Cryptobugs Found in Numerous Google Play Store Apps (Security News, September 2020)
Researchers have discovered more than 300 apps on the Google Play Store that violate basic cryptography rules, using a new tool they developed to analyze the apps dynamically.
The research sheds new light on how easily popular mobile apps (the ones analyzed ranged from hundreds of thousands of downloads to well over a hundred million) break basic security rules, the researchers noted in their work.
While the rules the team used to analyze the apps are familiar to developers who specialize in cryptography, those building mobile apps aren't necessarily specialists in this area and can therefore make very basic mistakes.
To perform their analysis, the researchers ran CRYLOGGER on the 1,780 apps while stimulating each with 30,000 random events, calling this "a good compromise between running time and number of vulnerabilities found in a subset of these apps." Their tests took about 10 days to run on an emulator running Android 9.0.0r36. The three cryptography rules most often broken by the offending Android apps were rules No. 18, 1 and 4, respectively, on the researchers' list.
They are: don't use an unsafe PRNG (pseudorandom number generator); don't use a broken hash function; and don't use the CBC operation mode. The researchers contacted the developers of all 306 Android apps and libraries to disclose the vulnerabilities; however, only 18 developers responded to the first email and only eight responded with "Useful feedback" on their findings, they said.
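The three rules named above (unsafe PRNG, broken hash function, CBC mode) are the kind of mistake a non-specialist makes with the standard Java Cryptography Architecture calls available on Android. The class below is an added illustration written for this page, not code from the CRYLOGGER paper or from any of the apps it examined: each violating call sits next to a corrected form, and `main` shows two observable consequences, a fixed-seed `java.util.Random` producing the same IV (and so the same CBC ciphertext) on every run, and AES-GCM rejecting a ciphertext whose tag has been altered. The mapping of rule numbers to checks follows the page's wording; the key sizes, the `nonce || ciphertext+tag` layout and the sample message are my own choices.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Random;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.IvParameterSpec;

// Added example: weak JCA usage beside a hardened form for each of the three rules.
public class CryptoRulesDemo {

    // Rule 1 violation: MD5 is a broken hash function (collisions are practical).
    static byte[] weakDigest(byte[] data) throws NoSuchAlgorithmException {
        return MessageDigest.getInstance("MD5").digest(data);
    }

    // Corrected: SHA-256 (SHA-2 family) is the usual replacement.
    static byte[] strongDigest(byte[] data) throws NoSuchAlgorithmException {
        return MessageDigest.getInstance("SHA-256").digest(data);
    }

    // Rule 18 violation: java.util.Random is not a CSPRNG, and a constant seed
    // makes the "random" IV identical on every call.
    static byte[] weakIv() {
        byte[] iv = new byte[16];
        new Random(42L).nextBytes(iv);
        return iv;
    }

    // Corrected: SecureRandom draws from the platform's cryptographic RNG.
    static byte[] strongNonce(int length) {
        byte[] nonce = new byte[length];
        new SecureRandom().nextBytes(nonce);
        return nonce;
    }

    // Rule 4 violation: AES-CBC provides no integrity; modified ciphertext decrypts
    // without error, which is the root of padding-oracle style problems.
    static byte[] weakEncrypt(SecretKey key, byte[] iv, byte[] plaintext) throws Exception {
        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
        cipher.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(iv));
        return cipher.doFinal(plaintext);
    }

    // Corrected: AES-GCM (authenticated encryption) with a fresh 12-byte nonce per
    // message. Output layout (my convention): nonce || ciphertext+tag.
    static byte[] strongEncrypt(SecretKey key, byte[] plaintext) throws Exception {
        byte[] nonce = strongNonce(12);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, nonce));
        byte[] ct = cipher.doFinal(plaintext);
        byte[] out = new byte[nonce.length + ct.length];
        System.arraycopy(nonce, 0, out, 0, nonce.length);
        System.arraycopy(ct, 0, out, nonce.length, ct.length);
        return out;
    }

    static byte[] strongDecrypt(SecretKey key, byte[] blob) throws Exception {
        byte[] nonce = Arrays.copyOfRange(blob, 0, 12);
        byte[] ct = Arrays.copyOfRange(blob, 12, blob.length);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, nonce));
        return cipher.doFinal(ct); // throws AEADBadTagException if anything was altered
    }

    public static void main(String[] args) throws Exception {
        byte[] msg = "constructed sample message".getBytes(StandardCharsets.UTF_8); // constructed input
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey key = kg.generateKey();

        System.out.println("MD5 length: " + weakDigest(msg).length
                + " bytes, SHA-256 length: " + strongDigest(msg).length + " bytes");

        // Fixed-seed PRNG: the IV repeats, so equal plaintexts give equal CBC ciphertexts.
        byte[] c1 = weakEncrypt(key, weakIv(), msg);
        byte[] c2 = weakEncrypt(key, weakIv(), msg);
        System.out.println("CBC with repeated IV, identical ciphertext: " + Arrays.equals(c1, c2));

        // GCM with a fresh nonce differs each time, round-trips, and detects tampering.
        byte[] g1 = strongEncrypt(key, msg);
        byte[] g2 = strongEncrypt(key, msg);
        System.out.println("GCM ciphertexts identical: " + Arrays.equals(g1, g2));
        System.out.println("GCM round trip: " + new String(strongDecrypt(key, g1), StandardCharsets.UTF_8));
        g1[g1.length - 1] ^= 0x01; // flip one bit of the authentication tag
        try {
            strongDecrypt(key, g1);
            System.out.println("unexpected: tampered GCM ciphertext accepted");
        } catch (AEADBadTagException e) {
            System.out.println("Tampering detected by GCM tag check");
        }
    }
}
```

Running it prints `true` for the CBC comparison and `false` for the GCM one, followed by the tag-check message. A static or dynamic checker of the kind the article describes would flag the `"MD5"` string, the `java.util.Random` instance (especially with a constant seed) and the `"AES/CBC/PKCS5Padding"` transformation; the corrected calls use only standard JCA algorithm names available on Android 9 and later.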
News URL: https://threatpost.com/cryptobugs-found-in-numerous-google-play-store-apps/159013/
Related news
- Week in review: Exploited 7-Zip 0-day flaw, crypto-stealing malware found on App Store, Google Play
- SpyLend Android malware downloaded 100,000 times from Google Play
- New North Korean Android spyware slips onto Google Play
- Malicious Android 'Vapor' apps on Google Play installed 60 million times