Identifying Crypto API Usages In Android Apps Using A Static Analysis Framework

Daisuke Sumita: Hello, everyone. I’m Daisuke Sumita from the National Police Agency, Japan. Today I’m going to be presenting on identifying crypto API usages in Android apps using a static analysis framework. This is joint research with Professor Kanta Matsuura from the Institute of Industrial Science, the University of Tokyo.

So let me begin with the motivation of our work. As you know, recent mobile apps often encrypt their local storage data. Such encryption prevents forensic investigators from quick data analysis. Fortunately, there are many helpful existing works written against mobile app data encryption. They rebuilt the encryption schemes; thus, we can decrypt the data. However, most of such works rely on manual analysis.

For handling mobile app encryption, application analysis is key to the solution, because mobile apps often derive encryption keys and parameters using locally stored data. Then just repeating the encryption behavior in apps could decrypt encrypted data. So in this work we identify standard crypto API usages in Android apps via automatic regression analysis.

Next, I would like to explain our problem definition. It’s common to use the Cipher across API with the standard Java crypto API for data encryption in Android apps. For using the Cipher across API, some typical parameters are needed. Then we define our problem as an identification of the parameter derivation used for Cipher API codes with Cipher decrypt mode. This could be extended for other crypto APIs.

Then this slide shows the analysis approach overview for our program. We divide the analysis into three steps. First, find Cipher API calls with DECRYPT_MODE. Next, analyze typical crypto API usages for each Cipher call. Finally, analyze source APIs for the parameter derivation used for each crypto API call.

I’d like to explain source parameter derivation for [inaudible] API calls a little more. We made these five categories for the sources. They indicate whether encrypted data could be decrypted with locally stored data or not.

We built the analysis implementation using an existing static analysis framework, Amandroid, [inaudible] its [inaudible] analysis capability. And we conducted an analysis test on 139 real-world apps created from “F-Droid”. We successfully discovered and identified 178 crypto API calls and 212 parameter sources.

Finally, let me briefly summarize our work. We selected and categorized typical Android APIs which are used for the parameters of Android standard crypto APIs. We developed a static analysis tool for Android apps which identifies the usage of crypto APIs. We conducted experimental tests on real-world Android apps. As a result, we can discover and identify crypto API calls and the parameters used.

In the future, we want to expand support for more parameters and improve accuracy of analysis. Thank you for listening.
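The three-step approach described in the talk (find Cipher.init calls with DECRYPT_MODE, record the Cipher usage, then trace each parameter back to its source API), as an added, much simplified illustration that is not the speakers' Amandroid-based tool. It runs a line-based def-use walk over a constructed Java fragment; the source categories and all regular expressions are assumptions, since the page does not list the talk's five categories.

```python
import re
# Constructed Java fragment (illustrative, not from the talk's F-Droid dataset): the AES key
# is derived from a SharedPreferences value plus ANDROID_ID, and the IV is stored locally.
SAMPLE = '''
String seed = prefs.getString("seed", "");
String devId = Settings.Secure.getString(resolver, Settings.Secure.ANDROID_ID);
byte[] raw = sha256(seed + devId);
SecretKeySpec key = new SecretKeySpec(raw, "AES");
byte[] ivBytes = Base64.decode(prefs.getString("iv", ""), 0);
IvParameterSpec iv = new IvParameterSpec(ivBytes);
Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
c.init(Cipher.DECRYPT_MODE, key, iv);
'''
# Assumed source categories; first match wins, so Settings.Secure precedes the getString rule.
SOURCE_PATTERNS = [
    ("device_property", r"Settings\.Secure|Build\."),
    ("local_storage", r"\.getString\(|getSharedPreferences\(|FileInputStream"),
    ("random", r"SecureRandom"),
    ("constant", r'"[^"]*"\.getBytes\(|new byte\[\]\s*\{'),
]
ASSIGN_RE = re.compile(r"^\s*(?:[\w<>\[\]]+\s+)?(\w+)\s*=\s*(.+);\s*$")
DECRYPT_RE = re.compile(r"(\w+)\.init\(\s*Cipher\.DECRYPT_MODE\s*,\s*([^;]*?)\)\s*;")

def collect_assignments(code):
    # Map each local variable to the expression assigned to it (one statement per line).
    return {m.group(1): m.group(2) for m in map(ASSIGN_RE.match, code.splitlines()) if m}

def find_decrypt_inits(code):
    # Step 1: every Cipher.init(DECRYPT_MODE, ...) call and its parameter variables.
    return [(m.group(1), [a.strip() for a in m.group(2).split(",")])
            for m in DECRYPT_RE.finditer(code)]

def trace_sources(var, assigns, seen=None):
    # Step 3: walk the def-use chain backwards and label the leaf expressions.
    seen = set() if seen is None else seen
    if var in seen or var not in assigns:
        return set()
    seen.add(var)
    rhs = assigns[var]
    hit = next((n for n, p in SOURCE_PATTERNS if re.search(p, rhs)), None)
    found = {hit} if hit else set()
    # Recurse into variables the expression reads, with string literals blanked out first.
    for tok in re.findall(r"\b[A-Za-z_]\w*\b", re.sub(r'"[^"]*"', '""', rhs)):
        found |= trace_sources(tok, assigns, seen)
    return found

def analyze(code):
    # Steps 1-3 combined: per Cipher variable, its getInstance call (step 2) and the
    # source categories of every parameter passed to init(DECRYPT_MODE, ...).
    assigns = collect_assignments(code)
    return {c: {"getInstance": assigns.get(c, "?"),
                "params": {p: sorted(trace_sources(p, assigns)) for p in params}}
            for c, params in find_decrypt_inits(code)}
```

Real decompiled code needs a proper def-use analysis across methods and fields, which is what the Amandroid-based tool provides; this toy stops at a single straight-line method body.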
