Certificate Reuse in Android Applications

The widespread adoption of Android apps has led to increasing concerns about the concept of '' recycled trust '' derived from the reuse of digital certificates. Android app developers frequently depend on digital certificates to sign their applications, and users place their trust in an app when they recognize the owner provided by the same certificate. Although the presence of cryptographic misuse has been acknowledged by several studies, its extent and characteristics are not well understood. In this work, we perform a large-scale analysis of certificate reuse across the Android ecosystem and malware binaries on a collection of over 19 million certificates and over 9 million keys extracted from PE files and Android applications collected over several years. Our results reveal that despite the growing nature of the Android ecosystem, the misuse of cryptographic elements is common and persistent. Our findings uncover several issues and enable us to provide a series of applicable solutions to the seen security flaws.