CRYLOGGER: Detecting Crypto Misuses Dynamically
Luca Piccolboni, Giuseppe Di Guglielmo, Luca P. Carloni, Simha Sethumadhavan

TL;DR
CRYLOGGER is a dynamic analysis tool that detects cryptographic misuses in Android apps by logging API parameters during execution, complementing static tools and revealing vulnerabilities in thousands of apps.
Contribution
It introduces CRYLOGGER, the first open-source dynamic tool for crypto misuse detection, and demonstrates its effectiveness alongside static analysis in real-world Android apps.
Findings
CRYLOGGER detects crypto misuses in thousands of Android apps.
It complements static tools like CryptoGuard for comprehensive detection.
Disclosed vulnerabilities to developers and received feedback.
Abstract
Cryptographic (crypto) algorithms are the essential ingredients of all secure systems: crypto hash functions and encryption algorithms, for example, can guarantee properties such as integrity and confidentiality. Developers, however, can misuse the application programming interfaces (API) of such algorithms by using constant keys and weak passwords. This paper presents CRYLOGGER, the first open-source tool to detect crypto misuses dynamically. CRYLOGGER logs the parameters that are passed to the crypto APIs during the execution and checks their legitimacy offline by using a list of crypto rules. We compare CRYLOGGER with CryptoGuard, one of the most effective static tools to detect crypto misuses. We show that our tool complements the results of CryptoGuard, making the case for combining static and dynamic approaches. We analyze 1780 popular Android apps downloaded from the Google Play…
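The log-then-check-offline workflow the abstract describes, as an added illustration that is not code from the paper or from the CRYLOGGER project: a constructed log of crypto API calls with their runtime parameters is parsed and then checked against a handful of crypto rules (ECB mode, all-zero IV, weak password and low iteration count for password-based keys, and a key literal that recurs unchanged across calls, treated here as hard-coded). The log line format, the rule thresholds and the tiny weak-password list are all assumptions.

```python
import re
from collections import Counter

# Constructed sample log (assumed format, not CRYLOGGER's own): one crypto API
# call per line with the parameter values observed at runtime.
SAMPLE_LOG = """\
Cipher.getInstance algorithm=AES/ECB/PKCS5Padding
SecretKeySpec key=000102030405060708090a0b0c0d0e0f algorithm=AES
PBEKeySpec password=password123 salt=0102030405060708 iterations=500
IvParameterSpec iv=00000000000000000000000000000000
SecretKeySpec key=000102030405060708090a0b0c0d0e0f algorithm=AES
Cipher.getInstance algorithm=AES/GCM/NoPadding
SecretKeySpec key=9f8e7d6c5b4a39281706f5e4d3c2b1a0 algorithm=AES
PBEKeySpec password=c0rrect-h0rse-battery-staple salt=a1b2c3d4e5f6a7b8 iterations=100000
"""

# Toy list standing in for a real weak-password dictionary (assumption).
WEAK_PASSWORDS = {"password", "password123", "123456", "admin"}
MIN_PBKDF_ITERATIONS = 1000  # threshold chosen for this example, not from the paper

def parse_log(text):
    """Split each log line into (api_name, {param: value})."""
    entries = []
    for line in text.splitlines():
        if line.strip():
            api, _, rest = line.partition(" ")
            entries.append((api, dict(re.findall(r"(\w+)=(\S+)", rest))))
    return entries

def check_rules(entries):
    """Apply offline crypto rules to the logged parameters; returns [(rule, value)]."""
    findings = []
    key_uses = Counter(p["key"] for api, p in entries if api == "SecretKeySpec")
    for api, p in entries:
        if api == "Cipher.getInstance" and "/ECB/" in p.get("algorithm", "").upper():
            findings.append(("ecb-mode", p["algorithm"]))
        elif api == "IvParameterSpec" and p.get("iv") and set(p["iv"]) <= {"0"}:
            findings.append(("static-iv", p["iv"]))
        elif api == "PBEKeySpec":
            pw = p.get("password", "")
            if pw.lower() in WEAK_PASSWORDS or len(pw) < 8:
                findings.append(("weak-password", pw))
            if int(p.get("iterations", "0")) < MIN_PBKDF_ITERATIONS:
                findings.append(("low-iterations", p["iterations"]))
    # A key literal seen unchanged in more than one call is treated as hard-coded.
    for key, n in key_uses.items():
        if n > 1:
            findings.append(("constant-key", key))
    return findings

if __name__ == "__main__":
    for rule, value in check_rules(parse_log(SAMPLE_LOG)):
        print(f"{rule}: {value}")
```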
