Python Crypto Misuses in the Wild


Background Previous studies have shown that up to 99.59 % of the Java apps using crypto APIs misuse the API at least once. However, these studies have been conducted on Java and C, while empirical studies for other languages are missing. For example, a controlled user study with crypto tasks in Python has shown that 68.5 % of the professional developers write a secure solution for a crypto task. Aims To understand if this observation holds for real-world code, we conducted a study of crypto misuses in Python. Method We developed a static analysis tool that covers common misuses of 5 different Python crypto APIs. With this analysis, we analyzed 895 popular Python projects from GitHub and 51 MicroPython projects for embedded devices. Further, we compared our results with the findings of previous studies. Results Our analysis reveals that 52.26 % of the Python projects have at least one misuse. Further, some Python crypto libraries' API design helps developers from misusing crypto functions, which were much more common in studies conducted with Java and C code. Conclusion We conclude that we can see a positive impact of the good API design on crypto misuses for Python applications. Further, our analysis of MicroPython projects reveals the importance of hybrid analyses.

In Proceedings of the 15th ACM / IEEE International Symposium on Empirical Software Engineering and Measurement (ESEM)
Anna-Katharina Wickert
Anna-Katharina Wickert
PhD student at Technische Universität Darmstadt

My research interests are focused on static code analysis, API-misuses, and software security. Currently, I focus on security problems caused by API-misuses, e.g., for cryptographic APIs.