Our paper "CRYLOGGER: Detecting Crypto Misuses Dynamically" has been accepted for publication in the proceedings of the IEEE Symposium on Security and Privacy.
The paper describes CRYLOGGER, the first open-source tool that detects cryptographic (crypto) misuses in Android and Java applications. A crypto misuse is an invocation of a crypto API that does not respect common security guidelines, such as those suggested by cryptographers or organizations like NIST and IETF. To detect misuses, CRYLOGGER logs the parameters that are passed to the crypto APIs during execution and checks their legitimacy offline against a list of crypto rules. Unlike other approaches, it takes a dynamic approach, which does not require analyzing the code of the applications. We analyzed 1780 popular Android apps downloaded from the Google Play Store and showed that CRYLOGGER can detect crypto misuses in thousands of apps dynamically and automatically.
To find out more about CRYLOGGER, read our paper or check out the code on GitHub.
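
The log-then-check flow described above, sketched as an added example that is not code from the CRYLOGGER project or the paper. The log format, the rule names and the iteration threshold are assumptions made for illustration, and the log records are constructed.

```python
import json
from collections import Counter

# Constructed runtime log: one JSON record per crypto API call (format is assumed).
# Cipher.init records are assumed to be encryption-mode initialisations.
SAMPLE_LOG = """\
{"api": "MessageDigest.getInstance", "alg": "MD5"}
{"api": "MessageDigest.getInstance", "alg": "SHA-256"}
{"api": "Cipher.getInstance", "alg": "AES/ECB/PKCS5Padding"}
{"api": "Cipher.getInstance", "alg": "AES"}
{"api": "Cipher.init", "alg": "AES/CBC/PKCS5Padding", "iv": "00000000000000000000000000000000"}
{"api": "Cipher.init", "alg": "AES/CBC/PKCS5Padding", "iv": "00000000000000000000000000000000"}
{"api": "Cipher.init", "alg": "AES/GCM/NoPadding", "iv": "a1b2c3d4e5f60718293a4b5c"}
{"api": "PBEKeySpec", "iterations": 100}
"""

BROKEN_HASHES = {"MD5", "SHA1", "SHA-1"}
MIN_PBE_ITERATIONS = 1000  # illustrative threshold, not taken from the paper


def check_log(log_text):
    """Return (record_number, rule_name) findings for a logged parameter trace."""
    records = [json.loads(line) for line in log_text.splitlines() if line.strip()]
    # Cross-record rule: an IV seen in more than one init was reused at runtime.
    iv_counts = Counter(r["iv"] for r in records
                        if r["api"] == "Cipher.init" and "iv" in r)
    findings = []
    for n, r in enumerate(records, 1):
        api = r["api"]
        if api == "MessageDigest.getInstance" and r["alg"].upper() in BROKEN_HASHES:
            findings.append((n, "broken-hash"))
        elif api == "Cipher.getInstance":
            parts = r["alg"].upper().split("/")
            # A bare "AES" transformation uses the provider default,
            # which is ECB on common Java and Android providers.
            if parts[0] == "AES" and (len(parts) == 1 or parts[1] == "ECB"):
                findings.append((n, "ecb-mode"))
        elif api == "Cipher.init" and iv_counts[r.get("iv")] > 1:
            findings.append((n, "reused-iv"))
        elif api == "PBEKeySpec" and r["iterations"] < MIN_PBE_ITERATIONS:
            findings.append((n, "low-pbe-iterations"))
    return findings


if __name__ == "__main__":
    for record_number, rule in check_log(SAMPLE_LOG):
        print(f"record {record_number}: {rule}")
```

The reused-IV rule is the kind of check that depends on values observed at runtime across several calls, which is what logging parameters during execution makes available to the offline pass.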