Crypto bugs found in 306 Android apps
- A team of researchers at Columbia University has found over 300 popular Android apps with crypto bugs.
- Crypto bugs are coding flaws that occur when developers don't follow basic cryptography rules, leaving the user and their device vulnerable to exploitation attempts.
- The research team analysed 1,780 Android apps from 33 different categories in the Google Play Store but did not share the list of vulnerable apps, since the developers have not yet fixed the security flaws.
Crypto bugs can put mobile app users and their devices at risk. Cryptography rules are basic guidelines that should be followed while coding. Yet over 300 Android apps were found misusing cryptographic code by a new tool called ‘CRYLOGGER’, developed by a team of researchers at Columbia University.
Their analysis of 1,780 Android apps across 33 different Google Play Store categories showed that 306 popular apps were flouting at least one of 26 basic cryptography rules.
“Unfortunately, only 18 developers answered our first email of request and only eight of them followed back with us multiple times providing useful feedback on our findings,” the report said, explaining that the researchers had reached out to the developers of every app with more than nine rule violations.
The apps surveyed have at least hundreds of thousands of downloads, with some crossing the 100 million threshold.
What are crypto bugs?
Crypto bugs or flaws occur when mobile app developers don’t follow the basic rules of coding. This includes things like using weak passwords, using broken encryption and not using the HTTPS protocol.
Even though these are rules that every mobile developer should be familiar with, those who haven’t studied app security or advanced cryptography may not be aware of them.
Top 3 rules broken by mobile apps:

| Rule | Number of apps in violation |
|---|---|
| Don't use an unsafe pseudorandom number generator (PRNG) | 1,775 apps |
| Don't use broken hash functions (SHA1, MD2, MD5, etc.) | 1,764 apps |
| Don't use the operation mode CBC (client/server scenarios) | 1,076 apps |
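The three rules in the table, written out against Android's standard Java crypto API as an added example (not code from the researchers or from any surveyed app): each weak call sits beside the form that satisfies the rule. The class and method names are my own.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Random;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.IvParameterSpec;
public class CryptoRulesDemo {
    // Rule 1, weak: java.util.Random is a statistical PRNG; its output is predictable from its seed.
    static byte[] weakNonce() {
        byte[] nonce = new byte[12];
        new Random().nextBytes(nonce);
        return nonce;
    }
    // Rule 1, fixed: SecureRandom draws from the platform's cryptographic RNG.
    static byte[] strongNonce() {
        byte[] nonce = new byte[12];
        new SecureRandom().nextBytes(nonce);
        return nonce;
    }
    // Rule 2, weak vs fixed: MD5 is a broken hash; SHA-256 is the accepted baseline.
    static byte[] weakDigest(byte[] data) throws Exception {
        return MessageDigest.getInstance("MD5").digest(data);
    }
    static byte[] strongDigest(byte[] data) throws Exception {
        return MessageDigest.getInstance("SHA-256").digest(data);
    }
    // Rule 3, weak: AES-CBC gives confidentiality only; altered ciphertext is not detected on decryption.
    static byte[] weakEncrypt(SecretKey key, byte[] iv, byte[] plaintext) throws Exception {
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(iv)); // iv must be 16 bytes
        return c.doFinal(plaintext);
    }
    // Rule 3, fixed: AES-GCM authenticates the ciphertext; never reuse a nonce under the same key.
    static byte[] strongEncrypt(SecretKey key, byte[] nonce, byte[] plaintext) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, nonce)); // 128-bit tag
        return c.doFinal(plaintext);
    }
    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey key = kg.generateKey();
        byte[] msg = "constructed sample message".getBytes("UTF-8"); // constructed input
        byte[] ct = strongEncrypt(key, strongNonce(), msg);
        // GCM output is plaintext length plus the 16-byte tag; SHA-256 yields 32 bytes
        System.out.println("AES-GCM bytes: " + ct.length + ", SHA-256 bytes: " + strongDigest(msg).length);
    }
}
```

The `weak*` methods are the patterns CRYLOGGER flags; a static scan or a runtime logger that records the algorithm string passed to `getInstance` and the class used to fill IVs and nonces is enough to spot all three.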
The researchers did not share the names of the apps that feature these vulnerabilities since developers did not respond to the team’s alerts or fix their libraries. They explained that publishing the names could leave the apps open to possible exploitation attempts.