Cryptography Bugs Found in 306 Android Apps
In research carried out from September to October 2019, academics at Columbia University created and used a tool called CRYLOGGER to point out cryptography-related bugs in 1,780 Android apps across 33 Play Store categories. The research surfaced about 306 Android apps violating serious cryptography rules, which may let attackers exploit them in some way.

According to the academics, about 1,775 apps use an unsafe PRNG (pseudorandom number generator), about 1,764 apps use broken hash functions such as SHA1, MD2 and MD5, and 1,076 apps use the CBC mode of operation (in client/server scenarios). These are basic cryptography rules that any cryptographer follows, but they are easily overlooked by general app developers, who focus more on app features. The academics warn about them nonetheless, since they could be exploited, and, more importantly, all the apps tested are popular enough to be noticed: some have download counts ranging from hundreds of thousands to millions, the academics say.

When they reached out to the respective app developers to inform them of these bugs, only 18 of the 306 contacted responded. Further, only 8 developers continued the conversation to give feedback on the research, and so far none of the discovered apps has been patched. The researchers also found 6 Java libraries with these bugs, and their reports to those projects received the same fate as the ones sent to app developers. This lack of action led the academics to withhold the list of apps with these bugs, since they could be exploited if exposed without patches.
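The three rule violations the article counts (unsafe PRNG, broken hash function, CBC mode) are exactly the kind of check a runtime crypto-API logger can apply mechanically. The script below is an added example, not CRYLOGGER's code or output: it assumes a hypothetical log format of one crypto API call per line (`<caller-class> <api> [<argument>]`), runs the three rules over a constructed sample log, and returns findings with a remediation hint. The CBC rule only flags the call for review, because the article ties that rule to client/server scenarios, which a log line alone cannot establish.

```python
"""Rule checker run over constructed crypto-API call logs.

Added example, not CRYLOGGER's code. It assumes a hypothetical log format
of one API call per line: "<caller-class> <api> [<argument>]", and flags the
three rule violations the article reports: unsafe PRNG, broken hash
function, and CBC mode of operation.
"""
from dataclasses import dataclass

# Constructed sample log (assumed format). The first three calls each violate
# a rule; the last three are the corrected counterparts and must not be flagged.
SAMPLE_LOG = """\
com.example.app.Login java.util.Random.<init>
com.example.app.Login java.security.MessageDigest.getInstance MD5
com.example.app.Net javax.crypto.Cipher.getInstance AES/CBC/PKCS5Padding
com.example.app.Store java.security.SecureRandom.<init>
com.example.app.Store java.security.MessageDigest.getInstance SHA-256
com.example.app.Store javax.crypto.Cipher.getInstance AES/GCM/NoPadding
"""

# Hash names are compared after uppercasing and dropping '-', so "SHA-1" == "SHA1".
BROKEN_HASHES = {"MD2", "MD5", "SHA1"}
UNSAFE_PRNG_CALLS = {"java.util.Random.<init>", "java.lang.Math.random"}
DIGEST_CALL = "java.security.MessageDigest.getInstance"
CIPHER_CALL = "javax.crypto.Cipher.getInstance"


@dataclass
class Finding:
    rule: str      # short rule id
    caller: str    # app class that made the call
    detail: str    # the offending API or argument
    note: str      # remediation or review hint


def parse_line(line: str):
    """Split one log line into (caller, api, argument); argument may be empty."""
    parts = line.split(maxsplit=2)
    if len(parts) < 2:
        return None
    return parts[0], parts[1], (parts[2] if len(parts) == 3 else "")


def check_call(caller: str, api: str, arg: str) -> list:
    """Apply the three rules to a single API call and return any findings."""
    findings = []
    if api in UNSAFE_PRNG_CALLS:
        findings.append(Finding("unsafe-prng", caller, api,
                                "use java.security.SecureRandom"))
    if api == DIGEST_CALL and arg.upper().replace("-", "") in BROKEN_HASHES:
        findings.append(Finding("broken-hash", caller, arg,
                                "use SHA-256 or stronger"))
    if api == CIPHER_CALL:
        # A JCA transformation string looks like "ALG/MODE/PADDING".
        fields = arg.split("/")
        mode = fields[1].upper() if len(fields) > 1 else ""
        if mode == "CBC":
            findings.append(Finding("cbc-mode", caller, arg,
                                    "review: risky in client/server use; "
                                    "prefer an AEAD mode such as GCM"))
    return findings


def check_log(text: str) -> list:
    """Run the rules over every line of a log and collect findings in order."""
    findings = []
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed:
            findings.extend(check_call(*parsed))
    return findings


def summarize(text: str) -> dict:
    """Count findings per rule id, e.g. {'unsafe-prng': 1, ...}."""
    counts = {}
    for f in check_log(text):
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


if __name__ == "__main__":
    for f in check_log(SAMPLE_LOG):
        print(f"[{f.rule}] {f.caller}: {f.detail} -> {f.note}")
    print(summarize(SAMPLE_LOG))
```

Running it on the sample log reports one finding per rule, all from the first three lines, and nothing for the `SecureRandom`, `SHA-256` and `AES/GCM` calls. Matching on the fully qualified API name rather than on substrings keeps `java.util.Random` and `java.security.SecureRandom` apart, which is the kind of distinction a rule checker has to get right to avoid false positives.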