A team of researchers at Columbia University found cryptographic bugs in 306 Android apps.
The researchers used CRYLOGGER, an open-source tool they built that runs an app, logs the parameters it passes to Java's cryptographic APIs and then checks those logs against a list of rules for unsafe use of cryptography, the University said in a statement.
The tool was used to test 1,780 Android apps from 33 different categories on the Google Play Store between September and October 2019. Some of these apps have as many as 100 million downloads, the statement said. It did not name the apps.
Some apps broke a single basic cryptography rule; others broke several.
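CRYLOGGER's approach is to record what an app actually passes to the Java crypto APIs while it runs and to check that record offline against a rule list. The following Python script is an added illustration of that checking step, not CRYLOGGER's own code: the log format, the app names and the sample log lines are constructed for the example, and the rules (no ECB, no MD5/SHA-1, no reused or all-zero IV, no java.util.Random, at least 1,000 PBE iterations) are a small subset chosen to match the kind of "basic rule" the article refers to. The 1,000-iteration floor is this checker's own threshold.

```python
"""Offline rule checker over crypto-API call logs (illustrative only)."""
import re
from collections import defaultdict

# Constructed sample log: one API call per line as key=value fields, with
# byte arguments in hex. This format is an assumption made for the example.
SAMPLE_LOG = """\
app=com.example.notes api=Cipher.getInstance transformation=AES
app=com.example.notes api=Cipher.getInstance transformation=AES/ECB/PKCS5Padding
app=com.example.notes api=MessageDigest.getInstance algorithm=MD5
app=com.example.notes api=Cipher.init transformation=AES/CBC/PKCS5Padding iv=000102030405060708090a0b0c0d0e0f
app=com.example.notes api=Cipher.init transformation=AES/CBC/PKCS5Padding iv=000102030405060708090a0b0c0d0e0f
app=com.example.chat api=PBEKeySpec iterations=100
app=com.example.chat api=Random.<init> class=java.util.Random
app=com.example.chat api=Cipher.getInstance transformation=AES/GCM/NoPadding
app=com.example.chat api=Cipher.init transformation=AES/GCM/NoPadding iv=4f1c9b2e7a30d5c8e1b2a3f4
app=com.example.chat api=Cipher.init transformation=AES/GCM/NoPadding iv=9d2e7c11b0a4f6e3c5d7a9b1
app=com.example.chat api=MessageDigest.getInstance algorithm=SHA-256
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")
BROKEN_HASHES = {"MD5", "SHA-1", "SHA1"}
MIN_PBE_ITERATIONS = 1000  # floor chosen for this checker


def parse_log(text):
    """Turn each non-empty log line into a dict of its key=value fields."""
    return [dict(FIELD_RE.findall(line)) for line in text.splitlines() if line.strip()]


def check_log(text):
    """Return a list of (app, rule, detail) tuples, one per rule violation."""
    violations = []
    seen_ivs = defaultdict(set)  # app -> IVs already passed to Cipher.init
    for call in parse_log(text):
        app, api = call.get("app", "?"), call.get("api", "")
        if api == "Cipher.getInstance":
            transformation = call.get("transformation", "")
            parts = transformation.split("/")
            # A bare "AES" is equivalent to "AES/ECB/PKCS5Padding" in the JDK,
            # so a missing mode is also an ECB violation.
            if len(parts) == 1 or parts[1].upper() == "ECB":
                violations.append((app, "no-ecb", transformation))
        elif api == "MessageDigest.getInstance":
            if call.get("algorithm", "").upper() in BROKEN_HASHES:
                violations.append((app, "no-broken-hash", call["algorithm"]))
        elif api == "Cipher.init":
            iv = call.get("iv")
            if iv is not None:
                # The same IV showing up twice in one app is a reuse; an
                # all-zero IV is almost always a hard-coded constant.
                if iv in seen_ivs[app]:
                    violations.append((app, "no-iv-reuse", iv))
                if set(iv) == {"0"}:
                    violations.append((app, "no-zero-iv", iv))
                seen_ivs[app].add(iv)
        elif api == "PBEKeySpec":
            iterations = int(call.get("iterations", "0"))
            if iterations < MIN_PBE_ITERATIONS:
                violations.append((app, "pbe-iterations", str(iterations)))
        elif api == "Random.<init>" and call.get("class") == "java.util.Random":
            violations.append((app, "no-insecure-random", call["class"]))
    return violations


def violations_by_app(text):
    """Group the rule names of all violations by app package name."""
    grouped = defaultdict(list)
    for app, rule, _detail in check_log(text):
        grouped[app].append(rule)
    return dict(grouped)


if __name__ == "__main__":
    for app, rule, detail in check_log(SAMPLE_LOG):
        print(f"{app}: {rule} ({detail})")
```

Run on the constructed log, the checker flags the notes app four times (two ECB transformations, MD5 and a reused CBC IV) and the chat app twice (100 PBE iterations and java.util.Random), while the chat app's GCM calls with fresh IVs and its SHA-256 use pass. Because the check runs on values observed at run time rather than on source, it catches a constant IV or a weak iteration count even when the value arrives through a library rather than the app's own code.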
The team said it contacted the developers of all 306 vulnerable apps; only 18 responded, and only 8 of those replied more than once to give the researchers feedback.
The researchers also compared CRYLOGGER with CryptoGuard, a popular static-analysis tool for detecting crypto misuse, which reasons about an app's code without running it, whereas CRYLOGGER observes what the app actually does at run time. On the 150 Android apps tested with both tools, CRYLOGGER caught misuses that CryptoGuard missed.
Some bugs were in the apps' own code, while other common ones came from the Java libraries the apps depend on, so a developer can inherit a misuse without writing any cryptographic code themselves.
The team also reverse-engineered 28 of the affected apps and reported that half of them were confirmed to be vulnerable to attack, a reminder that a flagged rule violation is not automatically an exploitable hole and needs manual confirmation.