Dazed and Confused: What’s Wrong with Crypto Libraries? — Related Work

15 Jun 2024


(1) Mohammadreza Hazhirpasand, University of Bern, Bern, Switzerland;

(2) Oscar Nierstrasz, University of Bern, Bern, Switzerland;

(3) Mohammad Ghafari, University of Auckland, Auckland, New Zealand.

Kafader and Ghafari developed FluentCrypto with the goal of creating usable and secure crypto APIs for developers [13]. FluentCrypto hides the low-level complexities involved in using a native API and provides a task-based solution that novices can use without crypto knowledge. It also allows crypto experts to configure the API as they see fit and uses a set of pre-defined rules to determine whether a given configuration is secure. Green et al. proposed ten principles to help library developers reduce the likelihood of API misuse [3]. One of these principles is to make defaults safe and unambiguous in APIs. Following this principle could significantly reduce the difficulties developers face, as we witnessed their confusion about default values in both the library interoperability and the encryption/decryption themes.

Reviewing 2491 Stack Overflow questions related to seven crypto libraries, Patnaik et al. identified 16 underlying usability issues in crypto libraries [6]. Their work and this study share a common theme, namely the demand for example code snippets. However, their objective was to investigate the usability of crypto APIs, whereas we grouped the problems into themes from a technical perspective.

Developers treat Stack Overflow as a popular form of documentation. Parnin et al. studied three popular non-crypto APIs (Android, GWT, Java) to observe the quality and dynamics of the Stack Overflow documentation for these APIs [14]. They found that the crowd generated a rich body of content containing code examples, which is viewed by a majority of developers. For instance, more than 35 000 developers contributed to Android API discussions, which cover 87% of the API's classes and have been viewed over 80 million times. However, despite the massive number of discussions, only a small pool of experts is available to answer the questions. Hou et al. conducted a manual analysis of a set of newsgroup discussions to understand the problems developers encounter when using APIs [15]. They described 15 obstacles that hinder developers, e.g., API semantics that are unclear by design or wrong parameter values, and argued that alleviating such obstacles increases the accessibility of APIs.

Hazhirpasand et al. conducted a large-scale study of crypto-related posts on Stack Overflow, using Latent Dirichlet Allocation (LDA), a generative statistical model, to cluster 91 954 questions [4]. They found three high-level themes in developers' questions, namely digital certificates, programming issues, and password/hashing. In contrast, we report more detailed themes of issues specifically related to crypto libraries and exclude configuration problems and general-purpose crypto questions. A recent study analyzed 489 Java projects and found that the majority of the APIs examined (i.e., 13 of 15) were misused at least once [16]. In addition, contacting the developers revealed that security warnings in the documentation of crypto APIs are rare. Consequently, as a recent survey shows, developers are inclined to resolve their crypto issues on Stack Overflow, where the correctness of the provided answers is debatable [17].

This paper is available on arxiv under CC BY 4.0 DEED license.