sPECTRA: a Precise framEwork for analyzing CrypTographic vulneRabilities in Android apps

Gajrani, J., Tripathi, M., Laxmi, V., Gaur, M. S., Conti, M. & Rajarajan, M. (2017). sPECTRA: a Precise framEwork for analyzing CrypTographic vulneRabilities in Android apps. 2017 14th IEEE Annual Consumer Communications & Networking Conference (CCNC), pp. 854-860. doi: 10.1109/CCNC.2017.7983245

Text - Accepted Version


The majority of Android applications (apps) deal with users' personal data. Users trust these apps and allow them to access all sensitive data. Cryptography, when employed appropriately, can be used to prevent misuse of data. Unfortunately, cryptographic libraries also include vulnerable cryptographic services. Since Android app developers may not be cryptographic experts, apps become the target of various attacks due to cryptographic vulnerabilities. In this work, we present sPECTRA: an automated framework for analyzing a wide range of cryptographic vulnerabilities in Android apps at large scale. sPECTRA is more precise and accurate than state-of-the-art approaches, as it reduces both false negatives and false positives. The inclusion of Intelligent UI exploration during dynamic analysis makes sPECTRA deployable for analyzing apps at large scale. Moreover, sPECTRA works on apk files without needing any source code. We evaluate sPECTRA on 7,000 apps collected from the 7 most popular Android app stores. Results indicate that 90% of apps are exploitable because of cryptographic vulnerabilities. We have made sPECTRA available as open source.

Item Type: Article
Additional Information: © 2017 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other uses, in any current or future media, including reprinting/republishing this material for advertising or promotional purposes, creating new collective works, for resale or redistribution to servers or lists, or reuse of any copyrighted component of this work in other works.
Uncontrolled Keywords: cryptographic; APIs; vulnerabilities; Android; attacks
Divisions: School of Engineering & Mathematical Sciences > Engineering
URI: http://openaccess.city.ac.uk/id/eprint/18627
