Researchers found crypto bugs in 306 popular Android apps

Columbia University researchers found bugs in 306 Google Play Store apps

According to Columbia University researchers, they found bugs in 306 Android apps.

CRYLOGGER, a new dynamic tool developed by Columbia University academics, found crypto bugs in more than 300 popular Android apps.^[1] The tool was used to test the most popular applications in different Google Play Store categories. In the end, it turned out that 306 out of 1,780 apps have crypto bugs.

Crypto bugs can put mobile app users and their devices at risk. The researchers say that these popular 306 applications are breaking at least one and some of them even up to 18 basic cryptography^[2] rules. Moreover, bugs weren't only in an application's code. Some common bugs were also part of Java libraries.

CRYLOGGER^[3] is a new custom tool that analyzes Android apps for unsafe use of cryptographic code according to 26 basic cryptography rules. Those rules include avoiding the use of:

• broken hash functions;
• reusing passwords multiple times;
• bad passwords;
• HTTP URL connections or a “badly-derived” key for encryption.

The tool developers explained how their research stands out:^[3]

Most of the recent research efforts focused on static approaches, while little has been done to bring dynamic approaches to the same level of completeness and effectiveness.

The researchers tried to contact the developers

After receiving the results of Android apps testing, the researchers tried to contact the developers of all 306 unsafe applications. Academics revealed worrying facts:^[3]

All the apps are popular: they have from hundreds of thousands of downloads to more than 100 million. Unfortunately, only 18 developers answered our first email of request and only 8 of them followed back with us multiple times providing useful feedback on our findings.

Although few developers answered to research team letters, none of them fixed their apps and libraries. Based on this knowledge, researchers from Columbia University decided to refrain from publishing vulnerable applications names^[4] because someone may try to exploit these vulnerabilities and harm the users.

The tool was designed to help developers check their apps for bugs

CRYLOGGER is meant to be an open-source tool and dynamic companion to CryptoGuard, another open-source tool. In a pre-publication named “CRYLOGGER: Detecting Crypto Misuses Dynamically” the researchers said:^[3]

We presented CRYLOGGER, the first tool that detects crypto misuses dynamically, while supporting a large number of rules. We released CRYLOGGER open-source to allow the community to use a dynamic tool alongside static analysis. We hope that application developers will adopt it to check their applications as well as the third-party libraries that they use.

However, judging from the fact that most developers even couldn't respond to researchers' letters, it is unclear when developers will want to use such a tool. Nevertheless, The Columbia University team made CRYLOGGER available on GitHub.^[5]

Also, after this research, everyone should understand how easy it is for popular mobile applications to break basic security rules. These 306 unsafe apps had a high number of downloads: from hundreds of thousands to more than hundreds of millions. And all users are still unaware that they are using programs that have crypto bugs.