Research On Crypto Misuses Of Android Native Code Libraries

Posted on: 2019-12-13
Degree: Master
Type: Thesis
Country: China
Candidate: Q Wang
GTID: 2428330590992405
Subject: Computer technology
Abstract/Summary:
The use of native code (ARM binary code) libraries in Android apps greatly improves the execution performance of frequently used algorithms. Nonetheless, it increases the complexity of app assessment, since binary code analysis is often sophisticated and time-consuming. As a result, many defects still exist in native code libraries and potentially threaten the security of users. To assess native code libraries, current research mainly focuses on the correctness of API invocation and rarely dives into the details of the code. Hence, flaws may hide in the internal implementation when API analysis does not discover them effectively. The assessment of native code requires a more detailed code comprehension process to pinpoint flaws. In response, we design and implement NativeSpeaker, an Android native code analysis system for assessing native code libraries. NativeSpeaker provides not only the capability of recognizing certain patterns related to security flaws, but also the functionality of discovering and comparing native code libraries across a large-scale collection of apps from non-official Android markets. With the help of NativeSpeaker, we analyzed 20,353 dynamic libraries (.so) collected from 20,000 apps in non-official Android markets. In particular, our assessment focuses on searching for insecure code patterns related to crypto misuse in those libraries. The analysis results show that even among the most frequently used (top 1%) native code libraries, one third contain at least one misuse. Furthermore, our observations indicate that crypto misuse is often related to insecure data communication: about 25% of the most frequently used native code libraries suffer from this flaw. Our research shows that cryptographic misuse exists widely in Android native code. More seriously, because these crypto misuse vulnerabilities cannot be found through API call analysis, they may remain hidden in popular third-party libraries for long periods of time and have a wide impact on the security of applications that use these third-party libraries. Therefore, the NativeSpeaker system that we propose can provide a more detailed code understanding for the security assessment of Android native code, and help analysts and developers eliminate such security risks.
Keywords/Search Tags:Android, Native Code, Crypto Misuse