A team of researchers from Columbia University has mass-tested 1,780 Android applications, sampling the most popular ones from 33 Play Store categories. The team focused on the cryptography aspect of the apps’ code, and on whether or not the developers followed basic rules in the field. Not only did many of them fail to do so, but most of the developers didn’t bother to fix anything even after the researchers contacted them.
The team used a tool named “CRYLOGGER,” which checked the code’s compliance against 26 basic cryptography rules. At least one bug was found in 306 of the 1,780 applications, roughly 17.2%. The most commonly found flaws were the use of an unsafe pseudo-random number generator, broken hash functions, and the CBC mode of operation. Evidently, many app developers aren’t well-versed in cryptography rules, as security is not treated as a core aspect of writing code.
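To make the three most common findings concrete, here is an added Java/Android example (not from the report or from CRYLOGGER itself) showing each flagged pattern next to a corrected form; the class and method names are my own, and the plaintext and key are constructed inline.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Random;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.IvParameterSpec;

public class CryptoRuleCheck {
    // Flagged: java.util.Random is not cryptographically secure, so any IV,
    // nonce or token drawn from it is predictable to an attacker.
    static byte[] weakIv() {
        byte[] iv = new byte[16];
        new Random().nextBytes(iv);
        return iv;
    }
    // Flagged: MD5 is a broken hash function (practical collisions).
    static byte[] weakDigest(byte[] data) throws Exception {
        return MessageDigest.getInstance("MD5").digest(data);
    }
    // Flagged: CBC provides no integrity; ciphertext can be altered undetected.
    static byte[] weakEncrypt(SecretKey key, byte[] iv, byte[] pt) throws Exception {
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(iv));
        return c.doFinal(pt);
    }

    // Corrected: SecureRandom for all secret or unpredictable values.
    static byte[] safeNonce() {
        byte[] nonce = new byte[12];                 // 96-bit GCM nonce
        new SecureRandom().nextBytes(nonce);
        return nonce;
    }
    // Corrected: an unbroken hash function.
    static byte[] safeDigest(byte[] data) throws Exception {
        return MessageDigest.getInstance("SHA-256").digest(data);
    }
    // Corrected: authenticated encryption; a fresh nonce is required per message.
    static byte[] safeEncrypt(SecretKey key, byte[] nonce, byte[] pt) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, nonce));
        return c.doFinal(pt);                        // ciphertext || 16-byte tag
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey key = kg.generateKey();            // constructed sample key
        byte[] pt = "session-token-1234".getBytes(StandardCharsets.UTF_8);
        System.out.println(safeEncrypt(key, safeNonce(), pt).length == pt.length + 16);
    }
}
```

The `weak*` methods are what a dynamic checker like CRYLOGGER would flag at runtime (the PRNG class, the digest algorithm string and the cipher transformation string); the `safe*` methods are the drop-in replacements.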
The researchers contacted the developers behind the 306 unsafe apps, some of which have more than 100 million downloads. Of the 306 developers, only 18 answered the email, and of those, only a subset of eight took the discussion further. In some cases, the bugs were in the apps’ own code, but in others, the culprit was a popular Android library used in the projects. Of the six library development teams contacted about this, only two answered.
All in all, nothing was fixed, in either the libraries or the apps, so all of the discovered flaws remain.
A notable aspect of this report is that we’re talking about top-rated and highly popular apps whose development teams should have the financial resources to employ security and cryptography experts. There is no excuse for not having taken these measures, and the fact that they failed to respond to the researchers’ notices makes this even worse. If the researchers were to look at sets of less popular apps, the percentage of flawed projects would likely be even higher.
The Columbia University team suggests that app developers use CRYLOGGER to analyze their code dynamically, in addition to using CryptoGuard, which is a static analyzer, so that the two together cover the entire spectrum of an app’s operation. For this purpose, CRYLOGGER has been made available on GitHub.