An Empirical Study of Cryptographic Misuse in Android Applications
Developers use cryptographic APIs in Android with the intent of securing data such as passwords and personal information on mobile devices. In this paper, the authors ask whether developers use the cryptographic APIs in a fashion that provides typical cryptographic notions of security, e.g., IND-CPA security. They develop program analysis techniques to automatically check programs on the Google Play marketplace, and find that 10,327 out of 11,748 applications that use cryptographic APIs - 88% overall - make at least one mistake. These numbers show that applications do not use cryptographic APIs in a fashion that maximizes overall security.