Hundreds of Android Apps May Contain One of These Nasty Crypto Errors

Many popular Android apps have been found to misuse cryptographic code, which can put users and their devices at risk. Columbia University researchers have discovered a number of major flaws across many categories of apps that they believe show developers are using cryptographic code in insecure ways. The team found bugs in hundreds of Android apps, with some culprits breaking several of the rules for using this code correctly, showing that much of the mobile development industry still lacks an understanding of basic guidelines.

Android flaws

To conduct their research, the Columbia team developed a custom tool called CRYLOGGER that scans Android apps for violations of 26 basic rules of cryptography, covering guidelines on weak passwords, broken encryption, and the use of HTTPS. CRYLOGGER was run against the most popular Android apps in 33 different categories on the Google Play Store in September and October 2019. Of the 1,780 apps tested, 306 broke at least one rule, with some breaking multiple guidelines. The most commonly broken rules were "don't use a dangerous PRNG (pseudo-random number generator)" (broken by 1,775 apps), "don't use broken hash functions (SHA1, MD2, MD5, etc.)" (1,764 apps) and "don't use the CBC mode of operation (in client/server scenarios)" (1,076 apps).

The researchers noted that such rules would be well known to specialist cryptographers, but that many regular application developers may lack the specific knowledge or skills to use these tools properly, and this deficiency could put users at risk.

The team contacted the developers of the 306 Android apps deemed vulnerable, some of which had millions of downloads. "Unfortunately, only 18 developers responded to our first request email and only 8 of them repeatedly responded to us providing useful feedback on our results," they noted, adding that they had also contacted the developers of six popular Android libraries but had only received a response from two of them.

Via ZDNet
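The three most commonly broken rules in the article (dangerous PRNG, broken hash function, CBC mode) shown in Java as an added example, with each misuse beside a corrected form; this is illustrative code, not code from the CRYLOGGER paper or from any of the apps tested. The class name and the sample message are constructed for the example.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Random;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.IvParameterSpec;

public class CryptoRulesDemo { // constructed example class
    // Breaks "don't use a dangerous PRNG": java.util.Random is predictable,
    // and "don't use CBC mode": CBC gives no integrity check, so a modified
    // ciphertext is silently decrypted into garbage or attacker-chosen data.
    static byte[] encryptBroken(SecretKey key, byte[] plaintext) throws Exception {
        byte[] iv = new byte[16];
        new Random().nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(iv));
        return c.doFinal(plaintext);
    }

    // Corrected form: SecureRandom for a fresh 12-byte nonce, AES-GCM as an
    // authenticated mode (128-bit tag), nonce prepended so the receiver can
    // reuse it; a tampered message then fails decryption with an exception.
    static byte[] encryptFixed(SecretKey key, byte[] plaintext) throws Exception {
        byte[] nonce = new byte[12];
        new SecureRandom().nextBytes(nonce);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, nonce));
        byte[] ct = c.doFinal(plaintext);
        byte[] out = new byte[nonce.length + ct.length];
        System.arraycopy(nonce, 0, out, 0, nonce.length);
        System.arraycopy(ct, 0, out, nonce.length, ct.length);
        return out;
    }

    // Breaks "don't use broken hash functions"; SHA-256 is the corrected form.
    static byte[] digestBroken(byte[] data) throws Exception {
        return MessageDigest.getInstance("MD5").digest(data);
    }
    static byte[] digestFixed(byte[] data) throws Exception {
        return MessageDigest.getInstance("SHA-256").digest(data);
    }

    public static void main(String[] args) throws Exception {
        SecretKey key = KeyGenerator.getInstance("AES").generateKey();
        byte[] msg = "constructed sample message".getBytes("UTF-8"); // constructed input
        System.out.println("GCM output length: " + encryptFixed(key, msg).length);
        System.out.println("SHA-256 digest length: " + digestFixed(msg).length);
    }
}
```

The GCM output is 12 nonce bytes plus the ciphertext plus a 16-byte tag, which is the integrity check that the CBC version lacks.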