Saturday, December 14, 2013

Most Android Apps are Crypto Fails

This study from Carnegie Mellon and UCSB analyzed 11,748 Android apps that use crypto and found that 10,327 of them (88%) were flawed. They built a tool to check for extremely obvious crypto implementation errors such as:
  • Using ECB mode.
  • Using a non-random IV for CBC mode.
  • Using constant encryption keys.
  • Using constant salts for password hashing.
  • Using fewer than 1000 iterations in password hashing.
  • Seeding the random number generator with a static value.
Except for the "1000 iterations" one, these are all obvious flaws, and anyone who knows anything about cryptography should know that they are a bad idea. Especially "using constant encryption keys" - that's insane.
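To make the list above concrete, here is a small heuristic linter (an added example written for this post, not the study's tool) that scans Java source text for the textbook form of each of the six mistakes: a bare `"AES"` transformation (which Android's providers resolve to ECB) or an explicit `/ECB/`, an `IvParameterSpec`, `SecretKeySpec` or `PBEKeySpec` salt built from a string literal or array initialiser, a `PBEKeySpec` iteration count below 1000, and `setSeed` called with a literal. The two Java fragments it runs over are constructed samples; the `password` and `factory` identifiers in them are placeholders for variables the surrounding app code would define. The regexes only catch values written directly into the call, so a key or IV stored in a constant field one line earlier would slip past this version.

```python
"""Heuristic lint for the six crypto-misuse patterns listed in the post.

Added illustration, not the study's checker. The patterns are intentionally
simple: they flag keys, IVs, salts and seeds written as literals directly in
the javax.crypto call, and nothing more subtle than that.
"""
import re
from typing import List, Tuple

MIN_ITERATIONS = 1000  # threshold from the post's list of checks

# A byte[] fixed at compile time: "literal".getBytes(...) or new byte[] { ... }
LITERAL_BYTES = r'(?:"[^"]*"\.getBytes\([^)]*\)|new\s+byte\[\]\s*\{[^}]*\})'

RULES: List[Tuple[str, "re.Pattern[str]"]] = [
    # "AES" alone resolves to ECB on Android; "AES/ECB/..." asks for it explicitly.
    ("ECB mode", re.compile(r'Cipher\.getInstance\(\s*"AES(?:/ECB/[^"]*)?"\s*\)')),
    ("constant IV", re.compile(r'new\s+IvParameterSpec\(\s*' + LITERAL_BYTES)),
    ("constant key", re.compile(r'new\s+SecretKeySpec\(\s*' + LITERAL_BYTES)),
    # PBEKeySpec(password, salt, ...): flag a literal second argument.
    ("constant salt", re.compile(r'new\s+PBEKeySpec\([^,]+,\s*' + LITERAL_BYTES)),
    ("static RNG seed", re.compile(r'\.setSeed\(\s*(?:-?\d+L?|' + LITERAL_BYTES + r')\s*\)')),
]

# PBEKeySpec's third argument is the iteration count; the optional fourth is the key length.
PBE_ITERATIONS = re.compile(r'new\s+PBEKeySpec\(.*?,\s*(\d+)\s*(?:,\s*\d+\s*)?\)')


def lint_java(source: str) -> List[Tuple[int, str]]:
    """Return (line_number, finding) pairs for every flagged pattern, in source order."""
    findings: List[Tuple[int, str]] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        code = line.split("//", 1)[0]  # drop trailing line comments before matching
        for name, pattern in RULES:
            if pattern.search(code):
                findings.append((lineno, name))
        m = PBE_ITERATIONS.search(code)
        if m and int(m.group(1)) < MIN_ITERATIONS:
            findings.append((lineno, f"low iteration count ({m.group(1)})"))
    return findings


# Constructed sample: one of each mistake from the post's list.
# `password` is a placeholder for a char[] the app would obtain elsewhere.
FLAWED_JAVA = """\
Cipher c = Cipher.getInstance("AES");   // no mode given: ECB on Android
IvParameterSpec ivSpec = new IvParameterSpec("0123456789abcdef".getBytes());
SecretKeySpec key = new SecretKeySpec("secret-key-12345".getBytes(), "AES");
PBEKeySpec spec = new PBEKeySpec(password, "salt".getBytes(), 100, 256);
SecureRandom r = new SecureRandom();
r.setSeed(12345L);
"""

# Constructed sample of the same operations done properly: explicit CBC with a
# fresh IV, a random salt, 10000 PBKDF2 iterations, and a key derived from the
# password instead of embedded in the source. `factory` stands in for a
# SecretKeyFactory the app would create for "PBKDF2WithHmacSHA1".
HARDENED_JAVA = """\
Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
byte[] iv = new byte[16];
new SecureRandom().nextBytes(iv);
IvParameterSpec ivSpec = new IvParameterSpec(iv);
byte[] salt = new byte[16];
new SecureRandom().nextBytes(salt);
PBEKeySpec spec = new PBEKeySpec(password, salt, 10000, 256);
SecretKeySpec key = new SecretKeySpec(factory.generateSecret(spec).getEncoded(), "AES");
"""


if __name__ == "__main__":
    for label, src in (("flawed", FLAWED_JAVA), ("hardened", HARDENED_JAVA)):
        print(f"{label}: {len(lint_java(src))} finding(s)")
        for lineno, finding in lint_java(src):
            print(f"  line {lineno}: {finding}")
```

Running it reports six findings for the flawed fragment (one per item in the post's list, with line 4 producing two) and none for the hardened one. Note that the hardened fragment is only "clean" with respect to these six checks; CBC without a MAC still leaves the ciphertext malleable, which is outside what the study's list covers.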

Anyway, here are their results summarized in a table.


Their results make two things clear:
  • You shouldn't implement crypto yourself, even when you have a high-level API.
  • Just because an app "uses military-grade AES encryption", that does not mean it is secure. It probably isn't.

1 comment:

  1. Well-written blog! Excellent information provided by your article! Thanks for sharing. I really like the title of your blog. It's really catchy. This post is very informative and knowledgeable; I like the helpful information you provide in your articles. Keep it up.

    Dating App Development Company
