The default behaviors of cryptographic libraries used on Android often do not follow recommended practices. For example, the predominant Android Java security provider API defaults to an insecure mode for AES encryption: the ECB block cipher mode (see DRD17-J). Extensive app testing by [Egele 2013] has shown that the following 6 rules are often not followed, with the result that 88% of apps with cryptographic APIs on Google Play make at least one mistake.
Six common cryptography rules they tested:
SecureRandom(·).
This noncompliant code example shows an application that ..., and hence not secure.
In this compliant solution ...
If an insecure encryption method is used, then the encryption does not assure privacy, integrity, and authentication of the data.
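The ECB default described at the top of this page, as an added example (not part of the original rule text or of the Egele study): a constructed two-block plaintext is encrypted once with the bare `"AES"` transformation and once with an explicitly named mode. The class and method names are hypothetical, and AES/GCM with a random 12-byte nonce is this example's choice of explicit mode, not one the page prescribes.

```java
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

// Added illustration; class and method names are hypothetical.
public class AesDefaultModeDemo {
    // Weak: "AES" alone leaves mode and padding to the provider default.
    static byte[] encryptProviderDefault(SecretKey key, byte[] pt) throws Exception {
        Cipher c = Cipher.getInstance("AES");
        c.init(Cipher.ENCRYPT_MODE, key);
        return c.doFinal(pt);
    }

    // Explicit mode: AES/GCM, fresh random 12-byte nonce per message, 128-bit tag.
    // Returns nonce || ciphertext || tag so the receiver can rebuild the spec.
    static byte[] encryptGcm(SecretKey key, byte[] pt) throws Exception {
        byte[] nonce = new byte[12];
        new SecureRandom().nextBytes(nonce);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, nonce));
        byte[] ct = c.doFinal(pt);
        byte[] out = Arrays.copyOf(nonce, nonce.length + ct.length);
        System.arraycopy(ct, 0, out, nonce.length, ct.length);
        return out;
    }

    // True when the 16-byte blocks starting at off and off + 16 are identical.
    static boolean repeatedBlock(byte[] buf, int off) {
        return Arrays.equals(Arrays.copyOfRange(buf, off, off + 16),
                             Arrays.copyOfRange(buf, off + 16, off + 32));
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey key = kg.generateKey();
        byte[] pt = new byte[32];          // constructed sample: two identical blocks
        Arrays.fill(pt, (byte) 'A');

        byte[] weak = encryptProviderDefault(key, pt);
        byte[] gcm1 = encryptGcm(key, pt);
        byte[] gcm2 = encryptGcm(key, pt);
        // Under an ECB default, equal plaintext blocks give equal ciphertext blocks.
        System.out.println("default: repeated block = " + repeatedBlock(weak, 0));
        System.out.println("GCM:     repeated block = " + repeatedBlock(gcm1, 12));
        System.out.println("GCM:     same output twice = " + Arrays.equals(gcm1, gcm2));
    }
}
```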
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
DRD18-J | High | Likely | Medium | P18 | L1 |
Automatic detection of ...
CERT Android-Only Secure Coding Rules and Guidelines | DRD17-J. Do not use the Android cryptographic security provider encryption default for AES |
Egele 2013 | An Empirical Study of Cryptographic Misuse in Android Applications |
Android Developers | Android Developers: Security with HTTPS and SSL (accessed 6/25/2014) |