Negative results on mining crypto-API usage rules in Android apps

Jun Gao; Pingfan Kong; Li Li; Tegawende F. Bissyande; Jacques Klein

doi:10.1109/MSR.2019.00065

Negative results on mining crypto-API usage rules in Android apps

Jun Gao, Pingfan Kong, Li Li, Tegawende F. Bissyande, Jacques Klein

Department of Software Systems & Cybersecurity

Research output: Chapter in Book/Report/Conference proceeding › Conference Paper › Research › peer-review

19 Citations (Scopus)

Abstract

Android app developers recurrently use crypto-APIs to provide data security to app users. Unfortunately, misuse of APIs only creates an illusion of security and even exposes apps to systematic attacks. It is thus necessary to provide developers with a statically-enforceable list of specifications of crypto-API usage rules. On the one hand, such rules cannot be manually written as the process does not scale to all available APIs. On the other hand, a classical mining approach based on common usage patterns is not relevant in Android, given that a large share of usages include mistakes. In this work, building on the assumption that 'developers update API usage instances to fix misuses', we propose to mine a large dataset of updates within about 40 000 real-world app lineages to infer API usage rules. Eventually, our investigations yield negative results on our assumption that API usage updates tend to correct misuses. Actually, it appears that updates that fix misuses may be unintentional: the same misuses patterns are quickly re-introduced by subsequent updates.

Original language	English
Title of host publication	Proceedings - 2019 IEEE/ACM 16th International Conference on Mining Software Repositories, MSR 2019
Editors	Bram Adams, Sonia Haiduc
Place of Publication	Piscataway NJ USA
Publisher	IEEE, Institute of Electrical and Electronics Engineers
Pages	388-398
Number of pages	11
ISBN (Electronic)	9781728134123
ISBN (Print)	9781728133706
DOIs	https://doi.org/10.1109/MSR.2019.00065
Publication status	Published - 2019
Event	IEEE International Working Conference on Mining Software Repositories 2019 - Montreal, Canada Duration: 26 May 2019 → 27 May 2019 Conference number: 16th https://conf.researchr.org/home/msr-2019 https://ieeexplore.ieee.org/xpl/conhome/8804710/proceeding (Proceedings)

Conference

Conference	IEEE International Working Conference on Mining Software Repositories 2019
Abbreviated title	MSR 2019
Country/Territory	Canada
City	Montreal
Period	26/05/19 → 27/05/19
Internet address	https://conf.researchr.org/home/msr-2019 https://ieeexplore.ieee.org/xpl/conhome/8804710/proceeding (Proceedings)

Keywords

Android
Cryptography
Rule mining

Access to Document

10.1109/MSR.2019.00065

Cite this

Gao, J., Kong, P., Li, L., Bissyande, T. F., & Klein, J. (2019). Negative results on mining crypto-API usage rules in Android apps. In B. Adams, & S. Haiduc (Eds.), Proceedings - 2019 IEEE/ACM 16th International Conference on Mining Software Repositories, MSR 2019 (pp. 388-398). [8816738] IEEE, Institute of Electrical and Electronics Engineers. https://doi.org/10.1109/MSR.2019.00065

@inproceedings{5d43dee7e721475cb86e8808fdc42f77,

title = "Negative results on mining crypto-API usage rules in Android apps",

abstract = "Android app developers recurrently use crypto-APIs to provide data security to app users. Unfortunately, misuse of APIs only creates an illusion of security and even exposes apps to systematic attacks. It is thus necessary to provide developers with a statically-enforceable list of specifications of crypto-API usage rules. On the one hand, such rules cannot be manually written as the process does not scale to all available APIs. On the other hand, a classical mining approach based on common usage patterns is not relevant in Android, given that a large share of usages include mistakes. In this work, building on the assumption that 'developers update API usage instances to fix misuses', we propose to mine a large dataset of updates within about 40 000 real-world app lineages to infer API usage rules. Eventually, our investigations yield negative results on our assumption that API usage updates tend to correct misuses. Actually, it appears that updates that fix misuses may be unintentional: the same misuses patterns are quickly re-introduced by subsequent updates.",

keywords = "Android, Cryptography, Rule mining",

author = "Jun Gao and Pingfan Kong and Li Li and Bissyande, {Tegawende F.} and Jacques Klein",

year = "2019",

doi = "10.1109/MSR.2019.00065",

language = "English",

isbn = "9781728133706",

pages = "388--398",

editor = "Adams, {Bram } and Sonia Haiduc",

booktitle = "Proceedings - 2019 IEEE/ACM 16th International Conference on Mining Software Repositories, MSR 2019",

publisher = "IEEE, Institute of Electrical and Electronics Engineers",

address = "United States of America",

note = "IEEE International Working Conference on Mining Software Repositories 2019, MSR 2019 ; Conference date: 26-05-2019 Through 27-05-2019",

url = "https://conf.researchr.org/home/msr-2019, https://ieeexplore.ieee.org/xpl/conhome/8804710/proceeding",

}

Gao, J, Kong, P, Li, L, Bissyande, TF & Klein, J 2019, Negative results on mining crypto-API usage rules in Android apps. in B Adams & S Haiduc (eds), Proceedings - 2019 IEEE/ACM 16th International Conference on Mining Software Repositories, MSR 2019., 8816738, IEEE, Institute of Electrical and Electronics Engineers, Piscataway NJ USA, pp. 388-398, IEEE International Working Conference on Mining Software Repositories 2019, Montreal, Quebec, Canada, 26/05/19. https://doi.org/10.1109/MSR.2019.00065

Negative results on mining crypto-API usage rules in Android apps. / Gao, Jun; Kong, Pingfan; Li, Li et al.

Proceedings - 2019 IEEE/ACM 16th International Conference on Mining Software Repositories, MSR 2019. ed. / Bram Adams; Sonia Haiduc. Piscataway NJ USA : IEEE, Institute of Electrical and Electronics Engineers, 2019. p. 388-398 8816738.

Research output: Chapter in Book/Report/Conference proceeding › Conference Paper › Research › peer-review

TY - GEN

T1 - Negative results on mining crypto-API usage rules in Android apps

AU - Gao, Jun

AU - Kong, Pingfan

AU - Li, Li

AU - Bissyande, Tegawende F.

AU - Klein, Jacques

N1 - Conference code: 16th

PY - 2019

Y1 - 2019

N2 - Android app developers recurrently use crypto-APIs to provide data security to app users. Unfortunately, misuse of APIs only creates an illusion of security and even exposes apps to systematic attacks. It is thus necessary to provide developers with a statically-enforceable list of specifications of crypto-API usage rules. On the one hand, such rules cannot be manually written as the process does not scale to all available APIs. On the other hand, a classical mining approach based on common usage patterns is not relevant in Android, given that a large share of usages include mistakes. In this work, building on the assumption that 'developers update API usage instances to fix misuses', we propose to mine a large dataset of updates within about 40 000 real-world app lineages to infer API usage rules. Eventually, our investigations yield negative results on our assumption that API usage updates tend to correct misuses. Actually, it appears that updates that fix misuses may be unintentional: the same misuses patterns are quickly re-introduced by subsequent updates.

AB - Android app developers recurrently use crypto-APIs to provide data security to app users. Unfortunately, misuse of APIs only creates an illusion of security and even exposes apps to systematic attacks. It is thus necessary to provide developers with a statically-enforceable list of specifications of crypto-API usage rules. On the one hand, such rules cannot be manually written as the process does not scale to all available APIs. On the other hand, a classical mining approach based on common usage patterns is not relevant in Android, given that a large share of usages include mistakes. In this work, building on the assumption that 'developers update API usage instances to fix misuses', we propose to mine a large dataset of updates within about 40 000 real-world app lineages to infer API usage rules. Eventually, our investigations yield negative results on our assumption that API usage updates tend to correct misuses. Actually, it appears that updates that fix misuses may be unintentional: the same misuses patterns are quickly re-introduced by subsequent updates.

KW - Android

KW - Cryptography

KW - Rule mining

UR - http://www.scopus.com/inward/record.url?scp=85072307902&partnerID=8YFLogxK

U2 - 10.1109/MSR.2019.00065

DO - 10.1109/MSR.2019.00065

M3 - Conference Paper

AN - SCOPUS:85072307902

SN - 9781728133706

SP - 388

EP - 398

BT - Proceedings - 2019 IEEE/ACM 16th International Conference on Mining Software Repositories, MSR 2019

A2 - Adams, Bram

A2 - Haiduc, Sonia

PB - IEEE, Institute of Electrical and Electronics Engineers

CY - Piscataway NJ USA

T2 - IEEE International Working Conference on Mining Software Repositories 2019

Y2 - 26 May 2019 through 27 May 2019

ER -

Gao J, Kong P, Li L, Bissyande TF, Klein J. Negative results on mining crypto-API usage rules in Android apps. In Adams B, Haiduc S, editors, Proceedings - 2019 IEEE/ACM 16th International Conference on Mining Software Repositories, MSR 2019. Piscataway NJ USA: IEEE, Institute of Electrical and Electronics Engineers. 2019. p. 388-398. 8816738 https://doi.org/10.1109/MSR.2019.00065

Negative results on mining crypto-API usage rules in Android apps

Abstract

Conference

Keywords

Access to Document

Other files and links

Cite this