A Tangled Mass: The Android Root Certificate Stores

Title

A Tangled Mass: The Android Root Certificate Stores

Publication Type

Conference Paper

Year of Publication

2014

Authors

Vallina-Rodriguez, N., Amann J., Kreibich C., Weaver N., & Paxson V.

Other Numbers

3736

The security of today’s Web rests in part on the set of X.509 certificate authorities trusted by each user’s browser. Users generally do not themselves configure their browser’s root store but instead rely upon decisions made by the suppliers of either the browsers or the devices upon which they run. In this work we explore the nature and implications of these trust decisions for Android users. Drawing upon datasets collected by Netalyzr for Android and ICSI’s Certificate Notary, we characterize the certificate root store population present in mobile devices in the wild. Motivated by concerns that bloated root stores increase the attack surface of mobile users, we report on the interplay of certificate sets deployed by the device manufacturers, mobile operators, and the Android OS. We identify certificates installed exclusively by apps on rooted devices, thus breaking the audited and supervised root store model, and also discover use of TLS interception via HTTPS proxies employed by a market research company.


We are deeply grateful to Netalyzr’s many users for making this study possible, and also for their helpful feedback. We would like to thank the anonymous reviewers for their valuable comments. This work was partially supported by funding provided to ICSI through National Science Foundation grants CNS : 1213157 (“User-Centric Network Measurement”), CNS : 1237265 (“Beyond Technical Security: Developing an Empirical Basis for Socio-Economic Perspectives”), and CNS : 0831535 (“Comprehensive Application Analysis and Control”), and by the DHS Directorate of Science and Technology through grant N66001-12-C-0128. We also wish to thank Amazon, Comcast, and Google for their generous support. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the authors or originators and do not necessarily reflect the views of the National Science Foundation.

Bibliographic Notes

Proceedings of the 10th International Conference on emerging Networking EXperiments and Technologies (CoNEXT), Sydney, Australia

Abbreviated Authors

N. Vallina-Rodriguez, J. Amann, C. Kreibich, N. Weaver, and V. Paxson

ICSI Research Group

Networking and Security

ICSI Publication Type

Article in conference proceedings