Security researchers used a custom tool called to test 1,780 Android applications, representing the most popular Android applications across 33 different Google Play Store categories. Called CRYLOGGER, this tool was developed by a team of academics from Columbia University, and it was developed to dynamically analyze apps and see if developers are using crypto code in unsafe ways. The team of researchers analyzed those 1,780 Android applications in September and October of last year and discovered crypto bugs in 306 applications by using CRYLOGGER.
The CRYLOGGER tool checked those applications for 26 basic crypto rules and found that some of those 306 Android apps broke one rule, while many apps broke multiple cryptography rules. The top three cryptography rules which were most broken include Rule#18 (Do not use unsafe pseudorandom number generator), Rule#1 (Do not use broken hash functions), and Rule#4 (Do not use the CBC operation mode).
After testing these 1,780 Android applications, the team of academics contacted the developers of those 306 Android apps in which crypto bugs were found. Unfortunately, only 18 out of those 306 developers responded to the team of researchers. The team of researchers said that all of those Android applications are popular. It is worth noting that researchers said that these apps have downloads ranging from hundreds of thousands to over 100 million. They added that while only 18 app developers answered their first email of request, only 8 of those developers followed back with the team of researchers multiple times giving useful feedback on the findings of the research team.
Furthermore, it is important to note that while some bugs were found in the code of an Android app, researchers also discovered that some crypto bugs were being introduced as part of Java libraries used a part of Android applications. The research team did not publish the names of vulnerable Android apps and libraries since none of the app developers have fixed their applications and libraries. They said that attackers might exploit these vulnerabilities if the names of vulnerable apps and libraries are published.
The team of researchers also believe that the CRYLOGGER tool could also be reliably used by developers as a complementary utility to the CryptoGuard tool which analyzes source code before it is executed. On the other hand, CRYLOGGER analyzes source code while the code is being executed.
Read next: Google Takes Down 6 More Apps From The Play Store Containing Joker Malware
The CRYLOGGER tool checked those applications for 26 basic crypto rules and found that some of those 306 Android apps broke one rule, while many apps broke multiple cryptography rules. The top three cryptography rules which were most broken include Rule#18 (Do not use unsafe pseudorandom number generator), Rule#1 (Do not use broken hash functions), and Rule#4 (Do not use the CBC operation mode).
After testing these 1,780 Android applications, the team of academics contacted the developers of those 306 Android apps in which crypto bugs were found. Unfortunately, only 18 out of those 306 developers responded to the team of researchers. The team of researchers said that all of those Android applications are popular. It is worth noting that researchers said that these apps have downloads ranging from hundreds of thousands to over 100 million. They added that while only 18 app developers answered their first email of request, only 8 of those developers followed back with the team of researchers multiple times giving useful feedback on the findings of the research team.
Furthermore, it is important to note that while some bugs were found in the code of an Android app, researchers also discovered that some crypto bugs were being introduced as part of Java libraries used a part of Android applications. The research team did not publish the names of vulnerable Android apps and libraries since none of the app developers have fixed their applications and libraries. They said that attackers might exploit these vulnerabilities if the names of vulnerable apps and libraries are published.
The team of researchers also believe that the CRYLOGGER tool could also be reliably used by developers as a complementary utility to the CryptoGuard tool which analyzes source code before it is executed. On the other hand, CRYLOGGER analyzes source code while the code is being executed.
Read next: Google Takes Down 6 More Apps From The Play Store Containing Joker Malware