A Case Study of Mobile Health Applications: The OWASP Risk of Insufficient Cryptography
DOI: https://doi.org/10.30564/jcsr.v4i1.4271
Abstract: Mobile devices are being deployed rapidly for both private and professional reasons. One area that has been growing is the release of healthcare applications into the mobile marketplaces for health management. These applications help individuals track their own biorhythms and contain sensitive information. This case study examines the source code of mobile applications released to GitHub for the risk of Insufficient Cryptography in the Open Web Application Security Project (OWASP) Mobile Top Ten risks. We first develop and justify a mobile OWASP cryptographic knowledge graph for detecting security weaknesses specific to mobile applications, which can be extended to other domains involving cryptography. We then analyze the source code of 203 open source healthcare mobile applications and report on their usage of cryptography. Our findings show that none of the open source healthcare applications correctly applied cryptography in all elements of their applications. As people adopt healthcare applications for managing their health routines, it is essential that they consider the privacy and security risks they are accepting when sharing their data. Furthermore, many open source applications and developers operate under environmental parameters which do not mandate adherence to regulations. In addition to recommending new free tools, standalone or compiler-embedded, for identifying security risks during software development, the article suggests awareness and training modules for developers prior to marketplace software release.