Cryptographic Vulnerabilities in Android Applications

fireeye.pngFireEye has some new research that has found that of the free apps with over a million downloads, 88% use some cryptographic functionality provided by the Android platform and 62% of these have cryptographic vulnerabilities. What this means is that while the authors and the end users of these apps might think data is secure, it’s easier to decrypt the data that they would expect.

There seems to be trend at the moment for researchers to spot vulnerabilities, on all platforms, but not really explain how developers can prevent or fix such problems. Many of the cryptographic concepts are beyond all but the most experienced (or highly curious) developers. While developers of highly secure apps might have the time to look deeply into encryption, the average casual developer needs examples or libraries on which they can base their work.

As it happens, a library java-aes-crypto became available this week that’s a simple Android class for encrypting and decrypting strings, aiming to avoid the classic mistakes. There are also more libraries mentioned in my article on Encrypting Your Sensitive Data. I also have tips on Taking Care with Encryption. You might also like to read Tozny’s post on Making Better Mistakes