Table of Contents
Fetching ...

DROIDCCT: Cryptographic Compliance Test via Trillion-Scale Measurement

Daniel Moghimi, Alexandru-Cosmin Mihai, Borbala Benko, Catherine Vlasov, Elie Bursztein, Kurt Thomas, Laszlo Siroki, Pedro Barbosa, Remi Audebert

TL;DR

DROIDCCT presents a trillion-scale telemetry framework that passively analyzes Android Keystore cryptographic operations across hundreds of millions of devices to uncover weak randomness, buggy implementations, and timing side channels. By integrating signals via Play Integrity API and applying cross-validation, randomness testing, public-key analysis, and side-channel pipelines, the study reveals heterogeneous, often insecure cryptographic behavior across chipsets and API levels. Key findings include widespread key import and cipher failures, numerous weak RSA keys, and detectable ECDSA timing leaks, with device-tier and chipset-dependent patterns. The work demonstrates that scalable, open testing can drive actionable improvements and stronger, more transparent cryptographic implementations. The results highlight practical implications for compliance testing, hardware-backed security, and the urgency of patching and standardizing cryptographic behavior across the Android ecosystem.

Abstract

We develop DroidCCT, a distributed test framework to evaluate the scale of a wide range of failures/bugs in cryptography for end users. DroidCCT relies on passive analysis of artifacts from the execution of cryptographic operations in the Android ecosystem to identify weak implementations. We collect trillions of samples from cryptographic operations of Android Keystore on half a billion devices and apply severalanalysis techniques to evaluate the quality of cryptographic output from these devices and their underlying implementations. Our study reveals several patterns of bugs and weakness in cryptographic implementations from various manufacturers and chipsets. We show that the heterogeneous nature of cryptographic implementations results in non-uniform availability and reliability of various cryptographic functions. More importantly, flaws such as the use of weakly-generated random parameters, and timing side channels may surface across deployments of cryptography. Our results highlight the importance of fault- and side-channel-resistant cryptography and the ability to transparently and openly test these implementations.

DROIDCCT: Cryptographic Compliance Test via Trillion-Scale Measurement

TL;DR

DROIDCCT presents a trillion-scale telemetry framework that passively analyzes Android Keystore cryptographic operations across hundreds of millions of devices to uncover weak randomness, buggy implementations, and timing side channels. By integrating signals via Play Integrity API and applying cross-validation, randomness testing, public-key analysis, and side-channel pipelines, the study reveals heterogeneous, often insecure cryptographic behavior across chipsets and API levels. Key findings include widespread key import and cipher failures, numerous weak RSA keys, and detectable ECDSA timing leaks, with device-tier and chipset-dependent patterns. The work demonstrates that scalable, open testing can drive actionable improvements and stronger, more transparent cryptographic implementations. The results highlight practical implications for compliance testing, hardware-backed security, and the urgency of patching and standardizing cryptographic behavior across the Android ecosystem.

Abstract

We develop DroidCCT, a distributed test framework to evaluate the scale of a wide range of failures/bugs in cryptography for end users. DroidCCT relies on passive analysis of artifacts from the execution of cryptographic operations in the Android ecosystem to identify weak implementations. We collect trillions of samples from cryptographic operations of Android Keystore on half a billion devices and apply severalanalysis techniques to evaluate the quality of cryptographic output from these devices and their underlying implementations. Our study reveals several patterns of bugs and weakness in cryptographic implementations from various manufacturers and chipsets. We show that the heterogeneous nature of cryptographic implementations results in non-uniform availability and reliability of various cryptographic functions. More importantly, flaws such as the use of weakly-generated random parameters, and timing side channels may surface across deployments of cryptography. Our results highlight the importance of fault- and side-channel-resistant cryptography and the ability to transparently and openly test these implementations.
Paper Structure (37 sections, 12 figures, 12 tables)

This paper contains 37 sections, 12 figures, 12 tables.

Figures (12)

  • Figure 1: DroidCCT: A test app that exercises different cryptographic functions collect samples from real devices, then the samples are aggregated and processed for various signals to assess the correctness of implementations.
  • Figure 2: Devices that support strongbox, based on the year they were released, broken down by device tier.
  • Figure 3: Execution time of cryptographic operations for StrongBox and TEEs, broken down by device tier and operation type. All times are in milliseconds.
  • Figure 4: Frequency of errors for key operations.
  • Figure 5: Frequency of different errors among ciphers.
  • ...and 7 more figures