
Mobile App Distribution Transparency (MADT): Design and Evaluation of a System to Mitigate Necessary Trust in Mobile App Distribution Systems

  • Conference paper
Secure IT Systems (NordSec 2023)

Abstract

Current mobile app distribution systems use (asymmetric) digital signatures to ensure integrity and authenticity of their apps. However, there are realistic threat models under which trust in such signatures is compromised. One example is an unknowingly leaked signing key that allows an attacker to distribute malicious updates to an existing app; other examples are intentional key sharing and insider attacks. Recent app store policy changes like Google Play App Signing (and similar practices of OEM and free app stores like F-Droid) are a practically relevant case of intentional key sharing: such distribution systems take over key handling and create app signatures themselves, breaking the previously end-to-end verifiable trust chain from developer to end-user device. This paper addresses these threats by proposing a system design that incorporates transparency logs and end-to-end verification into mobile app distribution systems, making unauthorized distribution attempts transparent and thus detectable. We analyze the relevant security considerations with regard to our threat model as well as the security implications in case an attacker is able to compromise our proposed system. Finally, we implemented an open-source prototype extending F-Droid, which demonstrates the practicability, feasibility, and performance of our proposed system.


Notes

  1. As developer identities are not directly verified by most Android app distribution systems, authenticity of signing keys is typically only guaranteed in the Trust-on-First-Use (TOFU) model.

  2. We consider a particular tree to be fully represented by its root hash, which can in turn be contained within an updated or larger tree with a different root hash. Within the scope of inclusion proofs we thus use the terms ‘tree’ and ‘root hash’ interchangeably with respect to the provided security guarantee.

  3. Most of the threats that we have identified can also be found elsewhere [2, 3, 17, 19, 23].

  4. Payment and IP protection mechanisms are already addressed in existing systems and considered out of scope of the threat model in this paper.

  5. Note that global passive adversaries may learn which apps are installed by clients by monitoring transmitted inclusion proofs, leaf log entries, and/or the embedded APK metadata. However, as there are many other ways to learn the same information under our threat model, we consider this out of scope and not a reason for keeping such data confidential.

  6. https://f-droid.org/repo/index-v2.json (accessed: 2023-02-07).

  7. For the efficiency comparison we do not even assume proof-of-work consensus algorithms, but permissioned ledgers, whose authentication of submitters is comparable to that performed by the personality.
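The abstract and note 2 above describe a log whose current state is a single root hash: an inclusion proof ties an app's logged metadata to that root, and a later, larger tree with a different root must still contain the earlier one. The following Python is an added example, not code from the paper or its F-Droid/Trillian prototype. It builds an RFC 6962-style Merkle tree over constructed APK-metadata entries (the JSON leaf layout, package names and digests are assumptions; the paper's actual leaf format is not on this page) and runs the client-side inclusion and consistency checks from RFC 9162, showing that a substituted APK is not covered by the logged root, that entries stay provably included after the log grows, and that a root from a log that silently rewrote an entry cannot be linked to the earlier root.

```python
# Added example, not code from the MADT paper or its prototype: an RFC 6962/9162-style
# Merkle tree over constructed APK-metadata leaves. The leaf encoding is an assumption.
import hashlib
import json

def leaf_hash(leaf):  # RFC 6962 leaf prefix 0x00, so a leaf can never collide with a node
    return hashlib.sha256(b"\x00" + leaf).digest()

def node_hash(left, right):  # RFC 6962 interior-node prefix 0x01
    return hashlib.sha256(b"\x01" + left + right).digest()

def _split(n):  # largest power of two strictly less than n (n >= 2)
    return 1 << ((n - 1).bit_length() - 1)

def root_hash(leaves):  # MTH(D[n]) from RFC 6962: the root hash stands for the whole tree
    if len(leaves) <= 1:
        return leaf_hash(leaves[0]) if leaves else hashlib.sha256(b"").digest()
    k = _split(len(leaves))
    return node_hash(root_hash(leaves[:k]), root_hash(leaves[k:]))

def inclusion_proof(leaves, m):  # PATH(m, D[n]) from RFC 6962: siblings from leaf m to the root
    n = len(leaves)
    if n <= 1:
        return []
    k = _split(n)
    if m < k:
        return inclusion_proof(leaves[:k], m) + [root_hash(leaves[k:])]
    return inclusion_proof(leaves[k:], m - k) + [root_hash(leaves[:k])]

def consistency_proof(leaves, m):  # PROOF(m, D[n]) from RFC 6962: first m leaves are a prefix
    def sub(lv, m, b):
        n = len(lv)
        if m == n:
            return [] if b else [root_hash(lv)]
        k = _split(n)
        if m <= k:
            return sub(lv[:k], m, b) + [root_hash(lv[k:])]
        return sub(lv[k:], m - k, False) + [root_hash(lv[:k])]
    return sub(leaves, m, True)

def verify_inclusion(leaf, index, size, path, root):  # RFC 9162 section 2.1.3.2
    if index >= size:
        return False
    fn, sn, r = index, size - 1, leaf_hash(leaf)
    for p in path:
        if sn == 0:
            return False
        if fn & 1 or fn == sn:
            r = node_hash(p, r)
            while fn != 0 and not fn & 1:  # climb past levels where the node is on the right edge
                fn, sn = fn >> 1, sn >> 1
        else:
            r = node_hash(r, p)
        fn, sn = fn >> 1, sn >> 1
    return sn == 0 and r == root

def verify_consistency(first, second, first_root, second_root, path):  # RFC 9162 section 2.1.4.2
    if not 0 < first < second or not path:
        return False
    if first & (first - 1) == 0:  # first is a power of two: its root is the first path element
        path = [first_root] + path
    fn, sn = first - 1, second - 1
    while fn & 1:
        fn, sn = fn >> 1, sn >> 1
    fr = sr = path[0]
    for c in path[1:]:
        if sn == 0:
            return False
        if fn & 1 or fn == sn:
            fr, sr = node_hash(c, fr), node_hash(c, sr)
            while fn != 0 and not fn & 1:
                fn, sn = fn >> 1, sn >> 1
        else:
            sr = node_hash(sr, c)
        fn, sn = fn >> 1, sn >> 1
    return sn == 0 and fr == first_root and sr == second_root

def apk_leaf(package, version_code, apk_sha256, signer_sha256):  # assumed leaf format
    entry = {"package": package, "versionCode": version_code, "apkSha256": apk_sha256, "signerSha256": signer_sha256}
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()

def demo():  # constructed entries; the hex digests are placeholders, not real APK or cert hashes
    log = [apk_leaf("org.example.app", 41, "a1" * 32, "c0" * 32),
           apk_leaf("org.example.app", 42, "b2" * 32, "c0" * 32),
           apk_leaf("org.example.other", 7, "d3" * 32, "e4" * 32)]
    root3, path = root_hash(log), inclusion_proof(log, 1)
    forged = apk_leaf("org.example.app", 42, "ff" * 32, "c0" * 32)  # same version, other APK
    log += [apk_leaf("org.example.app", 43, "55" * 32, "c0" * 32),
            apk_leaf("org.example.other", 8, "66" * 32, "e4" * 32)]
    root5 = root_hash(log)
    rewritten = root_hash(log[:1] + [forged] + log[2:])  # a log that silently replaced entry 1
    return {
        "roots_differ": root3 != root5,
        "included": verify_inclusion(log[1], 1, 3, path, root3),
        "forged_included": verify_inclusion(forged, 1, 3, path, root3),
        "consistent": verify_consistency(3, 5, root3, root5, consistency_proof(log, 3)),
        "still_included": verify_inclusion(log[1], 1, 5, inclusion_proof(log, 1), root5),
        "rewrite_detected": not verify_consistency(3, 5, root3, rewritten, consistency_proof(log, 3)),
    }
```

The 0x00/0x01 prefixes are not decoration: without them an interior node hash could be presented as a leaf, a known second-preimage weakness of unprefixed Merkle trees. On a device, `root` would come from a signed tree head obtained from the log (or compared against what other clients have seen), while `path` travels with the APK from the distribution system; the device pins the last tree head it accepted and requires a consistency proof before moving to a larger one, so a log that rewrites history is detected rather than trusted.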

References

  1. Aryan, S., Aryan, H., Halderman, J.A.: Internet censorship in Iran: a first look. In: 3rd USENIX Workshop on Free and Open Communications on the Internet (FOCI 2013), Washington, DC, USA. USENIX Association (2013). https://www.usenix.org/conference/foci13/workshop-program/presentation/aryan

  2. Barrera, D., McCarney, D., Clark, J., van Oorschot, P.C.: Baton: certificate agility for android’s decentralized signing infrastructure. In: WiSec 2014: Proceedings of the 2014 ACM Conference on Security and Privacy in Wireless & Mobile Networks, Oxford, United Kingdom, pp. 1–12. ACM (2014). https://doi.org/10.1145/2627393.2627397

  3. Basin, D., Cremers, C., Kim, T.H.J., Perrig, A., Sasse, R., Szalachowski, P.: ARPKI: attack resilient public-key infrastructure. In: CCS 2014: Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, Scottsdale, AZ, USA, pp. 382–393. ACM (2014). https://doi.org/10.1145/2660267.2660298

  4. Chacon, S., Straub, B.: Pro Git, 2nd edn. Apress, Berkeley (2022). https://git-scm.com/book/en/v2

  5. Coufalìková, A., Klaban, I., Šlajs, T.: Complex strategy against supply chain attacks. In: 2021 International Conference on Military Technologies (ICMT), Brno, Czech Republic, pp. 1–5. IEEE (2021). https://doi.org/10.1109/ICMT52455.2021.9502768

  6. Cutter, A., Drysdale, D.: Trillian Personalities (2022). https://github.com/google/trillian/blob/05001d1876f9340e42ba8b839c94e1b79246207b/docs/Personalities.md

  7. Di Pierro, M.: What is the blockchain? Comput. Sci. Eng. 19(5), 92–95 (2017). https://doi.org/10.1109/MCSE.2017.3421554

  8. Eijdenberg, A., Laurie, B., Cutter, A.: Verifiable data structures (2015). https://github.com/google/trillian/blob/30160804ab5203cde4412fe26f55a4149112bd92/docs/papers/VerifiableDataStructures.pdf

  9. F-Droid: Docs - F-Droid - Free and Open Source Android App Repository (2023). https://f-droid.org/docs/. Accessed 23 Jan 2023

  10. Google: Certificate Transparency (2023). https://certificate.transparency.dev/. Accessed 23 Jan 2023

  11. Google: How Log Proofs Work - Certificate Transparency (2023). https://sites.google.com/site/certificatetransparency/log-proofs-work. Accessed 23 Jan 2023

  12. Google: Use Play App Signing - Play Console Help (2023). https://support.google.com/googleplay/android-developer/answer/9842756. Accessed 12 Jan 2023

  13. Herr, T., Loomis, W., Scott, S., Lee, J., Schroeder, E.: Breaking Trust - Shades of Crisis Across an Insecure Software Supply Chain (2021). https://www.usenix.org/conference/enigma2021/presentation/herr

  14. Kumar, R., Virkud, A., Raman, R.S., Prakash, A., Ensafi, R.: A large-scale investigation into geodifferences in mobile apps. In: Proceedings of the 31st USENIX Security Symposium (USENIX Security 2022), Boston, MA, USA, pp. 1203–1220. USENIX Association (2022). https://www.usenix.org/conference/usenixsecurity22/presentation/kumar

  15. Laurie, B., Langley, A., Kasper, E.: RFC 6962: Certificate Transparency (2013). https://doi.org/10.17487/RFC6962

  16. Laurie, B., Messeri, E., Stradling, R.: RFC 9162: Certificate Transparency Version 2.0 (2021). https://doi.org/10.17487/RFC9162

  17. Mayrhofer, R., Stoep, J.V., Brubaker, C., Kralevich, N.: The Android platform security model. ACM Trans. Priv. Secur. 24(3), 1–35 (2021). https://doi.org/10.1145/3448609

  18. Meiklejohn, S., et al.: Think global, act local: gossip and client audits in verifiable data structures. Computing Research Repository (CoRR) (2020). arXiv:2011.04551. https://doi.org/10.48550/ARXIV.2011.04551

  19. Melara, M.S., Blankstein, A., Bonneau, J., Felten, E.W., Freedman, M.J.: CONIKS: bringing key transparency to end users. In: Proceedings of the 24th USENIX Security Symposium (USENIX Security 2015), Washington, DC, USA, pp. 383–398. USENIX Association (2015). https://www.usenix.org/conference/usenixsecurity15/technical-sessions/presentation/melara

  20. Merkle, R.C.: A digital signature based on a conventional encryption function. In: Pomerance, C. (ed.) CRYPTO 1987. LNCS, vol. 293, pp. 369–378. Springer, Heidelberg (1988). https://doi.org/10.1007/3-540-48184-2_32

  21. Mozilla: Certificate Transparency (2023). https://developer.mozilla.org/en-US/docs/Web/Security/Certificate_Transparency. Accessed 23 Jan 2023

  22. Nicas, J., Zhong, R., Wakabayashi, D.: Censorship, surveillance and profits: a hard bargain for Apple in China. The New York Times (2021). https://www.nytimes.com/2021/05/17/technology/apple-china-censorship-data.html. Accessed 23 Jan 2023

  23. Nikitin, K., et al.: CHAINIAC: proactive software-update transparency via collectively signed skipchains and verified builds. In: Proceedings of the 26th USENIX Security Symposium (USENIX Security 2017), Vancouver, BC, Canada, pp. 1271–1287. USENIX Association (2017). https://www.usenix.org/conference/usenixsecurity17/technical-sessions/presentation/nikitin

  24. Nordberg, L., Gillmor, D.K., Ritter, T.: Gossiping in CT. Internet-Draft draft-ietf-trans-gossip-05, Internet Engineering Task Force (2018). https://datatracker.ietf.org/doc/draft-ietf-trans-gossip/05/. Work in Progress

  25. Steiner, H.C.: Binary Transparency Log for https://guardianproject.info/fdroid (2023). https://github.com/guardianproject/binary_transparency_log. Accessed 23 Jan 2023

  26. Syta, E., et al.: Keeping authorities “honest or bust” with decentralized witness cosigning. In: 2016 IEEE Symposium on Security and Privacy (SP), San Jose, CA, USA, pp. 526–545. IEEE (2016). https://doi.org/10.1109/SP.2016.38

  27. The MITRE Corporation: Supply Chain Compromise (2023). https://attack.mitre.org/techniques/T1195/. Accessed 23 Jan 2023

  28. The Tor Project: Tor Project - Anonymity Online (2023). https://www.torproject.org/. Accessed 07 Feb 2023


Acknowledgment

This work has been carried out within the scope of Digidow, the Christian Doppler Laboratory for Private Digital Authentication in the Physical World and has partially been supported by the LIT Secure and Correct Systems Lab. We gratefully acknowledge financial support by the Austrian Federal Ministry of Labour and Economy, the National Foundation for Research, Technology and Development, the Christian Doppler Research Association, 3 Banken IT GmbH, ekey biometric systems GmbH, Kepler Universitätsklinikum GmbH, NXP Semiconductors Austria GmbH & Co KG, Österreichische Staatsdruckerei GmbH, and the State of Upper Austria.

Author information


Corresponding author

Correspondence to Mario Lins.


A Availability

Our prototype implementation consists of the following component repositories and is publicly available.

We also provide a running personality with this version of the codebase, along with a transparency log running the unmodified Google Trillian codebase (from https://github.com/google/trillian) that has been pre-filled with APK metadata from the index of the official F-Droid repository as well as some of our test apps, which use the Android library for verification. It is available through a Tor Onion service at http://madtl6agno7zze4ll66ylxmb4lkmb72attwfhcmfbspyx35v4e6ut5ad.onion/Log/ListTrees.


Copyright information

© 2024 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper


Cite this paper

Lins, M., Mayrhofer, R., Roland, M., Beresford, A.R. (2024). Mobile App Distribution Transparency (MADT): Design and Evaluation of a System to Mitigate Necessary Trust in Mobile App Distribution Systems. In: Fritsch, L., Hassan, I., Paintsil, E. (eds) Secure IT Systems. NordSec 2023. Lecture Notes in Computer Science, vol 14324. Springer, Cham. https://doi.org/10.1007/978-3-031-47748-5_11


  • DOI: https://doi.org/10.1007/978-3-031-47748-5_11


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-47747-8

  • Online ISBN: 978-3-031-47748-5

  • eBook Packages: Computer Science (R0)
