
Cryptobugs Found in Numerous Google Play Store Apps
2020-09-08 14:36

Using a new tool they developed to dynamically analyze cryptographic code, researchers have discovered more than 300 apps on the Google Play Store that break basic cryptography rules.

The research sheds new light on how easy it is for popular mobile apps (the ones analyzed had from hundreds of thousands to more than hundreds of millions of downloads) to break basic security rules, researchers noted in their work.

While the rules the team used to analyze the apps are common to developers specializing in cryptography, those building mobile apps aren't necessarily specialists in this area and thus can make very basic mistakes.

To perform their analysis, researchers ran CRYLOGGER on the 1,780 apps while stimulating them with 30,000 random events, calling it "a good compromise between running time and number of vulnerabilities found in a subset of these apps." Their tests took about 10 days to run on an emulator running Android 9.0.0r36. Three of the common cryptography rules most broken by offending Android apps were rules No. 18, 1 and 4, respectively, on the researchers' list.

They are: don't use an unsafe PRNG (pseudorandom number generator); don't use broken hash functions; and don't use the CBC operation mode. Researchers contacted the developers of all 306 Android apps and libraries to disclose the vulnerabilities; however, only 18 developers responded to the first email and only eight responded with "useful feedback" on their findings, they said.
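The three rules above, expressed as a check over a trace of Java crypto API calls. This is an added example, not code from the article or from CRYLOGGER; the trace format, the `check_call` and `check_log` names, and the list of broken hashes (MD2, MD5, SHA-1) are assumptions made here.

```python
import re

# Rule numbers follow the article (18: unsafe PRNG, 1: broken hash, 4: CBC).
# The sets below and the trace format are assumptions made for this example.
BROKEN_HASHES = {"MD2", "MD5", "SHA1"}        # compared after normalization
UNSAFE_PRNG_CLASSES = {"java.util.Random"}    # java.security.SecureRandom is fine

# Constructed sample trace: "<class>.<method> <argument>", one call per line.
SAMPLE_LOG = """\
java.security.MessageDigest.getInstance MD5
java.security.MessageDigest.getInstance SHA-256
javax.crypto.Cipher.getInstance AES/CBC/PKCS5Padding
javax.crypto.Cipher.getInstance aes/gcm/NoPadding
java.util.Random.<init> -
java.security.SecureRandom.<init> -
java.security.MessageDigest.getInstance sha-1
"""

def normalize(name):
    """Upper-case and drop '-' and '_' so 'sha-1' and 'SHA1' compare equal."""
    return re.sub(r"[-_]", "", name).upper()

def check_call(line):
    """Return the rule number one logged call violates, or None."""
    api, _, arg = line.strip().partition(" ")
    cls, _, method = api.rpartition(".")
    if cls in UNSAFE_PRNG_CLASSES:
        return 18
    if cls == "java.security.MessageDigest" and method == "getInstance":
        return 1 if normalize(arg) in BROKEN_HASHES else None
    if cls == "javax.crypto.Cipher" and method == "getInstance":
        # Transformation strings look like "algorithm/mode/padding".
        parts = arg.upper().split("/")
        return 4 if len(parts) >= 2 and parts[1] == "CBC" else None
    return None

def check_log(text):
    """Return (line number, rule number, call) for every violating call."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        rule = check_call(line) if line.strip() else None
        if rule is not None:
            findings.append((n, rule, line.strip()))
    return findings

if __name__ == "__main__":
    for n, rule, call in check_log(SAMPLE_LOG):
        print(f"line {n}: rule {rule} violated by {call}")
```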


News URL

https://threatpost.com/cryptobugs-found-in-numerous-google-play-store-apps/159013/
