Negative results on mining crypto-API usage rules in Android apps

Jun Gao, Pingfan Kong, Li Li, Tegawende F. Bissyande, Jacques Klein

Research output: Chapter in Book/Report/Conference proceeding › Conference Paper › Research › peer-review

1 Citation (Scopus)

Abstract

Android app developers recurrently use crypto-APIs to provide data security to app users. Unfortunately, misuse of APIs only creates an illusion of security and even exposes apps to systematic attacks. It is thus necessary to provide developers with a statically-enforceable list of specifications of crypto-API usage rules. On the one hand, such rules cannot be manually written as the process does not scale to all available APIs. On the other hand, a classical mining approach based on common usage patterns is not relevant in Android, given that a large share of usages include mistakes. In this work, building on the assumption that 'developers update API usage instances to fix misuses', we propose to mine a large dataset of updates within about 40 000 real-world app lineages to infer API usage rules. Eventually, our investigations yield negative results on our assumption that API usage updates tend to correct misuses. Actually, it appears that updates that fix misuses may be unintentional: the same misuse patterns are quickly re-introduced by subsequent updates.

Original language: English
Title of host publication: Proceedings - 2019 IEEE/ACM 16th International Conference on Mining Software Repositories, MSR 2019
Editors: Bram Adams, Sonia Haiduc
Place of publication: Piscataway NJ USA
Publisher: IEEE, Institute of Electrical and Electronics Engineers
Pages: 388-398
Number of pages: 11
ISBN (Electronic): 9781728134123
ISBN (Print): 9781728133706
DOIs: https://doi.org/10.1109/MSR.2019.00065
Publication status: Published - 2019
Event: IEEE International Working Conference on Mining Software Repositories 2019 - Montreal, Canada
Duration: 26 May 2019 - 27 May 2019
Conference number: 16th
https://conf.researchr.org/home/msr-2019

Conference

Conference: IEEE International Working Conference on Mining Software Repositories 2019
Abbreviated title: MSR 2019
Country: Canada
City: Montreal
Period: 26/05/19 - 27/05/19
Internet address: https://conf.researchr.org/home/msr-2019

Keywords

  • Android
  • Cryptography
  • Rule mining

Cite this

Gao, J., Kong, P., Li, L., Bissyande, T. F., & Klein, J. (2019). Negative results on mining crypto-API usage rules in Android apps. In B. Adams, & S. Haiduc (Eds.), Proceedings - 2019 IEEE/ACM 16th International Conference on Mining Software Repositories, MSR 2019 (pp. 388-398). [8816738] Piscataway NJ USA: IEEE, Institute of Electrical and Electronics Engineers. https://doi.org/10.1109/MSR.2019.00065