A group of Columbia University academics has invented a tool named CRYLOGGER, which dynamically analyses apps to check whether they are using any cryptographic function improperly. Testing it on 1,700+ popular apps from the Play Store, they found 306 apps with bugs that can be exploited in one way or another. Unfortunately, even after the bugs were reported to all those developers, none has released a patch.
306 Android Apps With Crypto-Related Bugs Found
Academics from Columbia University ran their new tool, CRYLOGGER, on 1,780 Android apps from over 33 categories in the Play Store. In research spanning September 2019 to October 2019, they found that about 306 of the apps tested have cryptography-related bugs.
They defined about 26 basic cryptography rules, and each of the 306 apps violated at least one of the 26. More specifically, about 1,764 apps use broken hash functions such as MD2, MD5 and SHA1. Further, 1,775 apps use an unsafe pseudorandom number generator, and about 1,076 apps use the CBC mode of operation.
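The three rule classes named above can be checked offline against a log of crypto API calls, counting the apps with at least one violation per rule. This is an added example, not CRYLOGGER's code or the researchers' rule set; the log format, the rule labels and the `com.example.*` app names are assumptions constructed for illustration.

```python
from collections import defaultdict

BROKEN_HASHES = {"MD2", "MD5", "SHA1"}  # the hash functions the article names

# Constructed sample log (assumed format), one call per line: app|Java API|argument
SAMPLE_LOG = """\
com.example.notes|java.security.MessageDigest.getInstance|MD5
com.example.notes|javax.crypto.Cipher.getInstance|AES/GCM/NoPadding
com.example.chat|java.security.MessageDigest.getInstance|sha-1
com.example.chat|javax.crypto.Cipher.getInstance|AES/CBC/PKCS5Padding
com.example.chat|java.util.Random.<init>|
com.example.bank|java.security.MessageDigest.getInstance|SHA-256
com.example.bank|java.security.SecureRandom.<init>|
"""

def violated_rule(api, arg):
    """Return the rule label a single logged call violates, or None."""
    if api.endswith("MessageDigest.getInstance"):
        # Algorithm names are case-insensitive; "SHA-1" and "SHA1" both occur
        if arg.upper().replace("-", "") in BROKEN_HASHES:
            return "broken-hash"
    elif api.endswith("Cipher.getInstance"):
        # Transformation strings have the form algorithm/mode/padding
        parts = arg.upper().split("/")
        if len(parts) >= 2 and parts[1] == "CBC":
            return "cbc-mode"
    elif api.startswith("java.util.Random"):
        # java.util.Random is not a cryptographic generator
        return "unsafe-prng"
    return None

def apps_per_rule(log_text):
    """Map each rule label to the set of apps with at least one violating call."""
    result = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        app, api, arg = line.split("|", 2)
        rule = violated_rule(api, arg)
        if rule:
            result[rule].add(app)
    return dict(result)

if __name__ == "__main__":
    for rule, apps in sorted(apps_per_rule(SAMPLE_LOG).items()):
        print(f"{rule}: {len(apps)} app(s): {', '.join(sorted(apps))}")
```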
The academics said these are basic cryptography rules that developers should follow when designing an app, but they were ignored here. Some of the apps flagged are immensely popular, with millions of downloads. After finding the bugs, the researchers say they contacted the respective developers, but received replies from only 18 of them. Moreover, only 8 developers followed up with more e-mails and gave them feedback on the disclosure.
The academics also pointed out that, while some bugs are in the apps' own source code, others are in the Java libraries the apps include for various features. After contacting 6 of those Java library developers, the academics received a response from only two of them. Since no one has released a patch even after the reports, the academics have not disclosed the list of affected apps.