Understanding the Origins of Weak Cryptographic Algorithms Used for Signing Android Apps

Kanae Yoshida, Hironori Imai, Nana Serizawa, Tatsuya Mori, Akira Kanaoka

Research output: Chapter in Book/Report/Conference proceedingConference contribution

Abstract

Android applications are digitally signed using developers' signing keys. As each key is associated with a developer, it can be used to establish trust between applications published by the author (that is, apps signed with the same key are allowed to update themselves if package names are identical, or access each other's resources). However, if a digital signature is generated using a weak algorithm such as MD5, then apps signed with the corresponding key are exposed to several risks (such as hijacking apps with fake updates or granting permissions to a malicious app). In this work, we analyze several Android apps to identify the threats caused using weak algorithms. Our study uncovered the following findings: Of the more than one million apps collected from Google Play, 223 and 52,866 were digitally signed using the weak algorithms of 512-bit RSA key and MD5, respectively. We identified the causal mechanisms of generating certificates that employ weak algorithms, and that they can be attributed to app-building frameworks and online app-building services. Based on these findings, we provide guidelines for stakeholders of the Android app distribution ecosystem.

Original languageEnglish
Title of host publicationProceedings - 2018 IEEE 42nd Annual Computer Software and Applications Conference, COMPSAC 2018
EditorsClaudio Demartini, Sorel Reisman, Ling Liu, Edmundo Tovar, Hiroki Takakura, Ji-Jiang Yang, Chung-Horng Lung, Sheikh Iqbal Ahamed, Kamrul Hasan, Thomas Conte, Motonori Nakamura, Zhiyong Zhang, Toyokazu Akiyama, William Claycomb, Stelvio Cimato
PublisherIEEE Computer Society
Pages713-718
Number of pages6
ISBN (Electronic)9781538626665
DOIs
Publication statusPublished - 2018 Jun 8
Event42nd IEEE Computer Software and Applications Conference, COMPSAC 2018 - Tokyo, Japan
Duration: 2018 Jul 232018 Jul 27

Publication series

NameProceedings - International Computer Software and Applications Conference
Volume2
ISSN (Print)0730-3157

Other

Other42nd IEEE Computer Software and Applications Conference, COMPSAC 2018
Country/TerritoryJapan
CityTokyo
Period18/7/2318/7/27

Keywords

  • Android
  • Code Signing
  • Cryptographic Algorithms
  • Digital Signature

ASJC Scopus subject areas

  • Software
  • Computer Science Applications

Fingerprint

Dive into the research topics of 'Understanding the Origins of Weak Cryptographic Algorithms Used for Signing Android Apps'. Together they form a unique fingerprint.

Cite this