Cryptographic API Misuses in Industry: A Case Study on Prevalence and Remediation

  • Joilton Almeida de Jesus UnB
  • Luís Henrique Vieira Amaral UnB
  • Rodrigo Bonifácio UnB

Abstract

Correct use of cryptographic APIs is crucial for data security in enterprise systems, yet remains challenging. This paper reports our experience applying CogniCrypt and CryptoGuard to detect cryptographic API misuses in 17 Java artifacts from a large agricultural research company. We identified 67 vulnerabilities—primarily involving insecure modes (e.g., AES/ECB) and key management issues—with 34 concentrated in a shared architectural component. Through a developer focus group and manual remediation, we assessed the tools’ effectiveness and developers’ perceptions, highlighting challenges in Static Application Security Testing (SAST) adoption and legacy code maintenance. As a practical contribution, we share our experience fixing the vulnerabilities and outline a migration strategy—necessary to ensure continued system functionality—that supports algorithm coexistence during the transition and preserves API compatibility.
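As an added illustration (not code from the paper or the company's artifacts), the AES/ECB misuse named in the abstract is shown next to an authenticated AES/GCM replacement, wrapped in a version-tagged envelope of the kind an algorithm-coexistence migration needs: old ciphertext stays readable while all new writes use the hardened mode behind an unchanged decrypt API. The class name, method names and the one-byte format tags are assumptions made here.

```java
import java.nio.ByteBuffer;
import java.security.SecureRandom;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class CipherMigration {
    // Hypothetical one-byte format tags: 0 marks pre-migration AES/ECB data, 1 marks AES/GCM data.
    static final byte V_LEGACY_ECB = 0, V_GCM = 1;
    static final int IV_LEN = 12, TAG_BITS = 128;
    static final SecureRandom RNG = new SecureRandom();

    // The misuse the tools flag: ECB has no IV, so equal plaintext blocks give equal ciphertext
    // blocks. Kept strictly for reading data written before the migration; never used to encrypt.
    static byte[] legacyEcbDecrypt(SecretKey key, byte[] ct) throws Exception {
        Cipher c = Cipher.getInstance("AES/ECB/PKCS5Padding");
        c.init(Cipher.DECRYPT_MODE, key);
        return c.doFinal(ct);
    }

    // Hardened writer: fresh random 96-bit IV per message and authenticated encryption (GCM).
    static byte[] encrypt(SecretKey key, byte[] pt) throws Exception {
        byte[] iv = new byte[IV_LEN];
        RNG.nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = c.doFinal(pt);
        return ByteBuffer.allocate(1 + IV_LEN + ct.length).put(V_GCM).put(iv).put(ct).array();
    }

    static byte[] take(ByteBuffer b, int n) { byte[] out = new byte[n]; b.get(out); return out; }

    // One decrypt entry point keeps the caller-facing API unchanged while both formats coexist.
    static byte[] decrypt(SecretKey key, byte[] blob) throws Exception {
        ByteBuffer b = ByteBuffer.wrap(blob);
        byte version = b.get();
        if (version == V_LEGACY_ECB) return legacyEcbDecrypt(key, take(b, b.remaining()));
        if (version != V_GCM) throw new IllegalArgumentException("unknown format version " + version);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, take(b, IV_LEN)));
        return c.doFinal(take(b, b.remaining()));   // AEADBadTagException if the blob was altered
    }

    public static void main(String[] args) throws Exception {
        byte[] k = new byte[32]; RNG.nextBytes(k);   // constructed demo key; real keys live in a keystore/KMS
        SecretKey key = new SecretKeySpec(k, "AES");
        byte[] blob = encrypt(key, "soil-sample-42".getBytes("UTF-8"));
        System.out.println(new String(decrypt(key, blob), "UTF-8"));
    }
}
```

Once a re-encryption pass has rewritten all stored data, the `V_LEGACY_ECB` branch and `legacyEcbDecrypt` can be deleted, which also removes the finding the SAST tools would otherwise keep reporting.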

Published
01/09/2025
JESUS, Joilton Almeida de; AMARAL, Luís Henrique Vieira; BONIFÁCIO, Rodrigo. Cryptographic API Misuses in Industry: A Case Study on Prevalence and Remediation. In: TRILHA DE INTERAÇÃO COM A INDÚSTRIA E DE INOVAÇÃO - SIMPÓSIO BRASILEIRO DE CIBERSEGURANÇA (SBSEG), 25., 2025, Foz do Iguaçu/PR. Anais [...]. Porto Alegre: Sociedade Brasileira de Computação, 2025. p. 405-413. DOI: https://doi.org/10.5753/sbseg_estendido.2025.12030.