Java Cryptography Uses in the Wild

Hazhirpasand, Mohammadreza; Ghafari, Mohammad; Nierstrasz, Oscar (October 2020). Java Cryptography Uses in the Wild. In: 14th ACM / IEEE International Symposium on Empirical Software Engineering and Measurement (ESEM 2020). 10.1145/3382494.3422166

	Text Hazh20c.pdf - Accepted Version Restricted to registered users only Available under License Publisher holds Copyright. Download (539kB) | Request a copy
	Text 3382494.3422166.pdf - Published Version Restricted to registered users only Available under License Publisher holds Copyright. Download (514kB) | Request a copy

Background Previous research has shown that developers commonly misuse cryptography APIs. Aim We have conducted an exploratory study to find out how crypto APIs are used in open-source Java projects, what types of misuses exist, and why developers make such mistakes. Method We used a static analysis tool to analyze hundreds of open-source Java projects that rely on Java Cryptography Architecture, and manually inspected half of the analysis results to assess the tool results. We also contacted the maintainers of these projects by creating an issue on the GitHub repository of each project, and discussed the misuses with developers. Results We learned that 85\% of Cryptography APIs are misused, however, not every misuse has severe consequences. Developer feedback showed that security caveats in the documentation of crypto APIs are rare, developers may overlook misuses that originate in third-party code, and the context where a Crypto API is used should be taken into account. Conclusion We conclude that using Crypto APIs is still problematic for developers but blindly blaming them for such misuses may lead to erroneous conclusions.

Interest & Impact

Downloads

3 since deposited on 20 Apr 2021
0 in the past 12 months

Citations

5 Citations in Web of Science ®
6 Citations in Scopus

Search

in Google Scholar™

Services

Actions (login required)

Edit item

Actions (login required)

Edit item