Understanding the Origins of Weak Cryptographic Algorithms Used for Signing Android Apps

Kanae Yoshida, Hironori Imai, Nana Serizawa, Tatsuya Mori, Akira Kanaoka

    Research output: Chapter in Book/Report/Conference proceedingConference contribution

    Abstract

    Android applications are digitally signed using developers' signing keys. As each key is associated with a developer, it can be used to establish trust between applications published by the author (that is, apps signed with the same key are allowed to update themselves if package names are identical, or access each other's resources). However, if a digital signature is generated using a weak algorithm such as MD5, then apps signed with the corresponding key are exposed to several risks (such as hijacking apps with fake updates or granting permissions to a malicious app). In this work, we analyze several Android apps to identify the threats caused using weak algorithms. Our study uncovered the following findings: Of the more than one million apps collected from Google Play, 223 and 52,866 were digitally signed using the weak algorithms of 512-bit RSA key and MD5, respectively. We identified the causal mechanisms of generating certificates that employ weak algorithms, and that they can be attributed to app-building frameworks and online app-building services. Based on these findings, we provide guidelines for stakeholders of the Android app distribution ecosystem.

    Original languageEnglish
    Title of host publicationProceedings - 2018 IEEE 42nd Annual Computer Software and Applications Conference, COMPSAC 2018
    EditorsClaudio Demartini, Sorel Reisman, Ling Liu, Edmundo Tovar, Hiroki Takakura, Ji-Jiang Yang, Chung-Horng Lung, Sheikh Iqbal Ahamed, Kamrul Hasan, Thomas Conte, Motonori Nakamura, Zhiyong Zhang, Toyokazu Akiyama, William Claycomb, Stelvio Cimato
    PublisherIEEE Computer Society
    Pages713-718
    Number of pages6
    Volume2
    ISBN (Electronic)9781538626665
    DOIs
    Publication statusPublished - 2018 Jun 8
    Event42nd IEEE Computer Software and Applications Conference, COMPSAC 2018 - Tokyo, Japan
    Duration: 2018 Jul 232018 Jul 27

    Other

    Other42nd IEEE Computer Software and Applications Conference, COMPSAC 2018
    CountryJapan
    CityTokyo
    Period18/7/2318/7/27

    Fingerprint

    Application programs
    Android (operating system)
    Electronic document identification systems
    Ecosystems

    Keywords

    • Android
    • Code Signing
    • Cryptographic Algorithms
    • Digital Signature

    ASJC Scopus subject areas

    • Software
    • Computer Science Applications

    Cite this

    Yoshida, K., Imai, H., Serizawa, N., Mori, T., & Kanaoka, A. (2018). Understanding the Origins of Weak Cryptographic Algorithms Used for Signing Android Apps. In C. Demartini, S. Reisman, L. Liu, E. Tovar, H. Takakura, J-J. Yang, C-H. Lung, S. I. Ahamed, K. Hasan, T. Conte, M. Nakamura, Z. Zhang, T. Akiyama, W. Claycomb, ... S. Cimato (Eds.), Proceedings - 2018 IEEE 42nd Annual Computer Software and Applications Conference, COMPSAC 2018 (Vol. 2, pp. 713-718). [8377952] IEEE Computer Society. https://doi.org/10.1109/COMPSAC.2018.10324

    Understanding the Origins of Weak Cryptographic Algorithms Used for Signing Android Apps. / Yoshida, Kanae; Imai, Hironori; Serizawa, Nana; Mori, Tatsuya; Kanaoka, Akira.

    Proceedings - 2018 IEEE 42nd Annual Computer Software and Applications Conference, COMPSAC 2018. ed. / Claudio Demartini; Sorel Reisman; Ling Liu; Edmundo Tovar; Hiroki Takakura; Ji-Jiang Yang; Chung-Horng Lung; Sheikh Iqbal Ahamed; Kamrul Hasan; Thomas Conte; Motonori Nakamura; Zhiyong Zhang; Toyokazu Akiyama; William Claycomb; Stelvio Cimato. Vol. 2 IEEE Computer Society, 2018. p. 713-718 8377952.

    Research output: Chapter in Book/Report/Conference proceedingConference contribution

    Yoshida, K, Imai, H, Serizawa, N, Mori, T & Kanaoka, A 2018, Understanding the Origins of Weak Cryptographic Algorithms Used for Signing Android Apps. in C Demartini, S Reisman, L Liu, E Tovar, H Takakura, J-J Yang, C-H Lung, SI Ahamed, K Hasan, T Conte, M Nakamura, Z Zhang, T Akiyama, W Claycomb & S Cimato (eds), Proceedings - 2018 IEEE 42nd Annual Computer Software and Applications Conference, COMPSAC 2018. vol. 2, 8377952, IEEE Computer Society, pp. 713-718, 42nd IEEE Computer Software and Applications Conference, COMPSAC 2018, Tokyo, Japan, 18/7/23. https://doi.org/10.1109/COMPSAC.2018.10324
    Yoshida K, Imai H, Serizawa N, Mori T, Kanaoka A. Understanding the Origins of Weak Cryptographic Algorithms Used for Signing Android Apps. In Demartini C, Reisman S, Liu L, Tovar E, Takakura H, Yang J-J, Lung C-H, Ahamed SI, Hasan K, Conte T, Nakamura M, Zhang Z, Akiyama T, Claycomb W, Cimato S, editors, Proceedings - 2018 IEEE 42nd Annual Computer Software and Applications Conference, COMPSAC 2018. Vol. 2. IEEE Computer Society. 2018. p. 713-718. 8377952 https://doi.org/10.1109/COMPSAC.2018.10324
    Yoshida, Kanae ; Imai, Hironori ; Serizawa, Nana ; Mori, Tatsuya ; Kanaoka, Akira. / Understanding the Origins of Weak Cryptographic Algorithms Used for Signing Android Apps. Proceedings - 2018 IEEE 42nd Annual Computer Software and Applications Conference, COMPSAC 2018. editor / Claudio Demartini ; Sorel Reisman ; Ling Liu ; Edmundo Tovar ; Hiroki Takakura ; Ji-Jiang Yang ; Chung-Horng Lung ; Sheikh Iqbal Ahamed ; Kamrul Hasan ; Thomas Conte ; Motonori Nakamura ; Zhiyong Zhang ; Toyokazu Akiyama ; William Claycomb ; Stelvio Cimato. Vol. 2 IEEE Computer Society, 2018. pp. 713-718
    @inproceedings{919438b2e83846c2bf8214752c8b4da7,
    title = "Understanding the Origins of Weak Cryptographic Algorithms Used for Signing Android Apps",
    abstract = "Android applications are digitally signed using developers' signing keys. As each key is associated with a developer, it can be used to establish trust between applications published by the author (that is, apps signed with the same key are allowed to update themselves if package names are identical, or access each other's resources). However, if a digital signature is generated using a weak algorithm such as MD5, then apps signed with the corresponding key are exposed to several risks (such as hijacking apps with fake updates or granting permissions to a malicious app). In this work, we analyze several Android apps to identify the threats caused using weak algorithms. Our study uncovered the following findings: Of the more than one million apps collected from Google Play, 223 and 52,866 were digitally signed using the weak algorithms of 512-bit RSA key and MD5, respectively. We identified the causal mechanisms of generating certificates that employ weak algorithms, and that they can be attributed to app-building frameworks and online app-building services. Based on these findings, we provide guidelines for stakeholders of the Android app distribution ecosystem.",
    keywords = "Android, Code Signing, Cryptographic Algorithms, Digital Signature",
    author = "Kanae Yoshida and Hironori Imai and Nana Serizawa and Tatsuya Mori and Akira Kanaoka",
    year = "2018",
    month = "6",
    day = "8",
    doi = "10.1109/COMPSAC.2018.10324",
    language = "English",
    volume = "2",
    pages = "713--718",
    editor = "Claudio Demartini and Sorel Reisman and Ling Liu and Edmundo Tovar and Hiroki Takakura and Ji-Jiang Yang and Chung-Horng Lung and Ahamed, {Sheikh Iqbal} and Kamrul Hasan and Thomas Conte and Motonori Nakamura and Zhiyong Zhang and Toyokazu Akiyama and William Claycomb and Stelvio Cimato",
    booktitle = "Proceedings - 2018 IEEE 42nd Annual Computer Software and Applications Conference, COMPSAC 2018",
    publisher = "IEEE Computer Society",

    }

    TY - GEN

    T1 - Understanding the Origins of Weak Cryptographic Algorithms Used for Signing Android Apps

    AU - Yoshida, Kanae

    AU - Imai, Hironori

    AU - Serizawa, Nana

    AU - Mori, Tatsuya

    AU - Kanaoka, Akira

    PY - 2018/6/8

    Y1 - 2018/6/8

    N2 - Android applications are digitally signed using developers' signing keys. As each key is associated with a developer, it can be used to establish trust between applications published by the author (that is, apps signed with the same key are allowed to update themselves if package names are identical, or access each other's resources). However, if a digital signature is generated using a weak algorithm such as MD5, then apps signed with the corresponding key are exposed to several risks (such as hijacking apps with fake updates or granting permissions to a malicious app). In this work, we analyze several Android apps to identify the threats caused using weak algorithms. Our study uncovered the following findings: Of the more than one million apps collected from Google Play, 223 and 52,866 were digitally signed using the weak algorithms of 512-bit RSA key and MD5, respectively. We identified the causal mechanisms of generating certificates that employ weak algorithms, and that they can be attributed to app-building frameworks and online app-building services. Based on these findings, we provide guidelines for stakeholders of the Android app distribution ecosystem.

    AB - Android applications are digitally signed using developers' signing keys. As each key is associated with a developer, it can be used to establish trust between applications published by the author (that is, apps signed with the same key are allowed to update themselves if package names are identical, or access each other's resources). However, if a digital signature is generated using a weak algorithm such as MD5, then apps signed with the corresponding key are exposed to several risks (such as hijacking apps with fake updates or granting permissions to a malicious app). In this work, we analyze several Android apps to identify the threats caused using weak algorithms. Our study uncovered the following findings: Of the more than one million apps collected from Google Play, 223 and 52,866 were digitally signed using the weak algorithms of 512-bit RSA key and MD5, respectively. We identified the causal mechanisms of generating certificates that employ weak algorithms, and that they can be attributed to app-building frameworks and online app-building services. Based on these findings, we provide guidelines for stakeholders of the Android app distribution ecosystem.

    KW - Android

    KW - Code Signing

    KW - Cryptographic Algorithms

    KW - Digital Signature

    UR - http://www.scopus.com/inward/record.url?scp=85055482404&partnerID=8YFLogxK

    UR - http://www.scopus.com/inward/citedby.url?scp=85055482404&partnerID=8YFLogxK

    U2 - 10.1109/COMPSAC.2018.10324

    DO - 10.1109/COMPSAC.2018.10324

    M3 - Conference contribution

    AN - SCOPUS:85055482404

    VL - 2

    SP - 713

    EP - 718

    BT - Proceedings - 2018 IEEE 42nd Annual Computer Software and Applications Conference, COMPSAC 2018

    A2 - Demartini, Claudio

    A2 - Reisman, Sorel

    A2 - Liu, Ling

    A2 - Tovar, Edmundo

    A2 - Takakura, Hiroki

    A2 - Yang, Ji-Jiang

    A2 - Lung, Chung-Horng

    A2 - Ahamed, Sheikh Iqbal

    A2 - Hasan, Kamrul

    A2 - Conte, Thomas

    A2 - Nakamura, Motonori

    A2 - Zhang, Zhiyong

    A2 - Akiyama, Toyokazu

    A2 - Claycomb, William

    A2 - Cimato, Stelvio

    PB - IEEE Computer Society

    ER -