Section: New Results

Verified Android Cryptographic Applications

Participants : Karthikeyan Bhargavan [correspondant] , Quentin Lefebvre [MPRI] .

With the emergence of application markets for smartphones, hundreds of third-party applications now use cryptography to protect sensitive user data before storing it on disk or sending it out on the network. However, using cryptographic mechanisms correctly to fulfill a desired security goal is challenging and error-prone, even for experts. Our goal is to build verification tools that developers may use to develop security proofs for their applications.

We show how to verify the security of third-party cryptographic applications written in Java for the Android platform. We first develop symbolic security specifications for classes in the JCA. We can then verify that applications that use these libraries satisfy their security goals, even in the presence of a Dolev-Yao adversary who controls the network, the disk, and potentially other applications on the device. We report preliminary verification results using the Krakatoa verification tool for Java programs.

We presented this work at the ASA workshop 2011 [23] .