Mining Cryptography Misuse In Online Forums

This work analyzes cryptography misuse by software developers, from their contributions to online forums on cryptography-based security and cryptographic programming. We studied three popular forums: Oracle Java Cryptography, Google Android Developers, and Google Android Security Discussions. We applied a data mining technique, namely Apriori, to elicit association rules among cryptographic bad practices, platform-specific issues, cryptographic programming tasks, and cryptography-related use cases. We found that, with surprisingly high probabilities (90% for Java and 71% for Android), several types of cryptography misuse can be found in the posts, but unfortunately masked by technology-specific issues and programming concerns. We also found that cryptographic bad practices frequently occur in pairs or triples. We related triple associations to use cases and tasks, characterizing worst case scenarios of cryptography misuse. Finally, we observed that hard-to-use architectures confuse developers and contribute to perpetuate recurring errors in cryptographic programming.143150IEEE International Conference on Software Quality, Reliability and Security Companion (QRS-C)AUG 01-03, 2016Vienna, AUSTRI