Risk Evaluation Of Cryptographic API Misuse In Android Applications Based On Data Flow Analysis

Posted on: 2021-10-04
Degree: Master
Type: Thesis
Country: China
Candidate: X P Xu
Full Text: PDF
GTID: 2518306050468264
Subject: Master of Engineering

Abstract/Summary:
In Android applications, cryptographic APIs are mainly used to process important data related to user privacy, so using these APIs correctly is vital for application developers. However, because developers often lack cryptographic knowledge and misunderstand how specific APIs are meant to be used, cryptographic APIs in Android applications are frequently misused, which exposes user privacy data to serious risk. Existing cryptographic API misuse detection schemes for Android applications usually classify misuse behaviors according to predefined misuse rules, using static analysis. On the one hand, the misuse rules differ considerably between tools, so existing detection is biased to some degree. On the other hand, existing schemes focus only on detecting misuse behaviors, without considering the sensitive data flows that pass through the misused API, and therefore cannot quantify the actual risk caused by a cryptographic API misuse.

In view of this, based on a study of the differences and connections among the misuse rules defined by existing schemes, we build a complete set of cryptographic API misuse rules, construct a chain of cryptographic API misuse detection tools, and achieve comprehensive detection of cryptographic API misuse behaviors. On this basis, this paper considers both the misuse behavior and the risk level of the related data flows. With the help of data flow analysis and clustering, we propose a risk evaluation scheme for cryptographic API misuse in Android applications. For a given Android application, the scheme identifies the risk level of each cryptographic API misuse on the basis of comprehensive misuse detection and data flow analysis.

This paper makes the following contributions:

(1) Based on a study of the misuse rules defined in existing schemes, this paper constructs a complete set of misuse rules for cryptographic APIs in Android applications. The set contains 21 misuse rules and covers the rules that can be detected by several existing schemes.

(2) Based on data flow analysis and clustering, this paper proposes a risk evaluation scheme for cryptographic API misuse in Android applications. The scheme uses data flow analysis to obtain the sensitive data flows affected by cryptographic API misuse and considers the risk of the misuse together with the risk of the data flow. With the help of clustering, we implement the risk evaluation of cryptographic API misuse in Android applications.

(3) Based on the proposed scheme, we propose CryptoEvaluator, a cryptographic API misuse risk evaluation tool for Android applications, and use it to analyze a data set of 10,191 Android applications. The results show the comprehensiveness of CryptoEvaluator in cryptographic API misuse detection, along with findings on misuse detection, data flow analysis and risk evaluation. In addition, we evaluate the performance of CryptoEvaluator and show its scalability by implementing specific extensions.

(4) An association analysis algorithm is used to discover potential connections between misuse rules and data flows, and we summarize and discuss the reasons for the corresponding relationships.
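The detect-then-evaluate pipeline sketched above, as an added illustration that is not CryptoEvaluator's code and not taken from the thesis. It checks constructed Java snippets against a small, assumed set of textbook misuse rules (ECB mode, static IV, hard-coded key, broken hash, weak PRNG; the thesis's 21-rule set is not given here), then scores each finding by combining the rule's severity with the sensitivity of the tainted source feeding the API and the exposure of the sink its output reaches. The taint facts, the weights and the level thresholds are all assumptions; a real tool derives the flows from APK bytecode with a taint-tracking framework and, as the abstract says, the levels from clustering.

```python
"""Toy cryptographic-API misuse detector with data-flow-aware risk scoring.

Added example, not part of the thesis or of CryptoEvaluator. Rules, weights,
thresholds and the "data flows" attached to each snippet are constructed so
the example runs offline.
"""
import re
from dataclasses import dataclass

# Assumed rules: (rule id, severity 1-3, regex over Java source text).
RULES = [
    ("ECB_MODE",      3, re.compile(r'Cipher\.getInstance\("[^"]*/ECB/')),
    ("STATIC_IV",     2, re.compile(r'new IvParameterSpec\(\s*new byte\[\d+\]')),
    ("HARDCODED_KEY", 3, re.compile(r'new SecretKeySpec\("[^"]+"\.getBytes\(')),
    ("BROKEN_HASH",   2, re.compile(r'MessageDigest\.getInstance\("(MD5|SHA-?1)"')),
    ("WEAK_PRNG",     1, re.compile(r'\bnew (java\.util\.)?Random\(')),
]
SEVERITY = {rid: sev for rid, sev, _ in RULES}

# Assumed weights: how sensitive the tainted input is, how exposed the sink is.
SOURCE_WEIGHT = {"password": 3, "location": 2, "device_id": 2, "none": 0}
SINK_WEIGHT = {"network": 3, "log": 2, "shared_prefs": 1, "none": 0}


@dataclass
class Finding:
    rule: str
    severity: int
    source: str   # taint source reaching the misused API
    sink: str     # where the API's output ends up
    score: int


def detect_misuses(java_src):
    """Return the ids of the assumed rules matched by one Java snippet."""
    return [rid for rid, _, rx in RULES if rx.search(java_src)]


def risk_score(severity, source, sink):
    """Misuse severity scaled by the data-flow context; a misuse on data that
    comes from nowhere sensitive and goes nowhere exposed keeps its base score."""
    return severity * (1 + SOURCE_WEIGHT[source] + SINK_WEIGHT[sink])


def risk_level(score):
    # Assumed fixed thresholds standing in for cluster-derived levels.
    if score >= 15:
        return "high"
    if score >= 6:
        return "medium"
    return "low" if score > 0 else "none"


def evaluate(snippets):
    """snippets: list of (java_src, taint_source, taint_sink) tuples."""
    findings = []
    for src, source, sink in snippets:
        for rid in detect_misuses(src):
            score = risk_score(SEVERITY[rid], source, sink)
            findings.append(Finding(rid, SEVERITY[rid], source, sink, score))
    return findings


def summarize(findings):
    """Count findings per risk level."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[risk_level(f.score)] += 1
    return counts


# Constructed input: Java lines with the taint facts a flow analysis would add.
SAMPLE = [
    ('Cipher c = Cipher.getInstance("AES/ECB/PKCS5Padding");', "password", "network"),
    ('IvParameterSpec iv = new IvParameterSpec(new byte[16]);', "location", "log"),
    ('SecretKey k = new SecretKeySpec("s3cr3tk3y1234567".getBytes(), "AES");', "device_id", "shared_prefs"),
    ('MessageDigest md = MessageDigest.getInstance("MD5");', "password", "log"),
    ('Random r = new Random(); byte[] salt = new byte[16]; r.nextBytes(salt);', "none", "none"),
    ('Cipher c = Cipher.getInstance("AES/GCM/NoPadding");', "password", "network"),  # correct use
]

if __name__ == "__main__":
    for f in evaluate(SAMPLE):
        print(f"{f.rule:14s} {f.source:>9s} -> {f.sink:<12s} score={f.score:2d} {risk_level(f.score)}")
    print(summarize(evaluate(SAMPLE)))
```

The last sample line shows why the data-flow context matters on its own terms: AES-GCM over a password sent to the network raises no finding, while the same flow through ECB scores at the top of the scale. Regex matching over source text is only a stand-in; on real APKs the rule checks run over decompiled or intermediate code and the flows come from taint analysis.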
Keywords/Search Tags:Android, Cryptographic API Misuse, Risk Evaluation, Data Flow, Clustering