CryptoShield - Automatic On-Device Mitigation for Crypto API Misuse in Android Applications

Florian Draschbacher*, Johannes Feichtner

*Corresponding author for this work

Research output: Chapter in Book/Report/Conference proceedingConference paperpeer-review

Abstract

Misuse of cryptographic APIs remains one of the most common flaws in Android applications. The complexity of cryptographic APIs frequently overwhelms developers. This can lead to mistakes that leak sensitive user data to trivial attacks. Despite herculean efforts by platform provider Google, countermeasures introduced so far were not successful in preventing these flaws. Users remain at risk until an effective systemic mitigation has been found.

In this paper, we propose a practical solution that mitigates crypto API misuse in compiled Android applications. It enables users to protect themselves against misuse exploitation until the research community has identified an effective long-term solution. CryptoShield consists of generic mitigation procedures for the most critical crypto API misuse scenarios and an implementation that autonomously extends protection onto all applications on an unrooted Android device. Our on-device CryptoShield Agent injects an instrumentation module into application packages, where it can intercept crypto API calls for detecting misuse and applying mitigations. Our solution was designed for real-world applicability. It retains the update flow through Google Play and can be integrated into existing MDM infrastructure.

As a demonstration of CryptoShield's efficiency and efficacy, we conduct automated (1604 apps) and manual (99 apps) analyses on the most popular applications from Google Play. Our solution mitigates crypto API misuse in 96 % of all vulnerable apps, while retaining full functionality for 92 % of all apps. On-device application instrumentation takes roughly 11 seconds per application package on average, with minimal impact on package size (5 %) and negligible runtime overhead (571 ms on average app launches).
Original languageEnglish
Title of host publicationASIA CCS '23: Proceedings of the 2023 ACM on Asia Conference on Computer and Communications Security
Publication statusAccepted/In press - 2023
Event18th ACM ASIA Conference on Computer and Communications Security (ACM ASIACCS 2023) - Melbourne, Australia
Duration: 10 Jul 202314 Jul 2023
https://asiaccs2023.org

Conference

Conference18th ACM ASIA Conference on Computer and Communications Security (ACM ASIACCS 2023)
Abbreviated titleAsiaCCS'23
Country/TerritoryAustralia
CityMelbourne
Period10/07/2314/07/23
Internet address

Keywords

  • Android
  • Mobile
  • Mobile Security
  • Mitigation
  • Instrumentation
  • Crypto API Misuse

ASJC Scopus subject areas

  • Software

Fields of Expertise

  • Information, Communication & Computing

Treatment code (Nähere Zuordnung)

  • Experimental

Fingerprint

Dive into the research topics of 'CryptoShield - Automatic On-Device Mitigation for Crypto API Misuse in Android Applications'. Together they form a unique fingerprint.

Cite this