Hundreds of Android apps may come with one of these nasty crypto bugs


Many popular Android apps have been found to be misusing cryptographic code, potentially putting users and their devices at risk.

Researchers from Columbia University uncovered a number of major flaws across multiple app categories that they say show many developers are using cryptographic code in an unsafe way.

The team found bugs or flaws in hundreds of Android apps, with some culprits breaking multiple rules in how to use such code properly, showing that understanding of even basic guidelines is still lacking in large parts of the mobile development industry.

Android flaws

To carry out their research, the Columbia team developed a custom tool named CRYLOGGER that analyzes Android apps against 26 basic cryptography rules, including guidelines against weak passwords, broken encryption algorithms, and unencrypted (non-HTTPS) connections.

Overall, CRYLOGGER was tested on the most popular Android apps across 33 different categories on the Google Play Store during September and October 2019.

Of the 1,780 apps tested, 306 were found to break at least one rule, with some breaking multiple guidelines. The most commonly broken rules were "Don't use an unsafe PRNG (pseudorandom number generator)" (broken by 1,775 apps), "Don't use broken hash functions (SHA1, MD2, MD5, etc.)" (1,764 apps) and "Don't use the operation mode CBC (client/server scenarios)" (1,076 apps).
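The three rules above map directly onto a handful of Java Cryptography Architecture calls that Android developers write every day. The following Java class is an added illustration for this article, not code from the Columbia team or from CRYLOGGER: each pair of methods shows the pattern the tool flags beside the compliant replacement (java.util.Random versus SecureRandom, MD5 versus SHA-256, and unauthenticated AES-CBC versus AES-GCM). It assumes only the standard JCA providers shipped with a JDK or Android runtime; the sample message is constructed for the demo.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Random;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.IvParameterSpec;

public class CryptoRulesDemo {

    // Rule: don't use an unsafe PRNG.
    // java.util.Random has a 48-bit internal state that can be recovered from a
    // few of its outputs, so IVs, salts or tokens drawn from it are predictable.
    static byte[] weakIv() {
        byte[] iv = new byte[16];
        new Random().nextBytes(iv);          // VIOLATION: predictable generator
        return iv;
    }

    static byte[] strongIv(int len) {
        byte[] iv = new byte[len];
        new SecureRandom().nextBytes(iv);    // OK: cryptographically secure PRNG
        return iv;
    }

    // Rule: don't use broken hash functions.
    static byte[] weakDigest(byte[] data) throws NoSuchAlgorithmException {
        return MessageDigest.getInstance("MD5").digest(data);      // VIOLATION: collisions are practical
    }

    static byte[] strongDigest(byte[] data) throws NoSuchAlgorithmException {
        return MessageDigest.getInstance("SHA-256").digest(data);  // OK
    }

    // Rule: don't use CBC mode in client/server scenarios.
    // CBC gives confidentiality only; nothing detects a modified ciphertext,
    // and padding errors returned to a remote peer leak information.
    static byte[] weakEncrypt(SecretKey key, byte[] plaintext) throws Exception {
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");     // VIOLATION: unauthenticated mode
        c.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(strongIv(16)));
        return c.doFinal(plaintext);
    }

    // GCM authenticates the ciphertext with a 128-bit tag. The fresh 12-byte IV is
    // prepended to the output so the receiver can recover it.
    static byte[] strongEncrypt(SecretKey key, byte[] plaintext) throws Exception {
        byte[] iv = strongIv(12);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, iv));
        byte[] ct = c.doFinal(plaintext);
        byte[] out = new byte[iv.length + ct.length];
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return out;
    }

    static byte[] strongDecrypt(SecretKey key, byte[] ivAndCt) throws Exception {
        byte[] iv = new byte[12];
        System.arraycopy(ivAndCt, 0, iv, 0, iv.length);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, iv));
        // Throws AEADBadTagException if any byte of IV, ciphertext or tag was altered.
        return c.doFinal(ivAndCt, iv.length, ivAndCt.length - iv.length);
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey key = kg.generateKey();
        byte[] msg = "session token".getBytes(StandardCharsets.UTF_8); // constructed sample

        byte[] sealed = strongEncrypt(key, msg);
        System.out.println(new String(strongDecrypt(key, sealed), StandardCharsets.UTF_8));

        // Flip one ciphertext byte: GCM rejects the message outright, whereas
        // the CBC variant above has no way to notice the change.
        sealed[sealed.length - 1] ^= 0x01;
        try {
            strongDecrypt(key, sealed);
            System.out.println("unexpected: tampering not detected");
        } catch (AEADBadTagException e) {
            System.out.println("tampering detected");
        }
    }
}
```

Running the class prints the round-tripped message followed by "tampering detected". A code reviewer or a static check can flag the three violating calls by their string arguments alone ("MD5", "AES/CBC/PKCS5Padding") and by the import of java.util.Random in any file that also touches javax.crypto, which is the kind of simple rule CRYLOGGER applies at runtime.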

The researchers noted that such rules would be well known to specialized cryptographers, but many regular app developers may be lacking in the specific knowledge or skills to use such tools properly, with this shortfall potentially putting users at risk.

The team reached out to the developers of the 306 Android applications found to be vulnerable, some of which had millions of downloads. 

"Unfortunately, only 18 developers answered our first email of request and only 8 of them followed back with us multiple times providing useful feedback on our findings," they noted, adding that they also contacted the developers of six popular Android libraries, but only heard back from two of them.

Via ZDNet

Mike Moore
Deputy Editor, TechRadar Pro

Mike Moore is Deputy Editor at TechRadar Pro. He has worked as a B2B and B2C tech journalist for nearly a decade, including at one of the UK's leading national newspapers and fellow Future title ITProPortal, and when he's not keeping track of all the latest enterprise and workplace trends, can most likely be found watching, following or taking part in some kind of sport.
