Papers
Topics
Authors
Recent
Search
2000 character limit reached

A Longitudinal Study of Android Apps Signing Key Protection

Published 19 Jun 2026 in cs.CR and cs.SE | (2606.21487v1)

Abstract: Android app signing relies on developer-managed credentials, making secure key protection essential for the integrity of the software supply chain. A recent platform key leakage incident involving two major OEM manufacturers demonstrates that even robustly designed signing mechanisms can be compromised due to developers' oversight. In this work, we conduct a longitudinal ecosystem study to characterize this threat by mining public repositories for Android signing credentials, recovering compromised keys via exposed passwords, and matching them against signatures from over 4,000 apps collected from major stores and OEM system images. Our analysis identifies 5,673 compromised keystores on GitHub and 26 unique certificates linked to 278 real-world apps. These include 26 third-party apps in public app stores and 252 preinstalled apps from seven manufacturers, collectively affecting over 10 billion users. We demonstrate the practical exploitability of these leaks through a proof-of-concept app replacement attack and identify spillover risks in non-smartphone platforms, including a popular automotive head-unit platform installed in over 1,100 vehicle models. Our results reveal that signing-key mismanagement is a systemic risk, underscoring the need for a more rigorous key-management support in Android release engineering and distribution infrastructures.

Summary

  • The paper presents the first comprehensive longitudinal analysis of Android app signing key management, uncovering widespread operational failures leading to key exposure.
  • It employs a multi-stage methodology combining repository mining, password recovery, and signature matching to link leaked keys with vulnerable apps across consumer and automotive platforms.
  • Findings demonstrate that trivial password reuse and poor key custody practices enable severe exploit risks, including malicious updates and privilege escalation.

Longitudinal Analysis of Android App Signing Key Compromises

Introduction and Motivation

The paper "A Longitudinal Study of Android Apps Signing Key Protection" (2606.21487) systematically investigates operational failures in Android app signing key management, focusing on their prevalence, exploitability, and ecosystem impact. While cryptographic primitives in the Android signing architecture are robust, breakdowns occur at the developer and OEM operational layers. Android app signing keys, embedded in keystore files with passwords typically referenced in build configuration artifacts, must be kept secret for decades due to signature continuity requirements. Key exposures enable adversaries to re-sign arbitrary app packages, facilitating persistent privilege escalation, malware distribution under legitimate brands, and subversion of critical trust relationships—including in highly privileged OEM/system applications.

Android App Signing and Threat Model

Android enforces a signature-based trust model, where signature continuity authorizes app updates and mediates privileged permission delegation and inter-app collaboration. Figure 1

Figure 1: The role of app signing in the life cycle of an Android app.

Developers generate asymmetric key pairs, storing private keys in Java keystores protected by passwords. These credentials are referenced in build configuration files (e.g., build.gradle). If either the keystore or its password is recorded insecurely, and these artifacts leak into public version control, the signing identity is irreversibly compromised. The threat model does not center on cryptographic flaws but on operational leaks in real-world developer practices.

Methodology: Ecosystem-scale Key and Signature Correlation

The study implements a longitudinal, three-stage empirical pipeline:

  • Repository Mining: Large-scale, incremental crawling of GitHub for Android projects containing .jks/.keystore files, with associated configuration files and password candidates.
  • Password Recovery and Validation: Automated extraction of plaintext keystore and key passwords from build artifacts; programmatic decryption and inventory of all recoverable private keys.
  • Signature Matching: Extraction of developer certificate fingerprints from both store-distributed APKs (acquired via APKPure, Wandoujia, and OEM vendor stores) and pre-installed firmware images from 11 different manufacturers representing 87%+ market share.
  • Exploitability Validation: Proof-of-concept attacks, including signature-forged update installation and privileged code injection, to demonstrate practical risk. Figure 2

    Figure 2: Overview of our methodology, including repository-side compromise identification, ecosystem-side signature matching, and exploit deployment.

Key Findings

Prevalence and Nature of Key Leaks

The collection identifies 5,673 unique, valid Android signing keystores on public GitHub repositories, representing hundreds of individual developer or vendor identities. Among these, 26 unique certificates are found to be practically compromised due to co-leakage of passwords, making key material immediately extractable. Analysis of leaked passwords indicates significant reuse and extreme weakness—passwords such as "android", "password", and "123456" dominate. Figure 3

Figure 3

Figure 3: Word cloud representation showing the most common keystore passwords exposed in public repositories.

Figure 4

Figure 4

Figure 4: Word cloud representation of the most frequent signing key passwords found exposed.

Impact on Real-World Applications

Signature-matching reveals that these compromised credentials have been used to sign 278 real-world apps: 26 are third-party applications with billions of aggregated downloads, while 252 are OEM/system or pre-installed apps from 7 manufacturers. Critically, some compromised keys are used across both public app store releases and in firmware images for privileged system components.

Degree and Scope of Exploitable Risk

The impact is notably severe for OEM-preinstalled apps, especially those installed as "system" or "privileged" apps on devices by major manufacturers. Such apps are exempt from many runtime permission checks and can abuse device-wide privileges. Leakage of AOSP testing keys and their reuse as production signing credentials by device vendors further escalates the risk, as these key pairs are public and trivial for attackers to obtain.

Exploit Techniques

The paper details two robust exploitation primitives:

  • Permission Conflict/Device DoS: Repackaging a privileged system app with altered manifest permissions using a leaked key triggers an unrecoverable system boot loop due to permission allowlisting mismatches. Figure 5

Figure 5

Figure 5: The process of (a) creating permission conflict and (b) injecting malicious DEX.

Figure 6

Figure 6: The process of creating permission conflict in system apps via privilege escalation.

  • Malware Injection: Insertion of malicious DEX payloads (keylogger/storage exfiltration) into privileged apps, re-signed with leaked credentials, enables persistence and stealthy deployment on user devices. The exploit leverages Android’s dynamic class loading, making malicious updates indistinguishable from legitimate developer releases. Figure 7

    Figure 7: The process of injecting malicious DEX into victim apps, with illustrative proof-of-concept exploit.

An explicit proof-of-concept is demonstrated: a malicious variant of the Baidu input method (preinstalled and store-distributed) logs user keystrokes and exfiltrates sensitive data, with the only deployment requirement being the compromised signing key.

Spillover Into Non-Smartphone Platforms

The analysis detects key leaks affecting Baidu CarLife+, an automotive head-unit platform deployed in over 1,100 vehicle models, via compromise of keystore files in GitHub repositories. The attacker can deliver forged head unit apps (or colluding mobile apps) that could escalate to in-vehicle denial of service, user tracking, and more severe hazards in the automotive threat landscape. Figure 8

Figure 8: An illustrated attack to hijack the automotive head unit in the vehicle through the victim's smartphone after the private key being compromised.

Theoretical and Practical Implications

The results make several bold claims:

  • Developer/OEM-side signing key mismanagement is systemic, not exceptional, with empirical evidence of supply chain risk spanning both mainstream and alternative app markets.
  • Remediation is exceptionally difficult: the 25-year key lifetime stipulated by Android platform requirements renders credential revocation or rotation infeasible for apps with established user bases or preinstalled system images.
  • "By-design" exposure of AOSP test keys as production credentials by multiple OEMs undermines the foundational security model for privileged code on user devices, with no short-term technical mitigation.
  • The Android ecosystem's openness, alternative market prevalence, and third-party vendor supply chains (including vehicle and IoT platforms) vastly amplify potential impact relative to more centrally managed mobile OSs.

In practice, attackers do not require advanced technical capabilities—accessing public repositories and trivial password extraction suffices for weaponization.

Recommendations and Future Directions

The study underscores the necessity for radical improvement in app signing key custody:

  • Adoption of Hardware-Backed or Managed Key Signing (e.g., Google Play App Signing): By shifting key storage and signing off developer endpoints, operational leak vectors can be closed.
  • Elimination of Passwords in Repository-Accessible Artifacts: Keys and passwords must never co-reside in version control.
  • OEM Prohibitions on AOSP Testing Key Usage: Production firmware and privileged apps must be uniquely signed with per-vendor secrets, never with canonical AOSP developer keys.

Potential directions for the software supply chain include stronger ecosystem attestation, enforcement of limited credential lifetime, and industry-wide scan-and-notify efforts for repository-exposed credentials.

Conclusion

This paper provides the most comprehensive, longitudinal measurement of Android app signing credential exposure to date. It reveals that developer and OEM operational lapses are widespread and that the implications extend well beyond conventional apps to system-critical and cross-vertical deployments, including the automotive sector. The exploitability demonstrated emphasizes the urgent need for defensive innovation in credential management—in both tooling and ecosystem governance—lest Android’s signature-based trust model become a liability at supply chain scale.

Paper to Video (Beta)

No one has generated a video about this paper yet.

Whiteboard

No one has generated a whiteboard explanation for this paper yet.

Open Problems

We haven't generated a list of open problems mentioned in this paper yet.

Collections

Sign up for free to add this paper to one or more collections.