Automatic Detection and Mitigation of Crypto API Misuse in Android Applications
Almost a decade after its first scientific discussion, crypto API misuse remains one of the most common security flaws in Android applications. Because cryptographic primitives are frequently instantiated with invalid parameters, or TLS connections are established with flawed settings, malicious parties can often gain access to sensitive user data through unsophisticated attacks. Since the efforts of the platform provider Google have not led to any substantial improvement of the situation, we suggest a novel approach for mitigating the risks of this long-standing issue for end users. Our solution consists of a background daemon that automatically augments every application installed on an unmodified Android system with a patch that monitors and corrects its calls to cryptographic APIs. We demonstrate the efficacy of this approach by means of two case studies of popular Android applications from Google Play.
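To make the "monitoring and correcting" idea concrete, the following is an added example and not code from the paper or its daemon: a hypothetical `CipherPolicy` hook that a patch could route an application's `Cipher.getInstance` calls through. It classifies the JCA transformation string as allow, correct or block; the class name, the `Decision` type and the rule table are all assumptions for illustration. Note that substituting a transformation changes the ciphertext format, so a deployment would have to flag rather than correct calls that decrypt existing data.

```java
import java.security.GeneralSecurityException;
import java.util.Locale;
import javax.crypto.Cipher;

/** Hypothetical interposition hook for Cipher.getInstance (example, not the paper's code). */
public final class CipherPolicy {
    public enum Action { ALLOW, CORRECT, BLOCK }

    public static final class Decision {
        public final Action action; public final String transformation; public final String reason;
        Decision(Action a, String t, String r) { action = a; transformation = t; reason = r; }
    }

    /** Inspect a JCA transformation ("ALG/MODE/PADDING") and decide how the call is handled. */
    public static Decision check(String transformation) {
        String[] p = transformation.toUpperCase(Locale.ROOT).split("/");
        String alg = p[0], mode = p.length > 1 ? p[1] : "", pad = p.length > 2 ? p[2] : "";
        switch (alg) {
            case "DES": case "DESEDE": case "RC4": case "ARCFOUR": case "BLOWFISH":
                return new Decision(Action.BLOCK, transformation, "legacy cipher " + alg);
            case "AES":
                // A bare "AES" resolves to ECB on the usual providers; ECB leaks plaintext structure.
                if (mode.isEmpty() || mode.equals("ECB"))
                    return new Decision(Action.CORRECT, "AES/GCM/NoPadding", "ECB mode (explicit or default)");
                if (mode.equals("CBC"))
                    return new Decision(Action.ALLOW, transformation, "CBC: IV must be random per message");
                return new Decision(Action.ALLOW, transformation, "ok");
            case "RSA":
                // PKCS#1 v1.5 encryption padding is the default and is the classic padding-oracle target.
                if (pad.isEmpty() || pad.equals("PKCS1PADDING"))
                    return new Decision(Action.CORRECT, "RSA/ECB/OAEPWithSHA-256AndMGF1Padding", "PKCS#1 v1.5 padding");
                return new Decision(Action.ALLOW, transformation, "ok");
            default:
                return new Decision(Action.ALLOW, transformation, "no rule for " + alg);
        }
    }

    /** Drop-in replacement the patch would substitute for Cipher.getInstance(String). */
    public static Cipher getInstance(String transformation) throws GeneralSecurityException {
        Decision d = check(transformation);
        if (d.action == Action.BLOCK) throw new GeneralSecurityException("blocked: " + d.reason);
        // In a monitor-only deployment the decision would be logged here instead of enforced.
        return Cipher.getInstance(d.transformation);
    }
}
```

Calling `CipherPolicy.check("AES")` yields `CORRECT` with `AES/GCM/NoPadding`, while `check("DES/CBC/PKCS5Padding")` yields `BLOCK`; a TLS-side hook would apply the same pattern to `TrustManager` and `HostnameVerifier` construction.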