Understanding the origins of weak cryptographic algorithms used for signing android apps

Kanae Yoshida, Hironori Imai, Nana Serizawa, Tatsuya Mori, Akira Kanaoka

Research output: Contribution to journalArticlepeer-review

Abstract

Android applications are digitally signed using developers’ signing keys. Since each key is associated with a developer, it can be used to establish trust between applications published by the author, i.e., apps signed with the same key are allowed to update themselves if package names are identical, or access each other’s resources. However, if a signature is generated using a weak algorithm such as MD5, then apps signed with the corresponding key are exposed to several risks, such as hijacking apps with fake updates or granting permissions to a malicious app. In this work, we analyze several Android apps to identify the threats caused by using weak algorithms. Our study uncovered the following findings: Of the more than one million apps collected from Google Play, 223 and 52,866 were digitally signed using the weak algorithms of 512-bit RSA key and MD5, respectively. We identified the causal mechanisms for generating certificates that employ weak algorithms, and found that these mechanisms can be attributed to app-building frameworks and online app-building services. On the basis of these findings, we provide guidelines for stakeholders of the Android app distribution ecosystem.

Original languageEnglish
Pages (from-to)593-602
Number of pages10
JournalJournal of information processing
Volume27
DOIs
Publication statusPublished - 2019

Keywords

  • Android
  • Cryptographic algorithms
  • Digital signature
  • Security

ASJC Scopus subject areas

  • Computer Science(all)

Fingerprint Dive into the research topics of 'Understanding the origins of weak cryptographic algorithms used for signing android apps'. Together they form a unique fingerprint.

Cite this