City Research Online

Abstract

The majority of Android applications (apps) deals with user's personal data. Users trust these apps and allow them to access all sensitive data. Cryptography, when employed in an appropriate way, can be used to prevent misuse of data. Unfortunately, cryptographic libraries also include vulnerable cryptographic services. Since Android app developers may not be cryptographic experts, this makes apps become the target of various attacks due to cryptographic vulnerabilities. In this work, we present sPECTRA: an automated framework for analyzing wide range of cryptographic vulnerabilities in Android apps at large scale. sPECTRA is more precise and accurate in comparison to state-of-the-art approaches as it reduces both false negatives and false positives. The inclusion of Intelligent UI exploration during dynamic analysis makes sPECTRA deployable to analyze apps at large scale. Moreover, sPECTRA works on apk files without the need of any source code. We evaluate sPECTRA on 7,000 apps collected from 7 most popular Android app stores. Results indicate that 90% of apps are exploitable because of cryptographic vulnerabilities. We made sPECTRA available as an open source.

Publication Type:	Article
Additional Information:	© 2017 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other uses, in any current or future media, including reprinting/republishing this material for advertising or promotional purposes, creating new collective works, for resale or redistribution to servers or lists, or reuse of any copyrighted component of this work in other works.
Publisher Keywords:	cryptographic; APIs; vulnerabilities; Android; attacks
Departments:	School of Science & Technology > Engineering
SWORD Depositor:	Symplectic Administrator

Export

Downloads