๐ค AI Summary
This work addresses the widespread misuse of cryptography in embodied AI mobile applications, which poses a critical security threat to cyber-physical systems. The authors construct EAIAppZoo, a benchmark dataset comprising 507 real-world applications, and propose a semantic-aware automated analysis approach to systematically uncover structural security trade-offs in the control layer driven by engineering constraintsโsuch as latency sensitivity, offline device pairing, and legacy IoT SDKs. Through large-scale static analysis and reverse engineering, they identify five prevalent misuse patterns, detect 12,975 high-confidence vulnerability instances (with 80.74% precision), and empirically demonstrate that adversaries can exploit these flaws to bypass security mechanisms and hijack physical control channels.
๐ Abstract
Embodied AI (EAI) mobile applications are evolving from auxiliary user interfaces into active control-path components, directly linking mobile-side cryptographic security to cyber-physical trust. Despite this shift, existing security research predominantly focuses on embodied AI devices and cloud infrastructures, leaving the mobile control layer largely unexplored as a critical attack surface. To bridge this gap, we present the first large-scale measurement study of cryptographic misuse within the EAI mobile ecosystem. We construct EAIAppZoo, a benchmark of 507 real-world applications across six EAI domains, and employ an automated semantic-aware analysis pipeline to measure the prevalence and characteristics of five major cryptographic failure modes. Our measurement yields 12,975 misuse findings (with an evaluated precision of 80.74\%), revealing that these cryptographic failures are driven by EAI-specific engineering constraints rather than random developer errors. We uncover structural security trade-offs: latency-sensitive control paths systematically weaken transport protection, while the heavy reliance on offline device provisioning and legacy IoT SDKs exacerbates the local hardcoding of authentication credentials. Through real-world case studies, we demonstrate how these mobile-side cryptographic flaws bypass nominal network protections, enabling adversaries to intercept command channels and hijack the physical control of EAI entities. Ultimately, our findings highlight that mobile applications have become a fragile, yet overlooked, cryptographic trust boundary in cyber-physical systems.