TL;DR
This study investigates the prevalence of cryptographic misuses in Python projects, revealing that over half contain misuses, but good API design can significantly reduce these issues, especially in Python and embedded environments.
Contribution
The paper introduces a static analysis tool for Python crypto APIs and provides the first large-scale empirical study of crypto misuses in Python projects.
Findings
52.26% of Python projects have at least one crypto misuse
Good API design reduces the likelihood of misuses in Python
MicroPython projects benefit from hybrid analysis approaches
Abstract
Background: Previous studies have shown that up to 99.59 % of the Java apps using crypto APIs misuse the API at least once. However, these studies have been conducted on Java and C, while empirical studies for other languages are missing. For example, a controlled user study with crypto tasks in Python has shown that 68.5 % of the professional developers write a secure solution for a crypto task. Aims: To understand if this observation holds for real-world code, we conducted a study of crypto misuses in Python. Method: We developed a static analysis tool that covers common misuses of 5 different Python crypto APIs. With this analysis, we analyzed 895 popular Python projects from GitHub and 51 MicroPython projects for embedded devices. Further, we compared our results with the findings of previous studies. Results: Our analysis reveals that 52.26 % of the Python projects have at least…
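The abstract describes a static analysis that flags common misuses of Python crypto APIs. The following is an added illustration of how such a checker can be built on Python's `ast` module; it is example code written for this page, not the paper's tool, and its three rules (weak hash constructor, hard-coded AES key, ECB mode), the `WEAK_HASHES` table and the `SAMPLE` input are assumptions.

```python
# Toy AST-based detector for a few Python crypto API misuse patterns.
# The rules below are illustrative assumptions, not the paper's rule set.
import ast

# hashlib constructors treated as weak (assumed rule).
WEAK_HASHES = {"md5": "weak hash MD5", "sha1": "weak hash SHA-1"}

def _dotted(node):
    """Return 'a.b.c' for a Name/Attribute chain, else None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None

def find_crypto_misuses(source):
    """Return sorted [(line, message), ...] for suspicious calls in `source`."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        callee = _dotted(node.func) or ""
        # Rule 1: hashlib.md5()/sha1() unless marked usedforsecurity=False.
        name = callee.rpartition(".")[2]
        benign = any(k.arg == "usedforsecurity" and isinstance(k.value, ast.Constant)
                     and k.value.value is False for k in node.keywords)
        if callee.startswith("hashlib.") and name in WEAK_HASHES and not benign:
            findings.append((node.lineno, WEAK_HASHES[name]))
        # Rules 2 and 3: PyCryptodome-style AES.new(key, mode, ...) calls.
        if callee.endswith("AES.new") and node.args:
            key = node.args[0]
            if isinstance(key, ast.Constant) and isinstance(key.value, (str, bytes)):
                findings.append((node.lineno, "hard-coded key"))
            modes = [_dotted(a) for a in node.args[1:]]
            modes += [_dotted(k.value) for k in node.keywords if k.arg == "mode"]
            if any(m and m.endswith("MODE_ECB") for m in modes):
                findings.append((node.lineno, "ECB mode"))
    return sorted(findings)

# Constructed sample input: a weak hash on line 4, a hard-coded ECB key on line 6.
SAMPLE = '''import hashlib
from Crypto.Cipher import AES
def token(data):
    return hashlib.md5(data).hexdigest()
def encrypt(data):
    return AES.new(b"0123456789abcdef", AES.MODE_ECB).encrypt(data)'''
```

Running `find_crypto_misuses(SAMPLE)` yields one weak-hash finding on line 4 and two findings (ECB mode, hard-coded key) on line 6; a key passed as a variable with `AES.MODE_GCM` produces none.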
