Many popular Android apps have been found to be misusing cryptographic code, potentially putting users and their devices at risk.
Researchers from Columbia University uncovered a number of major flaws across multiple app categories that they say show many developers are using cryptographic code in an unsafe way.
The team found bugs or flaws in hundreds of Android apps, with some culprits breaking multiple rules in how to use such code properly, showing that understanding of even basic guidelines is still lacking in large parts of the mobile development industry.
To carry out their research, the Columbia team developed a custom tool named CRYLOGGER that was able to analyze Android apps for the 26 basic cryptography rules, including guidelines such as not using weak passwords, broken encryption, and not using HTTPS.
Overall, CRYLOGGER was tested on the most popular Android apps across 33 different categories on the Google Play Store during September and October 2019.
Of the 1,780 apps tested, 306 were found to break at least one rule, with some breaking multiple guidelines. The most common rules to be broken were, “don’t use an unsafe PRNG (pseudorandom number generator)” (broken by 1,775 apps), “Don’t use broken hash functions (SHA1, MD2, MD5, etc.)” (1,764 apps) and “Don’t use the operation mode CBC (client/server scenarios)” (1,076 apps).
The researchers noted that such rules would be well known to specialized cryptographers, but many regular app developers may be lacking in the specific knowledge or skills to use such tools properly, with this shortfall potentially putting users at risk.
The team reached out to the developers of the 306 Android applications found to be vulnerable, some of which had millions of downloads.
“Unfortunately, only 18 developers answered our first email of request and only 8 of them followed back with us multiple times providing useful feedback on our findings,” they noted, adding that they also contacted the developers of six popular Android libraries, but only heard back from two of them.