Tracing Cryptographic Agility in Android and iOS Apps

Cryptography algorithms are applicable in many use cases such as for example encryption, hashing, signing. Cryptography has been used since centuries, however some cryptography algorithms have been proven to be easily breakable (under certain configurations or conditions) and should thus be avoided. It is not easy for a developer with little cryptographic background to choose secure algorithms and configurations from the plenitude of options. Several publications already proved the disastrous cryptographic quality in mobile apps in the past. In this publication we research how cryptography of the top 2000 Android and iOS applications evolved over the past three years. We analyze at the example of the weak AES/ECB mode how and why apps changed from an insecure to a secure configuration and vice versa.