Java Cryptography Uses in the Wild

Hazhirpasand, Mohammadreza; Ghafari, Mohammad; Nierstrasz, Oscar (October 2020). Java Cryptography Uses in the Wild. In: 14th ACM / IEEE International Symposium on Empirical Software Engineering and Measurement (ESEM 2020). 10.1145/3382494.3422166

[img] Text
Hazh20c.pdf - Accepted Version
Restricted to registered users only
Available under License Publisher holds Copyright.

Download (539kB)
[img] Text
3382494.3422166.pdf - Published Version
Restricted to registered users only
Available under License Publisher holds Copyright.

Download (514kB)

Background Previous research has shown that developers commonly misuse cryptography APIs. Aim We have conducted an exploratory study to find out how crypto APIs are used in open-source Java projects, what types of misuses exist, and why developers make such mistakes. Method We used a static analysis tool to analyze hundreds of open-source Java projects that rely on Java Cryptography Architecture, and manually inspected half of the analysis results to assess the tool results. We also contacted the maintainers of these projects by creating an issue on the GitHub repository of each project, and discussed the misuses with developers. Results We learned that 85\% of Cryptography APIs are misused, however, not every misuse has severe consequences. Developer feedback showed that security caveats in the documentation of crypto APIs are rare, developers may overlook misuses that originate in third-party code, and the context where a Crypto API is used should be taken into account. Conclusion We conclude that using Crypto APIs is still problematic for developers but blindly blaming them for such misuses may lead to erroneous conclusions.

Item Type:

Conference or Workshop Item (Paper)

Division/Institute:

08 Faculty of Science > Institute of Computer Science (INF)
08 Faculty of Science > Institute of Computer Science (INF) > Software Composition Group (SCG) [discontinued]

UniBE Contributor:

Hazhirpasand Barkadehi, Mohammadreza, Ghafari, Mohammad, Nierstrasz, Oscar

Subjects:

000 Computer science, knowledge & systems
500 Science > 510 Mathematics

Funders:

[4] Swiss National Science Foundation

Language:

English

Submitter:

Oscar Nierstrasz

Date Deposited:

20 Apr 2021 11:58

Last Modified:

05 Dec 2022 15:49

Publisher DOI:

10.1145/3382494.3422166

ArXiv ID:

2009.01101v1

Uncontrolled Keywords:

scg-pub security snf-asa3 scg20 jb20 snf-imad

BORIS DOI:

10.48350/154503

URI:

https://boris.unibe.ch/id/eprint/154503

Actions (login required)

Edit item Edit item
Provide Feedback