DROIDCCT: Cryptographic Compliance Test via Trillion-Scale Measurement
Daniel Moghimi, Alexandru-Cosmin Mihai, Borbala Benko, Catherine Vlasov, Elie Bursztein, Kurt Thomas, Laszlo Siroki, Pedro Barbosa, Remi Audebert
TL;DR
DROIDCCT presents a trillion-scale telemetry framework that passively analyzes Android Keystore cryptographic operations across hundreds of millions of devices to uncover weak randomness, buggy implementations, and timing side channels. By integrating signals via Play Integrity API and applying cross-validation, randomness testing, public-key analysis, and side-channel pipelines, the study reveals heterogeneous, often insecure cryptographic behavior across chipsets and API levels. Key findings include widespread key import and cipher failures, numerous weak RSA keys, and detectable ECDSA timing leaks, with device-tier and chipset-dependent patterns. The work demonstrates that scalable, open testing can drive actionable improvements and stronger, more transparent cryptographic implementations. The results highlight practical implications for compliance testing, hardware-backed security, and the urgency of patching and standardizing cryptographic behavior across the Android ecosystem.
Abstract
We develop DroidCCT, a distributed test framework to evaluate the scale of a wide range of failures/bugs in cryptography for end users. DroidCCT relies on passive analysis of artifacts from the execution of cryptographic operations in the Android ecosystem to identify weak implementations. We collect trillions of samples from cryptographic operations of Android Keystore on half a billion devices and apply severalanalysis techniques to evaluate the quality of cryptographic output from these devices and their underlying implementations. Our study reveals several patterns of bugs and weakness in cryptographic implementations from various manufacturers and chipsets. We show that the heterogeneous nature of cryptographic implementations results in non-uniform availability and reliability of various cryptographic functions. More importantly, flaws such as the use of weakly-generated random parameters, and timing side channels may surface across deployments of cryptography. Our results highlight the importance of fault- and side-channel-resistant cryptography and the ability to transparently and openly test these implementations.
