Rule #4 - 1,076 apps - Don't use the operation mode CBC (client/server scenarios)
These are basic rules that any cryptographer knows very well, but rules that some app developers might not be aware of without having studied app security (AppSec) or advanced cryptography prior to entering the app development space.
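To show the property behind Rule #4, here is an added example written for this page (not code from the paper, from CRYLOGGER, or from any of the apps studied): a receiver that decrypts CBC ciphertext with only padding checks and no MAC cannot tell a modified message from a genuine one, whereas an authenticated mode such as AES-GCM rejects the same modification. The key, IV, nonce and message are constructed demo values.

```go
package main
import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)
// Constructed, fixed demo values; real code takes the key from a keystore or KDF and uses a fresh random IV/nonce per message.
var key = []byte("0123456789abcdef0123456789abcdef") // 32 bytes: AES-256
var iv, nonce = []byte("fixed-demo-iv-16"), []byte("demo-nonce12") // 16-byte CBC IV, 12-byte GCM nonce
// cbcEncrypt is the pattern Rule #4 warns about: CBC with PKCS#7 padding and no authentication tag.
func cbcEncrypt(pt []byte) []byte {
	block, _ := aes.NewCipher(key) // key length is fixed above, so no error
	pad := aes.BlockSize - len(pt)%aes.BlockSize
	padded := append(append([]byte{}, pt...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	return ct
}
// cbcDecrypt can only check length and padding, so a modified ciphertext still "decrypts" without error.
func cbcDecrypt(ct []byte) ([]byte, error) {
	if len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("ciphertext length %d is not a block multiple", len(ct))
	}
	block, _ := aes.NewCipher(key)
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	if pad := int(pt[len(pt)-1]); pad >= 1 && pad <= aes.BlockSize {
		return pt[:len(pt)-pad], nil
	}
	return nil, fmt.Errorf("bad padding")
}
// AES-GCM is an authenticated mode: any change to the ciphertext fails the tag check in Open.
func newGCM() cipher.AEAD {
	block, _ := aes.NewCipher(key)
	aead, _ := cipher.NewGCM(block)
	return aead
}
func gcmSeal(pt []byte) []byte          { return newGCM().Seal(nil, nonce, pt, nil) }
func gcmOpen(ct []byte) ([]byte, error) { return newGCM().Open(nil, nonce, ct, nil) }
// tamperCheck flips one bit in each ciphertext (standing in for any in-transit modification) and reports what each receiver sees.
func tamperCheck(msg []byte) (cbcErr error, cbcAltered bool, gcmErr error) {
	cbc, gcm := cbcEncrypt(msg), gcmSeal(msg)
	cbc[0], gcm[0] = cbc[0]^0x01, gcm[0]^0x01
	got, err := cbcDecrypt(cbc)
	_, gcmErr = gcmOpen(gcm)
	return err, err == nil && !bytes.Equal(got, msg), gcmErr
}
// Constructed message; CBC accepts the altered text silently, GCM returns an authentication error.
func main() { fmt.Println(tamperCheck([]byte("amount=000100;to=alice;ref=0042"))) }
```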
Only 18 of 306 app developers replied to the research team
The Columbia University academics said that after they tested the apps, they also contacted all the developers of the 306 Android applications found to be vulnerable.
"All the apps are popular: they have from hundreds of thousands of downloads to more than 100 million," the research team said. "Unfortunately, only 18 developers answered our first email of request and only 8 of them followed back with us multiple times providing useful feedback on our findings."
While some crypto bugs were in an application's own code, some common bugs were also introduced by Java libraries bundled with the apps.
The researchers say they also contacted the developers of six popular Android libraries, but just like before, they only received answers from two of them.
Since none of the developers fixed their apps and libraries, researchers refrained from publishing the names of the vulnerable apps and libraries, citing possible exploitation attempts against the apps' users.
A complementary tool to CryptoGuard
All in all, the research team believes they've built a powerful tool that can be reliably used by Android developers as a complementary utility to CryptoGuard.
The two tools are complementary because CryptoGuard is a static analyzer (it analyzes source code without executing it), while CRYLOGGER is a dynamic analysis tool (it analyzes code while it is being executed). Since the two work on different levels, academics believe both could be used to detect cryptography-related bugs in Android apps before app code hits user devices.
Just like CryptoGuard, CRYLOGGER's code is also available on GitHub.