NS-Presentation-v2.pptx

29 Mar 2023

  1. NOWSECURE PROJECT Collins, Stacey D Defersha, Endale A Jacobson, Rhiannon N Peterka, Joseph D Spring 2022
  2. WHAT TYPE OF PATTERN OF SECURITY RISK OR MALWARE DID YOU ATTEMPT TO FIND?
  3. SUMMARY IN REVIEW
       • 1007 distinct apps associated with 79 distinct countries.
       • 207 (20.6%) of apps have key size vulnerabilities.
       • There was no significant difference in key size vulnerabilities based on the geographic region from which the app originated.
  4. BACKGROUND Use of a digital signature is important so that users of applications know the data being transferred is coming from the correct users. Appropriate key sizes, as well as other cryptography-based security measures, are necessary to protect information, specifically for apps that deal with sensitive information. In the NowSecure-provided data, apps that have a key size vulnerability have a keysize_check variable value equal to True. If keysize_check is True, then the app uses a weak key size which could lead to forged digital signatures; if False, then no such vulnerability was found. Please note that a True value does not indicate that a digital signature has been forged, but simply that the vulnerability exists within the application and could lead to a forgery.
  5. SECURITY ISSUES RELATED TO THE KEY SIZE
       Dependent variable:
       • keysize_check
       Independent variables:
       • secure_random_check
       • change_cipher_spec_check
       • certificate_validity_check
       • sqlcipher_key_leakage_check
  6. HOW DID YOU GO ABOUT FINDING THIS SECURITY RISK ACROSS ALL THE NOWSECURE APPS?
  7. APPROACH
       • Conducted two phases of experiments
         Model 1) Using 2 of the proposed independent variables
           • secure_random_check
           • sqlcipher_key_leakage_check
           Two were removed because they didn't vary (all values were False):
           • change_cipher_spec_check
           • certificate_validity_check
         Model 2) Including all variables with chi-sq p-value < 0.25
  8. CHI-SQ TABLE
       Variable Name                      Chi-Sq   p-value   DF
       secure_random_check                4.59     0.032     1
       sends_sms_check                    2.58     0.109     1
       dirtycow_check                     1.99     0.158     1
       javascript_interface_check         1.87     0.171     1
       allow_backup_check                 1.81     0.179     1
       decode_apk_check                   1.65     0.199     1
       publisher_global_location          3.85     0.427     4
       auto_generated_screenshots_check   0.41     0.520     1
       application_overprivileged_check   0.26     0.611     1
       sqlcipher_key_leakage_check        0.26     0.612     1
       decompile_apk_check                0.22     0.640     1
       get_reflection_code                0.07     0.787     1
       obfuscation_check                  0.07     0.787     1
       okhttp_vuln_check                  0.01     0.905     1
       dynamic_code_loading_check         0.00     0.979     1
       certificate_validity_check         0.00     1.000     0
       change_cipher_spec_check           0.00     1.000     0
       debug_flag_check                   0.00     1.000     0
       extract_lib_info                   0.00     1.000     0
       get_native_methods                 0.00     1.000     0
       heartbleed_check                   0.00     1.000     0
       master_key_check                   0.00     1.000     0
  9. STEPS
       • Created a logistic regression model to examine the relationship between our dependent and independent variables.
       • Examined the output of the model to determine which independent variables are significant in relation to the dependent variable, and which, if any, are not.
       • Looked at the odds ratios of the vulnerabilities in the independent variables to quantify the size of the relationship between the independent vulnerabilities and the key size vulnerability. Is an app with a vulnerability in one independent variable significantly more likely to experience a key size vulnerability? The odds ratios allow us to quantify the size of that likelihood.
  10. Results from Experiment 1
  11. Results from Experiment 2
  12. ODDS RATIOS COMPARISON
       MODEL 1
       Variable Name                  OR (CI)
       secure_random_check            1.68 (1.07, 2.66) *
       sqlcipher_key_leakage_check    0.68 (0.23, 1.98)
       * = odds ratio significantly different from 1

       MODEL 2
       Variable Name                  OR (CI)
       dirtycow_check                 1.50 (0.90, 2.51)
       sends_sms_check                1.64 (0.87, 3.10)
       decode_apk_check               0.30 (0.06, 1.50)
       allow_backup_check             0.78 (0.57, 1.07)
       secure_random_check            1.82 (1.14, 2.90) *
       javascript_interface_check     1.34 (0.89, 2.03)
       * = odds ratio significantly different from 1
  13. WHAT DID YOU FIND? DO YOU HAVE A LIST OF INSECURE APPS? OR PATTERNS OF INSECURE LIBRARIES OR OTHER ASPECTS OF APPS?
  14. FINDINGS
       • Only secure_random_check was significant
         • Model 1: odds ratio of 1.68 (95% CI 1.07 - 2.66)
         • Model 2: odds ratio of 1.82 (95% CI 1.14 - 2.90)
       • Country Association
         • 1007 applications, representing 48 categories and developed across 79 distinct countries
         • 57 apps were unable to be logically associated with a country of origin
         • A unique trend by location was found to be insignificant
  15. KEY SIZE VULNERABILITY BY REGION
       Region     Total Apps   Vulnerable Keysize   %
       Africa     15           1                    6.7%
       Americas   333          63                   18.9%
       Asia       386          85                   22.0%
       Europe     163          48                   29.4%
       Oceania    13           3                    23.1%
  16. DO YOU THINK THERE ARE ANY IMPLICATIONS OF WHAT YOU’VE FOUND? IS IT NOVEL? IS IT WORTH OTHERS CHECKING ON THE APPS OR OTHER FINDINGS YOU HAVE?
  17. IMPLICATIONS
       • Model 1: odds ratio of 1.68 (95% CI 1.07 - 2.66)
         • Apps that have a secure_random_check vulnerability are 1.68 times as likely to also have a keysize_check vulnerability as those apps that do not have a secure_random_check vulnerability
       • Model 2: odds ratio of 1.80 (95% CI 1.14 - 2.90)
         • Apps that have a secure_random_check vulnerability are 1.80 times as likely to also have a keysize_check vulnerability as those apps that do not have a secure_random_check vulnerability
       • Country Attribution
         • Associating apps to country of origin
         • Global associations
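The statistics the presentation relies on (the chi-square screening of slide 8, the odds ratios with 95% confidence intervals of slide 12, and the regional comparison of slide 15) can be reproduced without a statistics package. The following is an added example, not code from the NowSecure project or from the presenters. The secure_random_check x keysize_check 2x2 counts are constructed for illustration (the slides do not give the real cell counts, so the result will not match 1.68 exactly); the regional counts are taken from slide 15. The survival function below is exact for df = 1 and for even df, which covers every row of the slide 8 table, and it reproduces the p-values listed there (3.85 on 4 df gives 0.427; 4.59 on 1 df gives 0.032).

```python
"""Chi-square screening and odds-ratio estimation for binary app security checks.

Added example. The secure_random_check counts are CONSTRUCTED, not NowSecure
data; the regional counts are copied from slide 15 of the presentation.
"""
import math

# Constructed 2x2 contingency table (NOT the project's real counts):
# rows = secure_random_check (True, False), cols = keysize_check (True, False).
SECURE_RANDOM_VS_KEYSIZE = [[80, 220], [127, 580]]

# Slide 15: (vulnerable key size, not vulnerable) per region.
REGION_VS_KEYSIZE = {
    "Africa": [1, 14],
    "Americas": [63, 270],
    "Asia": [85, 301],
    "Europe": [48, 115],
    "Oceania": [3, 10],
}


def expected_counts(table):
    """Expected cell counts under independence: row_total * col_total / N."""
    n = sum(map(sum, table))
    row_tot = [sum(r) for r in table]
    col_tot = [sum(c) for c in zip(*table)]
    return [[rt * ct / n for ct in col_tot] for rt in row_tot]


def pearson_chi_square(table):
    """Pearson chi-square statistic and degrees of freedom for an r x c table."""
    exp = expected_counts(table)
    chi2 = sum((o - e) ** 2 / e
               for row, erow in zip(table, exp) for o, e in zip(row, erow))
    df = (len(table) - 1) * (len(table[0]) - 1)
    return chi2, df


def chi_square_sf(x, df):
    """P(X >= x) for a chi-square variable with df degrees of freedom.

    df == 1 reduces to erfc(sqrt(x/2)); even df has the closed form
    exp(-x/2) * sum_{i<df/2} (x/2)^i / i!  (a Poisson tail). Odd df > 1 would
    need the regularized gamma function and is not needed for the slide data.
    """
    if df == 1:
        return math.erfc(math.sqrt(x / 2.0))
    if df % 2 == 0:
        half = x / 2.0
        return math.exp(-half) * sum(half ** i / math.factorial(i)
                                     for i in range(df // 2))
    raise ValueError("odd df > 1 not handled in this example")


def odds_ratio(table, z=1.959964):
    """OR = ad/bc with a Wald 95% CI computed on the log scale.

    A CI that excludes 1 is what slide 12 marks with '*'.
    """
    (a, b), (c, d) = table
    or_ = (a * d) / (b * c)
    se = math.sqrt(1 / a + 1 / b + 1 / c + 1 / d)
    log_or = math.log(or_)
    return or_, math.exp(log_or - z * se), math.exp(log_or + z * se)


def sparse_cells(table, threshold=5.0):
    """Cells whose expected count is below threshold: the chi-square
    approximation is unreliable there (an issue for Africa and Oceania)."""
    return [(i, j) for i, row in enumerate(expected_counts(table))
            for j, e in enumerate(row) if e < threshold]


def screen_variable(table, alpha=0.25):
    """Slide 7 Model 2 rule: keep a variable if its chi-square p-value < 0.25."""
    chi2, df = pearson_chi_square(table)
    p = chi_square_sf(chi2, df)
    return {"chi2": chi2, "df": df, "p": p,
            "keep_for_model_2": p < alpha, "sparse_cells": sparse_cells(table)}


def region_table():
    """Slide 15 counts as a 5x2 table (region rows, vulnerable/not columns)."""
    return [REGION_VS_KEYSIZE[k] for k in REGION_VS_KEYSIZE]


if __name__ == "__main__":
    print("secure_random_check:", screen_variable(SECURE_RANDOM_VS_KEYSIZE))
    print("odds ratio (OR, lo, hi):", odds_ratio(SECURE_RANDOM_VS_KEYSIZE))
    print("region:", screen_variable(region_table()))
```

On the slide 15 counts the region chi-square comes out just under the 5% critical value for 4 df (9.49), matching the slides' conclusion that region is not significant, but two of the ten cells have expected counts below 5, so that conclusion rests on an approximation that is weak for Africa and Oceania; a practitioner would report the sparse cells alongside the p-value or pool the small regions before testing.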
  18. THE END

Editor's Notes (presenter per slide)

  1. Endale
  2. Endale
  3. Rhiannon
  4. Joseph 
  5. Stacy
  6. Endale
  7. Stacy
  8. Stacy
  9. Rhiannon
  10. Stacy
  11. Stacy
  12. Stacy
  13. Endale
  14. Stacy & Joseph 
  15. Joseph 
  16. Endale 
  17. Stacy and Joseph 
  18. Joseph