2019

Conference

Conference	16th International Conference on Security and Cryptography
Abbreviated title	SECRYPT 2019
Country/Territory	Czech Republic
City	Prague
Period	26/07/19 → 28/07/19
Internet address	http://www.secrypt.icete.org/?y=2019

Keywords

Static Analysis
Slicing
Android
iOS
Cryptography
Application Security

Access to Document

10.5220/0007915300960108

mainFinal published version, 149 KB

A-SIT - Secure Information Technology Center Austria
Stranacher, K., Dominikus, S., Leitold, H., Marsalek, A., Teufl, P., Bauer, W., Aigner, M. J., Rössler, T., Neuherz, E., Dietrich, K., Zefferer, T., Mangard, S., Payer, U., Orthacker, C., Lipp, P., Reiter, A., Knall, T., Bratko, H., Bonato, M., Suzic, B., Zwattendorfer, B., Kreuzhuber, S., Oswald, M. E., Tauber, A., Posch, R., Bratko, D., Feichtner, J., Ivkovic, M., Reimair, F., Wolkerstorfer, J. & Scheibelhofer, K.
21/05/99 → 6/08/20
Project: Research area

Cite this

Feichtner, J 2019, A Comparative Study of Misapplied Crypto in Android and iOS Applications. in Proceedings of the 16th International Joint Conference on e-Business and Telecommunications - Volume 2: SECRYPT. SciTePress, Portugal, pp. 96-108, 16th International Conference on Security and Cryptography, Prague, Czech Republic, 26/07/19. https://doi.org/10.5220/0007915300960108

@inproceedings{59cd6725a2f04c02a3def2685b34cab1,

title = "A Comparative Study of Misapplied Crypto in Android and iOS Applications",

abstract = "Many applications for Android and iOS process sensitive data and, therefore, rely on cryptographic APIs natively provided by the operating system. For this to be effective, essential rules need to be obeyed, as otherwise the attainable level of security would be weakened or entirely defeated. In this paper, we inspect the differences between Android and iOS concerning the proper usage of platform-specific APIs for cryptography. For both platforms, we present concrete strategies to detect critical mistakes and introduce a new framework for Android that excels in pinpointing the origin of problematic security attributes. Applied on real-world apps with cryptography, we find that out of 775 investigated apps that vendors distribute for both Android and iOS, 604 apps for iOS (78%) and 538 apps for Android (69%) suffer from at least one security misconception.",

keywords = "Static Analysis, Slicing, Android, iOS, Cryptography, Application Security",

author = "Johannes Feichtner",

year = "2019",

doi = "10.5220/0007915300960108",

language = "English",

pages = "96--108",

booktitle = "Proceedings of the 16th International Joint Conference on e-Business and Telecommunications - Volume 2: SECRYPT",

publisher = "SciTePress",

address = "Portugal",

note = "16th International Conference on Security and Cryptography, SECRYPT 2019 ; Conference date: 26-07-2019 Through 28-07-2019",

url = "http://www.secrypt.icete.org/?y=2019",

}

TY - GEN

T1 - A Comparative Study of Misapplied Crypto in Android and iOS Applications

AU - Feichtner, Johannes

PY - 2019

Y1 - 2019

N2 - Many applications for Android and iOS process sensitive data and, therefore, rely on cryptographic APIs natively provided by the operating system. For this to be effective, essential rules need to be obeyed, as otherwise the attainable level of security would be weakened or entirely defeated. In this paper, we inspect the differences between Android and iOS concerning the proper usage of platform-specific APIs for cryptography. For both platforms, we present concrete strategies to detect critical mistakes and introduce a new framework for Android that excels in pinpointing the origin of problematic security attributes. Applied on real-world apps with cryptography, we find that out of 775 investigated apps that vendors distribute for both Android and iOS, 604 apps for iOS (78%) and 538 apps for Android (69%) suffer from at least one security misconception.

AB - Many applications for Android and iOS process sensitive data and, therefore, rely on cryptographic APIs natively provided by the operating system. For this to be effective, essential rules need to be obeyed, as otherwise the attainable level of security would be weakened or entirely defeated. In this paper, we inspect the differences between Android and iOS concerning the proper usage of platform-specific APIs for cryptography. For both platforms, we present concrete strategies to detect critical mistakes and introduce a new framework for Android that excels in pinpointing the origin of problematic security attributes. Applied on real-world apps with cryptography, we find that out of 775 investigated apps that vendors distribute for both Android and iOS, 604 apps for iOS (78%) and 538 apps for Android (69%) suffer from at least one security misconception.

KW - Static Analysis

KW - Slicing

KW - Android

KW - iOS

KW - Cryptography

KW - Application Security

U2 - 10.5220/0007915300960108

DO - 10.5220/0007915300960108

M3 - Conference paper

SP - 96

EP - 108

BT - Proceedings of the 16th International Joint Conference on e-Business and Telecommunications - Volume 2: SECRYPT

PB - SciTePress

CY - Portugal

T2 - 16th International Conference on Security and Cryptography

Y2 - 26 July 2019 through 28 July 2019

ER -

A Comparative Study of Misapplied Crypto in Android and iOS Applications

Abstract

Conference

Keywords

Access to Document

Fingerprint

Projects

A-SIT - Secure Information Technology Center Austria

Cite this