CryptAnalyzer

A Static Analysis tool, based on Soot

Install / Use

/learn @ch4174nya/CryptAnalyzer
CryptAnalyzer

A static analysis tool, based on Soot, that analyzes Android APKs to identify violations of certain cryptographic rules.

The safety properties that it looks for are the following:

  • Modes should not be ECB (at least not for multiple blocks being encrypted)
  • Static Initialization Vectors (IVs) shouldn’t be used
  • Constant encryption keys shouldn’t be used
  • Constant salts shouldn’t be used
  • Password Based Encryption should make use of at least 1000 iterations
  • Secure Random shouldn’t be statically seeded

The tool outputs a text file, under a "Logs" directory, that it generates during execution. The text file lists the violations, if any.
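To make the six properties listed above concrete, here is an added example (not code from the CryptAnalyzer repository) showing each pattern in standard JCA calls next to a version that avoids all of them. The class name, method names, and every literal value are constructed for illustration, and whether the tool reports these exact forms is an assumption.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import javax.crypto.Cipher;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.*;

public class CryptoRuleDemo {
    static final String KDF = "PBKDF2WithHmacSHA1";
    // Constructed sample: each commented line breaks one property from the list above.
    static byte[] flagged(char[] pw, byte[] msg) throws Exception {
        byte[] salt = "fixed-salt".getBytes(StandardCharsets.UTF_8);        // constant salt
        PBEKeySpec spec = new PBEKeySpec(pw, salt, 100, 128);               // < 1000 iterations
        byte[] key = SecretKeyFactory.getInstance(KDF).generateSecret(spec).getEncoded();
        Cipher cbc = Cipher.getInstance("AES/CBC/PKCS5Padding");
        cbc.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"),
                new IvParameterSpec(new byte[16]));                         // static all-zero IV
        byte[] hard = "0123456789abcdef".getBytes(StandardCharsets.UTF_8);  // constant key
        Cipher ecb = Cipher.getInstance("AES/ECB/PKCS5Padding");            // ECB mode
        ecb.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(hard, "AES"));
        SecureRandom rng = new SecureRandom(new byte[] {1, 2, 3, 4});       // static seed
        return cbc.doFinal(msg);  // ecb and rng exist only to show their patterns
    }

    // Same operation with none of the six patterns; returns salt || iv || ciphertext.
    static byte[] compliant(char[] pw, byte[] msg) throws Exception {
        SecureRandom rng = new SecureRandom();     // seeded by the platform
        byte[] salt = new byte[16], iv = new byte[12];
        rng.nextBytes(salt);                       // fresh salt per call
        rng.nextBytes(iv);                         // fresh IV per call
        PBEKeySpec spec = new PBEKeySpec(pw, salt, 10000, 128);  // above the 1000 minimum
        byte[] key = SecretKeyFactory.getInstance(KDF).generateSecret(spec).getEncoded();
        Cipher gcm = Cipher.getInstance("AES/GCM/NoPadding");    // not ECB
        gcm.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"), new GCMParameterSpec(128, iv));
        byte[] ct = gcm.doFinal(msg);
        return ByteBuffer.allocate(salt.length + iv.length + ct.length)
                .put(salt).put(iv).put(ct).array();
    }

    public static void main(String[] args) throws Exception {
        char[] pw = "constructed-password".toCharArray();
        byte[] msg = "constructed sample plaintext".getBytes(StandardCharsets.UTF_8);
        System.out.println("flagged:   " + flagged(pw, msg).length + " bytes");
        System.out.println("compliant: " + compliant(pw, msg).length + " bytes");
    }
}
```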

References:

GitHub Stars: 6
Category: Development
Updated: 4mo ago
Forks: 1

Languages

Java

Security Score

72/100

Audited on Nov 11, 2025

No findings