Is your Android app secure? This tool tells you

A tool developed by researchers at Columbia University can analyze how securely the apps in Google Play, Google's store for Android devices, use cryptography.

The tool, called Crylogger, determines whether an app uses encryption and related cryptographic operations correctly, since that is the layer of protection that keeps user data private.

Android apps use encryption algorithms to protect user data, such as credit card numbers, passwords, social security numbers, and so on. If used correctly, the data remains unintelligible to third parties.

According to the researchers, Crylogger detects violations of the rules that must be followed for cryptography to be secure.

It checks against a list of such rules drawn from the recommendations of expert cryptographers and of organizations such as the U.S. National Institute of Standards and Technology (NIST) and the Internet Engineering Task Force (IETF), which publish standards for protecting sensitive data.

Chilling findings

According to its authors, Crylogger is the first tool that detects cryptographic malpractice by running the application and observing the cryptographic calls it makes (dynamic analysis), rather than by inspecting its code without executing it (static analysis).
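The following is an added example, not code from the original article or from the Crylogger project, of what the approach just described looks like in practice: the app is run, every cryptographic API call is written to a log together with its parameters, and the log is checked afterwards against a rule list like the NIST/IETF-derived one mentioned above. The log format, the rule identifiers R1 to R7, the sample log lines and the thresholds are all this example's own assumptions; the thresholds follow NIST SP 800-132 (at least 1,000 iterations and a 128-bit salt for password-based key derivation).

```python
"""
Offline checker for a runtime crypto-API log (added example).

Approach: run the app, log each crypto call with its parameters, then check
the whole log against a rule list.  Log format and rule set are assumptions
made for this example, not Crylogger's own.
"""
from collections import Counter

# Constructed sample log, one line per crypto API call observed at runtime.
# Assumed format: "<api> key=value key=value ...", byte arrays in hex.
SAMPLE_LOG = """\
Cipher.getInstance transformation=AES/ECB/PKCS5Padding
Cipher.getInstance transformation=DES/CBC/PKCS5Padding
IvParameterSpec iv=00000000000000000000000000000000
IvParameterSpec iv=00000000000000000000000000000000
MessageDigest.getInstance algorithm=MD5
PBEKeySpec iterations=100 salt=73616c74
SecureRandom.setSeed seed=12345
Cipher.getInstance transformation=AES/GCM/NoPadding
IvParameterSpec iv=9f1b2c3d4e5f60718293a4b5
IvParameterSpec iv=0a0b0c0d0e0f101112131415
MessageDigest.getInstance algorithm=SHA-256
PBEKeySpec iterations=100000 salt=ab12cd34ef56ab12cd34ef56ab12cd34
"""

BROKEN_HASHES = {"MD2", "MD5", "SHA-1", "SHA1"}
BROKEN_CIPHERS = {"DES", "DESEDE", "RC2", "RC4", "ARCFOUR", "BLOWFISH"}
MIN_PBE_ITERATIONS = 1000   # NIST SP 800-132 minimum iteration count
MIN_SALT_BYTES = 16         # NIST SP 800-132: salt of at least 128 bits


def parse_log(text):
    """Turn the log text into a list of (api, {param: value}) records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        api, *params = line.split()
        records.append((api, dict(p.split("=", 1) for p in params)))
    return records


def check_log(text):
    """Return a list of (rule_id, message) for every rule violation found."""
    violations = []
    iv_uses = Counter()
    for api, p in parse_log(text):
        if api == "MessageDigest.getInstance":
            if p["algorithm"].upper() in BROKEN_HASHES:
                violations.append(("R1", f"broken hash {p['algorithm']}"))
        elif api == "Cipher.getInstance":
            parts = p["transformation"].upper().split("/")
            if parts[0] in BROKEN_CIPHERS:
                violations.append(("R2", f"broken cipher {parts[0]}"))
            if len(parts) > 1 and parts[1] == "ECB":
                violations.append(("R3", f"ECB mode in {p['transformation']}"))
        elif api == "IvParameterSpec":
            iv_uses[p["iv"]] += 1          # judged after the whole run is seen
        elif api == "PBEKeySpec":
            if int(p["iterations"]) < MIN_PBE_ITERATIONS:
                violations.append(("R4", f"only {p['iterations']} PBE iterations"))
            salt_len = len(bytes.fromhex(p["salt"]))
            if salt_len < MIN_SALT_BYTES:
                violations.append(("R5", f"PBE salt is only {salt_len} bytes"))
        elif api == "SecureRandom.setSeed":
            # An app-chosen seed is a warning to investigate, as the article
            # says of every violation: it may make the generator predictable.
            violations.append(("R6", f"SecureRandom seeded by the app with {p['seed']}"))
    # IV rules need the whole execution: a value reused across calls, or an
    # all-zero one, is exactly what a runtime log reveals and a single call
    # site does not.
    for iv, n in iv_uses.items():
        if n > 1 or set(iv) == {"0"}:
            violations.append(("R7", f"IV {iv} used {n} time(s): constant or reused"))
    return violations


if __name__ == "__main__":
    for rule, msg in check_log(SAMPLE_LOG):
        print(f"{rule}: {msg}")
```

On the constructed log above the checker reports seven violations (one per rule), while the AES/GCM calls with fresh IVs, SHA-256 and the 100,000-iteration PBE with a 16-byte salt pass. As the article notes, each report is a warning to investigate, not proof of an exploitable bug: an all-zero IV is harmless for a key that is never reused, and the checker cannot know that from the log alone.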

The researchers ran 1,780 popular Android apps and found that almost all of them contained code, or used libraries, that did not meet these security standards.

Many used broken algorithms; others followed insecure practices when protecting user data.

A violation does not necessarily mean that an attack is possible; each one should be treated as a warning that needs to be investigated.

Some may be false alarms, because it is very hard to tell a genuine misuse from a harmless one in every situation.

The researchers contacted more than 300 developers for confirmation, but only 10 provided useful feedback.

“Many developers do not consider attacks such as privilege escalation and side-channel attacks to be possible on phones, so they store data locally without sufficient safeguards,” said security expert Simha Sethumadhavan, one of the researchers behind the study.

The team manually analyzed the code of 28 Android apps, and found that some of the violations reported by Crylogger could potentially be exploited.

“Choosing the right algorithm and configuring its parameters is critical to keeping users’ data secure, but it requires an understanding of cryptography,” said the study’s lead author, Luca Piccolboni.
