Baton: Key Agility for Android without a Centralized Certificate Infrastructure

Android’s trust-on-first-use application signing model associates developers with a fixed signing key, but lacks a mechanism to transparently update the key or renew their signing certificate. As an advantage, this feature allows application updates to be recognized as authorized by a party with access to the original signing key. Changing keys or certificates requires that end-users manually uninstall/reinstall apps, losing all non-backed-up user data. In this paper, we show that with appropriate OS support, developers can securely and without user intervention transfer signing authority to a new signing key. Our proposal, Baton, modifies Android’s app installation framework, enabling key agility while preserving backwards compatibility with current apps and current Android releases. Baton is designed to work consistently with current UID sharing and signature permission requirements. We discuss the technical changes made to Android, and remaining open issues such as key loss and signing authority revocation on Android.
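The abstract describes the core idea in one sentence: with OS support, the holder of the key an installer already trusts can hand signing authority to a new key, so an update signed by the new key is still recognized as authorized. The Go program below is an added illustration of that idea and is not Baton's design or code; the message formats, the endorsement structure, the Ed25519 choice and the package name are all assumptions made here. It models a trust-on-first-use installer that records the first signer of a package, accepts later updates only from the recorded key, and additionally accepts an update from a new key when the package carries an endorsement chain that starts at the recorded key and ends at the update's signer. Each endorsement names the package so that an endorsement issued for one app cannot be replayed to take over another.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Endorsement is a statement, signed by a package's current signing key, that
// NewKey may sign future updates of Package. (Assumed format, not Baton's.)
type Endorsement struct {
	Package string
	NewKey  ed25519.PublicKey
	Sig     []byte // signature by the endorsing (previous) key
}

// endorsementMsg binds the endorsement to one package name and one new key.
func endorsementMsg(pkg string, newKey ed25519.PublicKey) []byte {
	return append([]byte("endorse:"+pkg+":"), newKey...)
}

// Endorse is run by the developer with the old private key.
func Endorse(oldPriv ed25519.PrivateKey, pkg string, newKey ed25519.PublicKey) Endorsement {
	return Endorsement{Package: pkg, NewKey: newKey,
		Sig: ed25519.Sign(oldPriv, endorsementMsg(pkg, newKey))}
}

// Package is a stand-in for a signed APK: name, contents, signer and an
// optional endorsement chain (oldest endorsement first).
type Package struct {
	Name         string
	Code         []byte
	Signer       ed25519.PublicKey
	Sig          []byte
	Endorsements []Endorsement
}

func packageMsg(name string, code []byte) []byte {
	return append([]byte("pkg:"+name+":"), code...)
}

func SignPackage(priv ed25519.PrivateKey, name string, code []byte, chain []Endorsement) Package {
	pub := priv.Public().(ed25519.PublicKey)
	return Package{Name: name, Code: code, Signer: pub,
		Sig: ed25519.Sign(priv, packageMsg(name, code)), Endorsements: chain}
}

// Installer keeps the trust-on-first-use record: package name -> signing key.
type Installer struct{ keys map[string]ed25519.PublicKey }

func NewInstaller() *Installer { return &Installer{keys: map[string]ed25519.PublicKey{}} }

// Install accepts a first install unconditionally (TOFU), and an update only if
// its signer is the recorded key or is reached from the recorded key through a
// chain of valid endorsements. On success the recorded key moves to the signer.
func (ins *Installer) Install(p Package) error {
	if !ed25519.Verify(p.Signer, packageMsg(p.Name, p.Code), p.Sig) {
		return errors.New("package signature invalid")
	}
	current, known := ins.keys[p.Name]
	if !known {
		ins.keys[p.Name] = p.Signer // first install: trust on first use
		return nil
	}
	for i, e := range p.Endorsements {
		if e.Package != p.Name {
			return fmt.Errorf("endorsement %d is for package %q", i, e.Package)
		}
		if !ed25519.Verify(current, endorsementMsg(e.Package, e.NewKey), e.Sig) {
			return fmt.Errorf("endorsement %d not signed by the key on record", i)
		}
		current = e.NewKey
	}
	if !bytes.Equal(current, p.Signer) {
		return errors.New("update signer does not match the key on record")
	}
	ins.keys[p.Name] = p.Signer
	return nil
}

func keypair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Scenario runs: first install signed by key A; an update signed by key B that
// carries A's endorsement of B; then an update signed by an unrelated key C
// whose only endorsement is one C signed itself. Returns the three outcomes.
func Scenario() (firstErr, rotatedErr, rogueErr error) {
	ins := NewInstaller()
	_, privA := keypair()
	pubB, privB := keypair()
	pubC, privC := keypair()
	const name = "com.example.app" // constructed package name
	firstErr = ins.Install(SignPackage(privA, name, []byte("v1"), nil))
	rotatedErr = ins.Install(SignPackage(privB, name, []byte("v2"),
		[]Endorsement{Endorse(privA, name, pubB)}))
	rogueErr = ins.Install(SignPackage(privC, name, []byte("v3"),
		[]Endorsement{Endorse(privC, name, pubC)}))
	return
}

func main() {
	first, rotated, rogue := Scenario()
	fmt.Println("first install:", first)   // <nil>
	fmt.Println("endorsed key B:", rotated) // <nil>
	fmt.Println("unendorsed key C:", rogue) // error: chain not rooted at key on record
}
```

Note what this toy does not address, which the abstract lists as open issues: if the old private key is lost, no endorsement can ever be produced, and nothing here lets a developer revoke authority already transferred. Real Android also ties the signing key to UID sharing and signature-level permissions, so an OS-level design has to apply the same transfer consistently to every package that shares the key.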
