The widespread adoption of Transport Layer Security (TLS) relies on rigorous certificate verification, but our large-scale analysis reveals shocking security issues in the root certificates themselves and their configuration that undermine TLS authentication guarantees. This paper uncovers security issues at two distinct levels: (1) The default root certificate list on platforms ranging from Android 7 to 14 and HarmonyOS 3.0 to 5.0 contains non-compliant root certificates, such as those associated with critical CVE vulnerability, certificates expired for over four years, and those using weak cryptography algorithm. Overall, HarmonyOS 5.0 performs best, followed by Android 14. (2) We carefully select 1246 popular apps to view their actual usage of custom root certificates. 42% of them have configuration issues with custom implementations, and some even enable HTTP communication, which indicates that while customizing root certificates provides convenience to users, it also introduces security risks. Finally, we evaluate the priority of root certificates from different sources to help users better understand the root certificates used by the current TLS connection. In general, both manufacturers and developers need to further improve their management and usage of root certificates.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

Tracing Your Roots: Exploring the Security Issues of Root Certificates in Android TLS Connections

  • Xinyu Wei,
  • Yuewu Wang,
  • Lingguang Lei,
  • Peng Wang,
  • Chunjing Kou,
  • Siyuan Ma

摘要

The widespread adoption of Transport Layer Security (TLS) relies on rigorous certificate verification, but our large-scale analysis reveals shocking security issues in the root certificates themselves and their configuration that undermine TLS authentication guarantees. This paper uncovers security issues at two distinct levels: (1) The default root certificate list on platforms ranging from Android 7 to 14 and HarmonyOS 3.0 to 5.0 contains non-compliant root certificates, such as those associated with critical CVE vulnerability, certificates expired for over four years, and those using weak cryptography algorithm. Overall, HarmonyOS 5.0 performs best, followed by Android 14. (2) We carefully select 1246 popular apps to view their actual usage of custom root certificates. 42% of them have configuration issues with custom implementations, and some even enable HTTP communication, which indicates that while customizing root certificates provides convenience to users, it also introduces security risks. Finally, we evaluate the priority of root certificates from different sources to help users better understand the root certificates used by the current TLS connection. In general, both manufacturers and developers need to further improve their management and usage of root certificates.