Abstract
Misuse of cryptographic APIs remains one of the most common flaws in Android applications. The complexity of cryptographic APIs frequently overwhelms developers. This can lead to mistakes that leak sensitive user data to trivial attacks. Despite herculean efforts by platform provider Google, countermeasures introduced so far were not successful in preventing these flaws. Users remain at risk until an effective systemic mitigation has been found. In this paper, we propose a practical solution that mitigates crypto API misuse in compiled Android applications. It enables users to protect themselves against misuse exploitation until the research community has identified an effective long-term solution. CryptoShield consists of generic mitigation procedures for the most critical crypto API misuse scenarios and an implementation that autonomously extends protection onto all applications on an unrooted Android device. Our on-device CryptoShield Agent injects an instrumentation module into application packages, where it can intercept crypto API calls for detecting misuse and applying mitigations. Our solution was designed for real-world applicability. It retains the update flow through Google Play and can be integrated into existing MDM infrastructure. As a demonstration of CryptoShield's efficiency and efficacy, we conduct automated (1604 apps) and manual (99 apps) analyses on the most popular applications from Google Play, as well as measurements on synthetic benchmarks. Our solution mitigates crypto API misuse in 96 % of all vulnerable apps, while retaining full functionality for 92 % of all apps. On-device instrumentation takes roughly 11 seconds per application package on average, with minimal impact on package size (5 %) and negligible runtime overhead (571 ms on average app launches, 101 ms worst-case mitigation overhead per crypto API call).
Original language | English |
---|---|
Title | ASIA CCS 2023 - Proceedings of the 2023 ACM Asia Conference on Computer and Communications Security |
Pages | 899-912 |
Number of pages | 14 |
ISBN (electronic) | 9798400700989 |
Publication status | Published - 10 July 2023 |
Event | 18th ACM ASIA Conference on Computer and Communications Security: AsiaCCS 2023 - Melbourne, Australia. Duration: 10 July 2023 → 14 July 2023. https://asiaccs2023.org |
Publication series
Name | Proceedings of the ACM Conference on Computer and Communications Security |
---|---|
ISSN (print) | 1543-7221 |
Conference
Conference | 18th ACM ASIA Conference on Computer and Communications Security |
---|---|
Short title | AsiaCCS '23 |
Country/Territory | Australia |
City | Melbourne |
Period | 10/07/23 → 14/07/23 |
ASJC Scopus subject areas
- Software
- Computer Networks and Communications
Fields of Expertise
- Information, Communication & Computing
Treatment code (detailed classification)
- Experimental
Activities
- 1 talk at a conference or symposium
CryptoShield - Automatic On-Device Mitigation for Crypto API Misuse in Android Applications
Florian Draschbacher (speaker)
14 July 2023. Activity: Talk or presentation › Talk at a conference or symposium › Science to science