Activities per year
Abstract
Misuse of cryptographic APIs remains one of the most common flaws in Android applications. The complexity of cryptographic APIs frequently overwhelms developers. This can lead to mistakes that leak sensitive user data to trivial attacks. Despite herculean efforts by platform provider Google, countermeasures introduced so far were not successful in preventing these flaws. Users remain at risk until an effective systemic mitigation has been found. In this paper, we propose a practical solution that mitigates crypto API misuse in compiled Android applications. It enables users to protect themselves against misuse exploitation until the research community has identified an effective long-term solution. CryptoShield consists of generic mitigation procedures for the most critical crypto API misuse scenarios and an implementation that autonomously extends protection onto all applications on an unrooted Android device. Our on-device CryptoShield Agent injects an instrumentation module into application packages, where it can intercept crypto API calls for detecting misuse and applying mitigations. Our solution was designed for real-world applicability. It retains the update flow through Google Play and can be integrated into existing MDM infrastructure. As a demonstration of CryptoShield's efficiency and efficacy, we conduct automated (1604 apps) and manual (99 apps) analyses on the most popular applications from Google Play, as well as measurements on synthetic benchmarks. Our solution mitigates crypto API misuse in 96 % of all vulnerable apps, while retaining full functionality for 92 % of all apps. On-device instrumentation takes roughly 11 seconds per application package on average, with minimal impact on package size (5 %) and negligible runtime overhead (571 ms on average app launches, 101 ms worst-case mitigation overhead per crypto API call).
Original language | English |
---|---|
Title of host publication | ASIA CCS 2023 - Proceedings of the 2023 ACM Asia Conference on Computer and Communications Security |
Pages | 899-912 |
Number of pages | 14 |
ISBN (Electronic) | 9798400700989 |
DOIs | |
Publication status | Published - 10 Jul 2023 |
Event | 18th ACM ASIA Conference on Computer and Communications Security: AsiaCCS 2023 - Melbourne, Australia Duration: 10 Jul 2023 → 14 Jul 2023 https://asiaccs2023.org |
Publication series
Name | Proceedings of the ACM Conference on Computer and Communications Security |
---|---|
ISSN (Print) | 1543-7221 |
Conference
Conference | 18th ACM ASIA Conference on Computer and Communications Security |
---|---|
Abbreviated title | AsiaCCS '23 |
Country/Territory | Australia |
City | Melbourne |
Period | 10/07/23 → 14/07/23 |
Internet address |
Keywords
- Android
- Mobile
- Mobile Security
- Mitigation
- Instrumentation
- Crypto API Misuse
- Security
ASJC Scopus subject areas
- Software
- Computer Networks and Communications
Fields of Expertise
- Information, Communication & Computing
Treatment code (Nähere Zuordnung)
- Experimental
Fingerprint
Dive into the research topics of 'CryptoShield - Automatic On-Device Mitigation for Crypto API Misuse in Android Applications'. Together they form a unique fingerprint.Activities
- 1 Talk at conference or symposium
-
CryptoShield - Automatic On-Device Mitigation for Crypto API Misuse in Android Applications
Draschbacher, F. (Speaker)
14 Jul 2023Activity: Talk or presentation › Talk at conference or symposium › Science to science