A Tangled Mass: The Android Root Certificate Stores
Title | A Tangled Mass: The Android Root Certificate Stores |
Publication Type | Conference Paper |
Year of Publication | 2014 |
Authors | Vallina-Rodriguez, N., Amann J., Kreibich C., Weaver N., & Paxson V. |
Other Numbers | 3736 |
Abstract | The security of today's Web rests in part on the set of X.509 certificate authorities trusted by each user's browser. Users generally do not themselves configure their browser's root store but instead rely upon decisions made by the suppliers of either the browsers or the devices upon which they run. In this work we explore the nature and implications of these trust decisions for Android users. Drawing upon datasets collected by Netalyzr for Android and ICSI's Certificate Notary, we characterize the certificate root store population present in mobile devices in the wild. Motivated by concerns that bloated root stores increase the attack surface of mobile users, we report on the interplay of certificate sets deployed by the device manufacturers, mobile operators, and the Android OS. We identify certificates installed exclusively by apps on rooted devices, thus breaking the audited and supervised root store model, and also discover use of TLS interception via HTTPS proxies employed by a market research company. |
Acknowledgment | We are deeply grateful to Netalyzr's many users for making this study possible, and also for their helpful feedback. We would like to thank the anonymous reviewers for their valuable comments. This work was partially supported by funding provided to ICSI through National Science Foundation grants CNS : 1213157 (User-Centric Network Measurement), CNS : 1237265 ("Beyond Technical Security: Developing an Empirical Basis for Socio-Economic Perspectives"), and CNS : 0831535 ("Comprehensive Application Analysis and Control"), and by the DHS Directorate of Science and Technology through grant N66001-12-C-0128. We also wish to thank Amazon, Comcast, and Google for their generous support. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the authors or originators and do not necessarily reflect the views of the National Science Foundation. |
URL | https://www.icsi.berkeley.edu/pubs/networking/tangledmass14.pdf |
Bibliographic Notes | Proceedings of the 10th International Conference on emerging Networking EXperiments and Technologies (CoNEXT), Sydney, Australia |
Abbreviated Authors | N. Vallina-Rodriguez, J. Amann, C. Kreibich, N. Weaver, and V. Paxson |
ICSI Research Group | Networking and Security |
ICSI Publication Type | Article in conference proceedings |