TY - GEN
T1 - Understanding the Origins of Weak Cryptographic Algorithms Used for Signing Android Apps
AU - Yoshida, Kanae
AU - Imai, Hironori
AU - Serizawa, Nana
AU - Mori, Tatsuya
AU - Kanaoka, Akira
N1 - Funding Information:
A part of this work was supported by JSPS Grant-in-Aid for Scientific Research B, Grant Number JP16H02813 and JP16H02832 .
Publisher Copyright:
© 2018 IEEE.
PY - 2018/6/8
Y1 - 2018/6/8
N2 - Android applications are digitally signed using developers' signing keys. As each key is associated with a developer, it can be used to establish trust between applications published by the author (that is, apps signed with the same key are allowed to update themselves if package names are identical, or access each other's resources). However, if a digital signature is generated using a weak algorithm such as MD5, then apps signed with the corresponding key are exposed to several risks (such as hijacking apps with fake updates or granting permissions to a malicious app). In this work, we analyze several Android apps to identify the threats caused using weak algorithms. Our study uncovered the following findings: Of the more than one million apps collected from Google Play, 223 and 52,866 were digitally signed using the weak algorithms of 512-bit RSA key and MD5, respectively. We identified the causal mechanisms of generating certificates that employ weak algorithms, and that they can be attributed to app-building frameworks and online app-building services. Based on these findings, we provide guidelines for stakeholders of the Android app distribution ecosystem.
AB - Android applications are digitally signed using developers' signing keys. As each key is associated with a developer, it can be used to establish trust between applications published by the author (that is, apps signed with the same key are allowed to update themselves if package names are identical, or access each other's resources). However, if a digital signature is generated using a weak algorithm such as MD5, then apps signed with the corresponding key are exposed to several risks (such as hijacking apps with fake updates or granting permissions to a malicious app). In this work, we analyze several Android apps to identify the threats caused using weak algorithms. Our study uncovered the following findings: Of the more than one million apps collected from Google Play, 223 and 52,866 were digitally signed using the weak algorithms of 512-bit RSA key and MD5, respectively. We identified the causal mechanisms of generating certificates that employ weak algorithms, and that they can be attributed to app-building frameworks and online app-building services. Based on these findings, we provide guidelines for stakeholders of the Android app distribution ecosystem.
KW - Android
KW - Code Signing
KW - Cryptographic Algorithms
KW - Digital Signature
UR - http://www.scopus.com/inward/record.url?scp=85055482404&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85055482404&partnerID=8YFLogxK
U2 - 10.1109/COMPSAC.2018.10324
DO - 10.1109/COMPSAC.2018.10324
M3 - Conference contribution
AN - SCOPUS:85055482404
T3 - Proceedings - International Computer Software and Applications Conference
SP - 713
EP - 718
BT - Proceedings - 2018 IEEE 42nd Annual Computer Software and Applications Conference, COMPSAC 2018
A2 - Demartini, Claudio
A2 - Reisman, Sorel
A2 - Liu, Ling
A2 - Tovar, Edmundo
A2 - Takakura, Hiroki
A2 - Yang, Ji-Jiang
A2 - Lung, Chung-Horng
A2 - Ahamed, Sheikh Iqbal
A2 - Hasan, Kamrul
A2 - Conte, Thomas
A2 - Nakamura, Motonori
A2 - Zhang, Zhiyong
A2 - Akiyama, Toyokazu
A2 - Claycomb, William
A2 - Cimato, Stelvio
PB - IEEE Computer Society
T2 - 42nd IEEE Computer Software and Applications Conference, COMPSAC 2018
Y2 - 23 July 2018 through 27 July 2018
ER -