Abstract
Misuse of cryptographic APIs remains one of the most common flaws in Android applications. The complexity of cryptographic APIs frequently overwhelms developers. This can lead to mistakes that leak sensitive user data to trivial attacks. Despite herculean efforts by platform provider Google, countermeasures introduced so far were not successful in preventing these flaws. Users remain at risk until an effective systemic mitigation has been found.
In this paper, we propose a practical solution that mitigates crypto API misuse in compiled Android applications. It enables users to protect themselves against misuse exploitation until the research community has identified an effective long-term solution. CryptoShield consists of generic mitigation procedures for the most critical crypto API misuse scenarios and an implementation that autonomously extends protection onto all applications on an unrooted Android device. Our on-device CryptoShield Agent injects an instrumentation module into application packages, where it can intercept crypto API calls for detecting misuse and applying mitigations. Our solution was designed for real-world applicability. It retains the update flow through Google Play and can be integrated into existing MDM infrastructure.
As a demonstration of CryptoShield's efficiency and efficacy, we conduct automated (1604 apps) and manual (99 apps) analyses on the most popular applications from Google Play. Our solution mitigates crypto API misuse in 96 % of all vulnerable apps, while retaining full functionality for 92 % of all apps. On-device application instrumentation takes roughly 11 seconds per application package on average, with minimal impact on package size (5 %) and negligible runtime overhead (571 ms on average app launches).
In this paper, we propose a practical solution that mitigates crypto API misuse in compiled Android applications. It enables users to protect themselves against misuse exploitation until the research community has identified an effective long-term solution. CryptoShield consists of generic mitigation procedures for the most critical crypto API misuse scenarios and an implementation that autonomously extends protection onto all applications on an unrooted Android device. Our on-device CryptoShield Agent injects an instrumentation module into application packages, where it can intercept crypto API calls for detecting misuse and applying mitigations. Our solution was designed for real-world applicability. It retains the update flow through Google Play and can be integrated into existing MDM infrastructure.
As a demonstration of CryptoShield's efficiency and efficacy, we conduct automated (1604 apps) and manual (99 apps) analyses on the most popular applications from Google Play. Our solution mitigates crypto API misuse in 96 % of all vulnerable apps, while retaining full functionality for 92 % of all apps. On-device application instrumentation takes roughly 11 seconds per application package on average, with minimal impact on package size (5 %) and negligible runtime overhead (571 ms on average app launches).
| Original language | English |
|---|---|
| Title of host publication | ASIA CCS '23: Proceedings of the 2023 ACM on Asia Conference on Computer and Communications Security |
| Publication status | Accepted/In press - 2023 |
| Event | 18th ACM ASIA Conference on Computer and Communications Security (ACM ASIACCS 2023) - Melbourne, Australia Duration: 10 Jul 2023 → 14 Jul 2023 https://asiaccs2023.org |
Conference
| Conference | 18th ACM ASIA Conference on Computer and Communications Security (ACM ASIACCS 2023) |
|---|---|
| Abbreviated title | AsiaCCS'23 |
| Country/Territory | Australia |
| City | Melbourne |
| Period | 10/07/23 → 14/07/23 |
| Internet address |
Keywords
- Android
- Mobile
- Mobile Security
- Mitigation
- Instrumentation
- Crypto API Misuse
ASJC Scopus subject areas
- Software
Fields of Expertise
- Information, Communication & Computing
Treatment code (Nähere Zuordnung)
- Experimental
