Investigating the security of android security applications

Research output: Contribution to conferencePaper

Abstract

Encryption is commonly used to provide confidentiality of sensitive or personal information when held on smartphones. While many Android devices feature inbuilt full-disk encryption as a precaution against theft of a device, this is not available on all devices, and doesn't provide security against a device which is turned on and in use. For this reason, a wide variety of applications are available within the Google Play Store, offering to encrypt user data. Modern, strong encryption offers strong assurances of confidentiality when used correctly, although the fundamental cryptographic primitives are complex, with many opportunities for mistakes to be made.
The security of a number of implementations of Android-based encryption applications is investigated. Highly popular applications, including those by Google-endorsed "Top Developers", are considered. A number of major weaknesses in the implementation of encryption within these applications is presented. This highlights the importance of both well-audited open-source cryptographic implementations, as well as the underlying cryptographic algorithms themselves, given the vulnerabilities identified in these applications. In many cases, there was no encryption in use by the application, and file headers were undergoing trivial static obfuscation, such that files would appear corrupted. In other cases, encryption algorithms were used, but with significant implementational errors. In these cases, plaintext recovery was still possible, due to the use of static keys for every installation of the app, and the re-use of cipher initialisation vectors.

Conference

Conference9th CMI Conference on Smart Living, Cyber Security and Privacy
CountryDenmark
CityCopenhagen
Period24/11/1625/11/16
Internet address

Fingerprint

Cryptography
Smartphones
Application programs
Recovery

Keywords

  • encryption
  • android
  • mobile devices
  • data security
  • theft
  • cipher initialisation vectors
  • software developers

Cite this

Paul, G., & Irvine, J. (2016). Investigating the security of android security applications. Paper presented at 9th CMI Conference on Smart Living, Cyber Security and Privacy, Copenhagen, Denmark.
Paul, Greig ; Irvine, James. / Investigating the security of android security applications. Paper presented at 9th CMI Conference on Smart Living, Cyber Security and Privacy, Copenhagen, Denmark.9 p.
@conference{72bbde42d8f242f3af5140ffab14a40a,
title = "Investigating the security of android security applications",
abstract = "Encryption is commonly used to provide confidentiality of sensitive or personal information when held on smartphones. While many Android devices feature inbuilt full-disk encryption as a precaution against theft of a device, this is not available on all devices, and doesn't provide security against a device which is turned on and in use. For this reason, a wide variety of applications are available within the Google Play Store, offering to encrypt user data. Modern, strong encryption offers strong assurances of confidentiality when used correctly, although the fundamental cryptographic primitives are complex, with many opportunities for mistakes to be made.The security of a number of implementations of Android-based encryption applications is investigated. Highly popular applications, including those by Google-endorsed {"}Top Developers{"}, are considered. A number of major weaknesses in the implementation of encryption within these applications is presented. This highlights the importance of both well-audited open-source cryptographic implementations, as well as the underlying cryptographic algorithms themselves, given the vulnerabilities identified in these applications. In many cases, there was no encryption in use by the application, and file headers were undergoing trivial static obfuscation, such that files would appear corrupted. In other cases, encryption algorithms were used, but with significant implementational errors. In these cases, plaintext recovery was still possible, due to the use of static keys for every installation of the app, and the re-use of cipher initialisation vectors.",
keywords = "encryption, android , mobile devices, data security, theft, cipher initialisation vectors, software developers",
author = "Greig Paul and James Irvine",
year = "2016",
month = "11",
day = "25",
language = "English",
note = "9th CMI Conference on Smart Living, Cyber Security and Privacy ; Conference date: 24-11-2016 Through 25-11-2016",
url = "http://www.conf.cmi.aau.dk/9th+CMI+Conference+2016/",

}

Paul, G & Irvine, J 2016, 'Investigating the security of android security applications' Paper presented at 9th CMI Conference on Smart Living, Cyber Security and Privacy, Copenhagen, Denmark, 24/11/16 - 25/11/16, .

Investigating the security of android security applications. / Paul, Greig; Irvine, James.

2016. Paper presented at 9th CMI Conference on Smart Living, Cyber Security and Privacy, Copenhagen, Denmark.

Research output: Contribution to conferencePaper

TY - CONF

T1 - Investigating the security of android security applications

AU - Paul,Greig

AU - Irvine,James

PY - 2016/11/25

Y1 - 2016/11/25

N2 - Encryption is commonly used to provide confidentiality of sensitive or personal information when held on smartphones. While many Android devices feature inbuilt full-disk encryption as a precaution against theft of a device, this is not available on all devices, and doesn't provide security against a device which is turned on and in use. For this reason, a wide variety of applications are available within the Google Play Store, offering to encrypt user data. Modern, strong encryption offers strong assurances of confidentiality when used correctly, although the fundamental cryptographic primitives are complex, with many opportunities for mistakes to be made.The security of a number of implementations of Android-based encryption applications is investigated. Highly popular applications, including those by Google-endorsed "Top Developers", are considered. A number of major weaknesses in the implementation of encryption within these applications is presented. This highlights the importance of both well-audited open-source cryptographic implementations, as well as the underlying cryptographic algorithms themselves, given the vulnerabilities identified in these applications. In many cases, there was no encryption in use by the application, and file headers were undergoing trivial static obfuscation, such that files would appear corrupted. In other cases, encryption algorithms were used, but with significant implementational errors. In these cases, plaintext recovery was still possible, due to the use of static keys for every installation of the app, and the re-use of cipher initialisation vectors.

AB - Encryption is commonly used to provide confidentiality of sensitive or personal information when held on smartphones. While many Android devices feature inbuilt full-disk encryption as a precaution against theft of a device, this is not available on all devices, and doesn't provide security against a device which is turned on and in use. For this reason, a wide variety of applications are available within the Google Play Store, offering to encrypt user data. Modern, strong encryption offers strong assurances of confidentiality when used correctly, although the fundamental cryptographic primitives are complex, with many opportunities for mistakes to be made.The security of a number of implementations of Android-based encryption applications is investigated. Highly popular applications, including those by Google-endorsed "Top Developers", are considered. A number of major weaknesses in the implementation of encryption within these applications is presented. This highlights the importance of both well-audited open-source cryptographic implementations, as well as the underlying cryptographic algorithms themselves, given the vulnerabilities identified in these applications. In many cases, there was no encryption in use by the application, and file headers were undergoing trivial static obfuscation, such that files would appear corrupted. In other cases, encryption algorithms were used, but with significant implementational errors. In these cases, plaintext recovery was still possible, due to the use of static keys for every installation of the app, and the re-use of cipher initialisation vectors.

KW - encryption

KW - android

KW - mobile devices

KW - data security

KW - theft

KW - cipher initialisation vectors

KW - software developers

UR - http://www.conf.cmi.aau.dk/9th+CMI+Conference+2016/

M3 - Paper

ER -

Paul G, Irvine J. Investigating the security of android security applications. 2016. Paper presented at 9th CMI Conference on Smart Living, Cyber Security and Privacy, Copenhagen, Denmark.