Dazed and Confused: What’s Wrong with Crypto Libraries? — Abstract and Introduction

15 Jun 2024


(1) Mohammadreza Hazhirpasand, University of Bern, Bern, Switzerland;

(2) Oscar Nierstrasz, University of Bern, Bern, Switzerland;

(3) Mohammad Ghafari, University of Auckland, Auckland, New Zealand.

Abstract—Recent studies have shown that developers have difficulties in using cryptographic APIs, which often led to security flaws. We are interested to tackle this matter by looking into what types of problems exist in various crypto libraries. We manually studied 500 posts on Stack Overflow associated with 20 popular crypto libraries. We realized there are 10 themes in the discussions. Interestingly, there were only two questions related to attacks against cryptography. There were 63 discussions in which developers had interoperability issues when working with more than a crypto library. The majority of posts (112) were about encryption/decryption problems and 111 were about installation/compilation issues of crypto libraries. Overall, we realize that the crypto libraries are frequently involved in more than five themes of discussions. We believe the current initial findings can help team leaders and experienced developers to correctly guide the team members in the domain of cryptography. Moreover, future research should investigate the similarity of problems at the API level among popular crypto libraries.


The literature review shows that often developers do not securely use cryptographic (crypto) APIs. Hazhirpasand et al. analyzed 2 324 Java open-source projects in which Java Cryptography Architecture APIs were used. The authors found that more than 72% of the projects suffer from at least one cryptographic misuse [1]. Furthermore, they realized using such APIs over a period of time is not an indicative factor to developer performance. Rahaman et al. introduced CryptoGuard to detect cryptographic misuses and identified various types of misuses, e.g., broken hash, and insecure symmetric and asymmetric algorithms, in 6 181 popular Android applications [2].

Several studies have identified various areas of cryptography that are problematic, and where usability improvement could be advantageous. Green et al. proposed a guideline including ten principles for creating usable and secure crypto APIs [3]. Researchers deduced from 91 954 crypto questions on Stack Overflow that developers mainly have issues in three areas, i.e., digital certificates, programming issues, and passwords/hashes, resulting from a distinct lack of knowledge of fundamental concepts and the complexity of crypto libraries [4]. Lazar et al. studied 269 common vulnerabilities and exposures (CVEs) reports, and devised four main groups of crypto vulnerabilities, i.e., plaintext disclosure, man-in-the-middle attacks, bruteforce attacks, and side-channel attacks [5]. Nevertheless, the previous work studied the usabilities of crypto APIs and did not study the technical aspect of such APIs.

To advance previous work, we are interested in shedding light on the following research question: what technical difficulties are prevalent among crypto libraries? We conducted a manual thematic analysis of 500 posts on Stack Overflow associated with 20 crypto libraries. According to the question and answer body in the discussions, we extracted 10 themes. Most developers (i.e., 112 posts) asked how to encrypt/decrypt a piece of text or a file. The concern of security attacks against cryptography was observed only in two posts. We observe (i.e., 111 posts) that installation, compilation, and working with different versions of a crypto library form a barrier for developers to start with cryptography. In summary, our findings indicate that there are more than five themes of problems that involve the majority of the analyzed libraries and can provide assistance for professionals to prepare their team members by addressing problematic areas of crypto libraries beforehand. In future work, we plan to explore how similar APIs in popular crypto libraries are misunderstood and whether APIs whose complexity is higher than others create more problems or not.

The remainder of this paper is structured as follows. In section II, we explain the methodology of this study. We discuss our findings in section III and point out potential threats to the validity of this work in section IV. We discuss related work in section V, and we conclude this paper in section VI.

This paper is available on arxiv under CC BY 4.0 DEED license.