Crylogger Finds Alarming Crypto Vulnerabilities in Android Apps

Researchers at Columbia University have released Crylogger, an open source analysis tool for identifying cryptographic vulnerabilities in Android apps.

According to the recent paper, titled “Crylogger: Detecting Crypto Misuses Dynamically,” the researchers analyzed “1780 popular Android apps downloaded from the Google Play Store to show that Crylogger can detect crypto misuses on thousands of apps dynamically and automatically.”

The paper details the most critical vulnerabilities and reports the number of vulnerable Android apps for each of 26 cryptography rules. As noted by the researchers, the results are “alarming” and include the following:

  • 99% of apps use broken hash algorithms.
  • 99% use an unsafe random generator.
  • 31% of apps reuse the same (key, IV) pairs.
  • 97% use 1024 bits as key size (2048 is the suggested value).
  • 27% use “changeit” as the password.
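The five findings above map onto checks that can be run over a log of crypto API calls recorded while an app executes, which is the dynamic approach the paper's title refers to. The following Python is an added example written for this summary, not Crylogger's own code: the log format (one dictionary per observed API call, with the app package, the Java API name and its security-relevant parameters) and the rule names are assumptions, and the log entries are constructed to show one app that trips every rule beside one that trips none. The per-rule rate it computes is the kind of per-rule statistic the paper reports.

```python
"""Rule checks over a runtime log of Android crypto API calls (added example).

Assumes a simplified log format: each entry records one call, keyed by the
Java API name, with the parameters a runtime hook would have captured.
"""
from collections import defaultdict

# Hash algorithms the paper's findings treat as broken (MD5 and SHA-1 family).
BROKEN_HASHES = {"MD2", "MD5", "SHA-1", "SHA1"}
# RSA key size below which a KeyPairGenerator.initialize call is flagged;
# 2048 is the value the summary gives as the suggested minimum.
MIN_RSA_BITS = 2048
# Default/placeholder passwords that should never reach KeyStore.load.
DEFAULT_PASSWORDS = {"changeit"}

# Constructed sample log: app "a" violates every rule, app "b" violates none.
SAMPLE_LOG = [
    {"app": "com.example.a", "api": "MessageDigest.getInstance", "algorithm": "MD5"},
    {"app": "com.example.a", "api": "Random.<init>"},
    {"app": "com.example.a", "api": "Cipher.init", "key": "00" * 16, "iv": "11" * 16},
    {"app": "com.example.a", "api": "Cipher.init", "key": "00" * 16, "iv": "11" * 16},
    {"app": "com.example.a", "api": "KeyPairGenerator.initialize", "keysize": 1024},
    {"app": "com.example.a", "api": "KeyStore.load", "password": "changeit"},
    {"app": "com.example.b", "api": "MessageDigest.getInstance", "algorithm": "SHA-256"},
    {"app": "com.example.b", "api": "SecureRandom.<init>"},
    {"app": "com.example.b", "api": "Cipher.init", "key": "00" * 16, "iv": "22" * 16},
    {"app": "com.example.b", "api": "Cipher.init", "key": "00" * 16, "iv": "33" * 16},
    {"app": "com.example.b", "api": "KeyPairGenerator.initialize", "keysize": 2048},
]


def check_app(entries):
    """Return the set of rule names (assumed labels) violated by one app's entries."""
    violations = set()
    seen_pairs = set()  # (key, IV) pairs already used by this app
    for e in entries:
        api = e["api"]
        if api == "MessageDigest.getInstance":
            if e["algorithm"].upper() in BROKEN_HASHES:
                violations.add("broken-hash")
        elif api == "Random.<init>":
            # java.util.Random is not a cryptographic generator; SecureRandom is.
            violations.add("unsafe-random")
        elif api == "Cipher.init":
            pair = (e["key"], e["iv"])
            if pair in seen_pairs:
                violations.add("key-iv-reuse")
            seen_pairs.add(pair)
        elif api == "KeyPairGenerator.initialize":
            if e["keysize"] < MIN_RSA_BITS:
                violations.add("short-key")
        elif api == "KeyStore.load":
            if e.get("password") in DEFAULT_PASSWORDS:
                violations.add("default-password")
    return violations


def check_log(log):
    """Group entries by app and return {app: set of violated rules}."""
    by_app = defaultdict(list)
    for e in log:
        by_app[e["app"]].append(e)
    return {app: check_app(entries) for app, entries in by_app.items()}


def violation_rates(results):
    """Fraction of analysed apps violating each rule."""
    counts = defaultdict(int)
    for rules in results.values():
        for rule in rules:
            counts[rule] += 1
    total = len(results) or 1
    return {rule: n / total for rule, n in counts.items()}


if __name__ == "__main__":
    res = check_log(SAMPLE_LOG)
    for app, rules in sorted(res.items()):
        print(app, sorted(rules))
    for rule, rate in sorted(violation_rates(res).items()):
        print(f"{rule}: {rate:.0%} of apps")
```

The (key, IV) check is the one that genuinely needs runtime data: whether a pair repeats depends on the values an app actually passes to `Cipher.init`, which a static scan of the bytecode cannot observe.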

Learn more about Crylogger on GitHub.