🤖 AI Summary
This study addresses the critical threat posed by the frequent leakage of Android application signing keys due to poor developer key management, which severely compromises software supply chain security. Conducting the first systematic longitudinal ecosystem analysis, the authors combine large-scale code repository mining, cryptographic key recovery, certificate matching, and proof-of-concept repackaging attacks to identify 5,673 GitHub repositories containing leaked signing keys, linked to 278 real-world applications affecting over 10 billion users. By further correlating these findings with more than 4,000 applications from major app stores and OEM system images, the research demonstrates the widespread prevalence and exploitability of mismanaged keys across diverse platforms—including smartphones and in-vehicle systems—and empirically validates tangible security risks on 1,100 vehicle models.
📝 Abstract
Android app signing relies on developer-managed credentials, making secure key protection essential for the integrity of the software supply chain. A recent platform key leakage incident involving two major OEM manufacturers demonstrates that even robustly designed signing mechanisms can be compromised due to developers' oversight. In this work, we conduct a longitudinal ecosystem study to characterize this threat by mining public repositories for Android signing credentials, recovering compromised keys via exposed passwords, and matching them against signatures from over 4,000 apps collected from major stores and OEM system images. Our analysis identifies 5,673 compromised keystores on GitHub and 26 unique certificates linked to 278 real-world apps. These include 26 third-party apps in public app stores and 252 preinstalled apps from seven manufacturers, collectively affecting over 10 billion users. We demonstrate the practical exploitability of these leaks through a proof-of-concept app replacement attack and identify spillover risks in non-smartphone platforms, including a popular automotive head-unit platform installed in over 1,100 vehicle models. Our results reveal that signing-key mismanagement is a systemic risk, underscoring the need for a more rigorous key-management support in Android release engineering and distribution infrastructures.