A recent report has shown that several popular Android applications hosted on the Google Play Store have been running with cryptographic bugs. A team of researchers from Columbia University discovered them using a newly built cryptographic analysis tool. However, only a few developers responded to the researchers’ emails about the findings.
306 popular apps operated with crypto bugs
Using the new tool, dubbed CRYLOGGER, the researchers analyzed 1,780 applications from over 30 categories on the Google Play Store, according to a ZDNet report on September 8. The applications were checked against 26 basic cryptography rules, and 306 of them were found to have crypto bugs because they broke those rules.
Rules #18, #1, and #4 were the most frequently broken, according to the researchers. Rule #18 states that developers shouldn’t use an unsafe PRNG (pseudorandom number generator). Rule #1 warns developers not to use any broken hash function such as MD2, MD5, SHA1 and others, while Rule #4 holds that developers shouldn’t use the CBC mode of operation (in client/server scenarios).
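To make the three rules concrete, the following is an added example (not CRYLOGGER’s code or output, and not taken from the report) that applies Rules #1, #4 and #18 to a constructed trace of cryptographic API calls. The trace format and the API names in it are assumptions made for illustration; only the rule numbers and the algorithms they name come from the article. Because a trace alone does not reveal whether CBC is used in a client/server setting, the example flags every use of CBC and leaves that judgement to the reviewer.

```python
"""Toy checker for three of the rules described in the article (#1, #4, #18).

The trace format below is an assumption made for this example: each line
records which crypto API an app called and with which parameters, so the
rules can be applied offline. It is not CRYLOGGER's format.
"""
import re

# Constructed sample trace (not real app data). Each line: <api> key=value ...
SAMPLE_TRACE = """\
MessageDigest.getInstance algorithm=MD5
Cipher.getInstance transformation=AES/CBC/PKCS5Padding
Random.nextBytes class=java.util.Random
MessageDigest.getInstance algorithm=SHA-256
Cipher.getInstance transformation=AES/GCM/NoPadding
SecureRandom.nextBytes class=java.security.SecureRandom
MessageDigest.getInstance algorithm=SHA-1
""".splitlines()

# Hash functions the article's Rule #1 names as broken (normalised spellings).
BROKEN_HASHES = {"MD2", "MD5", "SHA1", "SHA-1"}
# PRNG classes that are not cryptographically secure (Rule #18); assumed list.
UNSAFE_PRNGS = {"java.util.Random"}

LINE_RE = re.compile(r"^(?P<api>\S+)\s*(?P<params>.*)$")


def parse_line(line):
    """Split 'Api.call k1=v1 k2=v2' into (api, {k1: v1, k2: v2})."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable trace line: {line!r}")
    params = dict(p.split("=", 1) for p in m.group("params").split() if "=" in p)
    return m.group("api"), params


def check_line(line):
    """Return the list of rule numbers a single trace line violates."""
    api, params = parse_line(line)
    violations = []
    # Rule #1: broken hash function.
    if params.get("algorithm", "").upper() in BROKEN_HASHES:
        violations.append(1)
    # Rule #4: CBC mode. Transformations look like ALG/MODE/PADDING.
    parts = params.get("transformation", "").upper().split("/")
    if len(parts) >= 2 and parts[1] == "CBC":
        violations.append(4)
    # Rule #18: unsafe PRNG.
    if params.get("class") in UNSAFE_PRNGS:
        violations.append(18)
    return violations


def check_trace(lines):
    """Map each offending line to the rules it breaks; clean lines are omitted."""
    report = {}
    for line in lines:
        violated = check_line(line)
        if violated:
            report[line] = violated
    return report


def most_broken_rules(report):
    """Count how often each rule is broken, most frequent first."""
    counts = {}
    for rules in report.values():
        for rule in rules:
            counts[rule] = counts.get(rule, 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    findings = check_trace(SAMPLE_TRACE)
    for trace_line, rules in findings.items():
        print(f"rules {rules}: {trace_line}")
    print("most broken:", most_broken_rules(findings))
```

On the constructed trace the checker flags four of the seven calls and ranks Rule #1 first, which mirrors the kind of per-rule ranking the researchers reported; the lines using SHA-256, AES/GCM and SecureRandom pass all three checks.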
The researchers opined that app developers should already have a good knowledge of these rules, as a cryptographer would, before they even move on to developing usable apps.
Only eight developers are in contact
Meanwhile, the researchers said they have contacted the developers behind the apps with crypto bugs. However, the vulnerabilities have not been fixed, which is why the researchers refrained from publishing the identities of those apps, to avoid their being exploited. They added:
“All the apps are popular: they have from hundreds of thousands of downloads to more than 100 million. […] Unfortunately, only 18 developers answered our first email of request and only 8 of them followed back with us multiple times providing useful feedback on our findings.”