CrySL: An Extensible Approach to Validating the Correct Usage of Cryptographic APIs

Various studies have empirically shown that the majority of Java and Android applications misuse cryptographic libraries, causing devastating breaches data security. It is crucial to detect such misuses early in development process. To cryptography misuses, one must define secure uses first, a process mastered primarily by experts but not developers. In this paper, we present CrySL , specification language for bridging cognitive gap between enables specify usage libraries they provide. We implemented compiler translates into context-sensitive flow-sensitive demand-driven static analysis. The analysis then helps developers automatically checking given or app compliance with -encoded rules. designed an extensive rule set Cryptography Architecture (JCA), evaluated it analyzing 10,000 current apps all 204,788 software artefacts on Maven Central. Our results show APIs still widespread, 95 percent 63 containing at least misuse. easily extensible covers more violations than previous special-purpose tools contain hard-coded rules, while offering precise