Investigating weaknesses in Android certificate security

Daniel E. Krych, Stephen Lange-Maney, Patrick McDaniel, William Glodek

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

Android's application market relies on secure certificate generation to establish trust between applications and their users; yet cryptography is often not a priority for application developers, and many fail to take the necessary security precautions. Indeed, there is cause for concern: several recent high-profile studies have observed a pervasive lack of entropy on Web systems, leading to the factorization of private keys [1]. Sufficient entropy, or randomness, is essential to generate secure key pairs and combat predictable key generation. In this paper, we analyze the security of Android certificates. We investigate the entropy present in 550,000 Android application certificates using the quasilinear GCD-finding algorithm [1]. Our results show that while the lack of entropy does not appear to be as ubiquitous in the mobile markets as on Web systems, there is substantial reuse of certificates: only one third of the certificates in our dataset were unique. In other words, we find that organizations frequently reuse certificates for different applications. While such a practice is acceptable under Google's specifications for a single developer, we find that in some cases the same certificates are used by a myriad of developers, potentially compromising Android's intended trust relationships. Further, we observed duplicate certificates being used by both malicious and non-malicious applications. The top 3 repeated certificates in our dataset accounted for a total of 11,438 separate APKs. Of these applications, 451, or roughly 4%, were identified as malicious by antivirus services.
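The abstract's entropy check rests on the quasilinear (batch) GCD algorithm: instead of comparing every pair of RSA moduli, one multiplies all moduli into a product tree, walks a remainder tree back down, and obtains gcd(N_i, product of all other N_j) for every key in near-linear time. The following is an added example, not code from the paper or its dataset; the moduli are constructed from small primes that stand in for real 1024- or 2048-bit RSA primes, and the names `batch_gcd`, `naive_gcd` and `classify` are this example's own. It also shows how the same pass surfaces the abstract's second finding, a modulus that appears in more than one certificate, which the audit reports separately from a key that merely shares one prime with another.

```python
"""Batch (quasilinear) GCD over a set of RSA moduli, the technique used to
audit a key population for shared prime factors.  Added example with
constructed toy moduli; not the paper's code or data."""
from math import gcd, prod

# Constructed sample: small primes stand in for real RSA primes.
P1, P2, P3, P4, P5 = 10007, 10009, 10037, 10039, 10061
SAMPLE_MODULI = [
    P1 * P2,   # key A
    P2 * P3,   # key B: shares P2 with key A (weak randomness at key generation)
    P4 * P5,   # key C: independent, expected to come back clean
    P1 * P2,   # key D: byte-identical modulus to key A (certificate/key reuse)
]


def product_tree(nums):
    """Return the levels of a product tree, leaves first and root last."""
    tree = [list(nums)]
    while len(tree[-1]) > 1:
        level = tree[-1]
        tree.append([
            level[i] * level[i + 1] if i + 1 < len(level) else level[i]
            for i in range(0, len(level), 2)
        ])
    return tree


def batch_gcd(moduli):
    """For each N_i return gcd(N_i, prod_{j != i} N_j) via a remainder tree.

    With Z = prod of all moduli, Z mod N_i^2 equals N_i * (prod_{j != i} N_j mod N_i),
    so dividing by N_i and taking a gcd with N_i gives the batch result without
    ever forming the per-key product explicitly.
    """
    if not moduli:
        return []
    tree = product_tree(moduli)
    rems = [tree[-1][0]]                      # Z, the root of the product tree
    for level in reversed(tree[:-1]):
        # Each node's remainder is derived from its parent's: Z mod node^2.
        rems = [rems[i // 2] % (level[i] ** 2) for i in range(len(level))]
    return [gcd(r // n, n) for r, n in zip(rems, moduli)]


def naive_gcd(moduli):
    """Quadratic reference implementation used to cross-check batch_gcd."""
    return [
        gcd(n, prod(m for j, m in enumerate(moduli) if j != i))
        for i, n in enumerate(moduli)
    ]


def classify(moduli):
    """Label every modulus from its batch-GCD result.

    'clean'              no factor shared with any other key
    'shared-factor'      one prime shared; the key is factorable from the set
    'all-factors-shared' gcd equals N_i: an identical modulus elsewhere (reuse),
                         or both primes shared with different keys
    """
    labels = []
    for n, g in zip(moduli, batch_gcd(moduli)):
        if g == 1:
            labels.append("clean")
        elif g == n:
            labels.append("all-factors-shared")
        else:
            labels.append("shared-factor")
    return labels


if __name__ == "__main__":
    for n, g, label in zip(SAMPLE_MODULI, batch_gcd(SAMPLE_MODULI), classify(SAMPLE_MODULI)):
        print(f"N={n:<12} gcd-with-others={g:<12} {label}")
```

The quadratic `naive_gcd` exists only to validate the tree version on small inputs; on a corpus the size of the paper's (hundreds of thousands of moduli) the remainder tree is what makes the audit tractable, and a follow-up step would group the `all-factors-shared` results by certificate fingerprint to separate plain reuse from two keys that each leak one prime.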

Original language: English (US)
Title of host publication: Modeling and Simulation for Defense Systems and Applications X
Editors: Eric J. Kelmelis
Publisher: SPIE
ISBN (Electronic): 9781628415940
DOI: 10.1117/12.2177498
State: Published - Jan 1 2015
Event: Modeling and Simulation for Defense Systems and Applications X - Baltimore, United States
Duration: Apr 21 2015 → …

Publication series

Name: Proceedings of SPIE - The International Society for Optical Engineering
Volume: 9478
ISSN (Print): 0277-786X
ISSN (Electronic): 1996-756X

Other

Other: Modeling and Simulation for Defense Systems and Applications X
Country: United States
City: Baltimore
Period: 4/21/15 → …


All Science Journal Classification (ASJC) codes

  • Electronic, Optical and Magnetic Materials
  • Condensed Matter Physics
  • Computer Science Applications
  • Applied Mathematics
  • Electrical and Electronic Engineering

Cite this

Krych, D. E., Lange-Maney, S., McDaniel, P., & Glodek, W. (2015). Investigating weaknesses in Android certificate security. In E. J. Kelmelis (Ed.), Modeling and Simulation for Defense Systems and Applications X [947804] (Proceedings of SPIE - The International Society for Optical Engineering; Vol. 9478). SPIE. https://doi.org/10.1117/12.2177498
Krych, Daniel E. ; Lange-Maney, Stephen ; McDaniel, Patrick ; Glodek, William. / Investigating weaknesses in Android certificate security. Modeling and Simulation for Defense Systems and Applications X. editor / Eric J. Kelmelis. SPIE, 2015. (Proceedings of SPIE - The International Society for Optical Engineering).
@inproceedings{32f7d9141e8d42be8ed428c91c64b8d7,
title = "Investigating weaknesses in Android certificate security",
abstract = "Android's application market relies on secure certificate generation to establish trust between applications and their users; yet cryptography is often not a priority for application developers, and many fail to take the necessary security precautions. Indeed, there is cause for concern: several recent high-profile studies have observed a pervasive lack of entropy on Web systems, leading to the factorization of private keys [1]. Sufficient entropy, or randomness, is essential to generate secure key pairs and combat predictable key generation. In this paper, we analyze the security of Android certificates. We investigate the entropy present in 550,000 Android application certificates using the quasilinear GCD-finding algorithm [1]. Our results show that while the lack of entropy does not appear to be as ubiquitous in the mobile markets as on Web systems, there is substantial reuse of certificates: only one third of the certificates in our dataset were unique. In other words, we find that organizations frequently reuse certificates for different applications. While such a practice is acceptable under Google's specifications for a single developer, we find that in some cases the same certificates are used by a myriad of developers, potentially compromising Android's intended trust relationships. Further, we observed duplicate certificates being used by both malicious and non-malicious applications. The top 3 repeated certificates in our dataset accounted for a total of 11,438 separate APKs. Of these applications, 451, or roughly 4{\%}, were identified as malicious by antivirus services.",
author = "Krych, {Daniel E.} and Stephen Lange-Maney and Patrick McDaniel and William Glodek",
year = "2015",
month = "1",
day = "1",
doi = "10.1117/12.2177498",
language = "English (US)",
series = "Proceedings of SPIE - The International Society for Optical Engineering",
publisher = "SPIE",
editor = "Kelmelis, {Eric J.}",
booktitle = "Modeling and Simulation for Defense Systems and Applications X",
address = "United States",

}

Krych, DE, Lange-Maney, S, McDaniel, P & Glodek, W 2015, Investigating weaknesses in Android certificate security. in EJ Kelmelis (ed.), Modeling and Simulation for Defense Systems and Applications X., 947804, Proceedings of SPIE - The International Society for Optical Engineering, vol. 9478, SPIE, Modeling and Simulation for Defense Systems and Applications X, Baltimore, United States, 4/21/15. https://doi.org/10.1117/12.2177498

Investigating weaknesses in Android certificate security. / Krych, Daniel E.; Lange-Maney, Stephen; McDaniel, Patrick; Glodek, William.

Modeling and Simulation for Defense Systems and Applications X. ed. / Eric J. Kelmelis. SPIE, 2015. 947804 (Proceedings of SPIE - The International Society for Optical Engineering; Vol. 9478).


TY - GEN

T1 - Investigating weaknesses in Android certificate security

AU - Krych, Daniel E.

AU - Lange-Maney, Stephen

AU - McDaniel, Patrick

AU - Glodek, William

PY - 2015/1/1

Y1 - 2015/1/1

AB - Android's application market relies on secure certificate generation to establish trust between applications and their users; yet cryptography is often not a priority for application developers, and many fail to take the necessary security precautions. Indeed, there is cause for concern: several recent high-profile studies have observed a pervasive lack of entropy on Web systems, leading to the factorization of private keys [1]. Sufficient entropy, or randomness, is essential to generate secure key pairs and combat predictable key generation. In this paper, we analyze the security of Android certificates. We investigate the entropy present in 550,000 Android application certificates using the quasilinear GCD-finding algorithm [1]. Our results show that while the lack of entropy does not appear to be as ubiquitous in the mobile markets as on Web systems, there is substantial reuse of certificates: only one third of the certificates in our dataset were unique. In other words, we find that organizations frequently reuse certificates for different applications. While such a practice is acceptable under Google's specifications for a single developer, we find that in some cases the same certificates are used by a myriad of developers, potentially compromising Android's intended trust relationships. Further, we observed duplicate certificates being used by both malicious and non-malicious applications. The top 3 repeated certificates in our dataset accounted for a total of 11,438 separate APKs. Of these applications, 451, or roughly 4%, were identified as malicious by antivirus services.

UR - http://www.scopus.com/inward/record.url?scp=84943527915&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=84943527915&partnerID=8YFLogxK

U2 - 10.1117/12.2177498

DO - 10.1117/12.2177498

M3 - Conference contribution

AN - SCOPUS:84943527915

T3 - Proceedings of SPIE - The International Society for Optical Engineering

BT - Modeling and Simulation for Defense Systems and Applications X

A2 - Kelmelis, Eric J.

PB - SPIE

ER -

Krych DE, Lange-Maney S, McDaniel P, Glodek W. Investigating weaknesses in Android certificate security. In Kelmelis EJ, editor, Modeling and Simulation for Defense Systems and Applications X. SPIE. 2015. 947804. (Proceedings of SPIE - The International Society for Optical Engineering). https://doi.org/10.1117/12.2177498