CryptoExplorer: An Interactive Web Platform Supporting Secure Use of Cryptography APIs
Mohammadreza Hazhirpasand, Mohammad Ghafari, Oscar Nierstrasz

TL;DR
CryptoExplorer is an interactive web platform that provides developers with a large collection of real-world secure and insecure cryptography API examples, helping them learn proper API usage efficiently.
Contribution
It introduces a platform with a curated dataset of secure and insecure cryptography API uses from GitHub, facilitating better developer education and API security awareness.
Findings
Developers can access secure API examples instantly.
CryptoExplorer saves time compared to internet searches.
Studying insecure examples helps avoid misuses of cryptographic APIs.
Abstract
Research has shown that cryptographic APIs are hard to use. Consequently, developers resort to using code examples available in online information sources that are often not secure. We have developed a web platform, named CryptoExplorer, stocked with numerous real-world secure and insecure examples that developers can explore to learn how to use cryptographic APIs properly. This platform currently provides 3,263 secure uses and 5,897 insecure uses of the Java Cryptography Architecture mined from 2,324 Java projects on GitHub. A preliminary study shows that CryptoExplorer provides developers with secure crypto API use examples instantly, developers can save time compared to searching on the internet for such examples, and they learn to avoid using certain algorithms in APIs by studying misused API examples. We have a pipeline to regularly mine more projects, and, on request, we offer our…
