
Latest Result from the School of Cryptology, UCAS Accepted by Inscrypt 2025

  • Text: School of Cryptology
  • Date: 2025-11-03

Under the supervision of Researcher Yuewu Wang of the School of Cryptology, University of Chinese Academy of Sciences (UCAS), students carried out research on the root certificates used in TLS connections on the Android system. The resulting paper, titled "Tracing Your Roots: Exploring the Security Issues of Root Certificates in Android TLS Connections", was published at the 21st International Conference on Information Security and Cryptology (Inscrypt 2025). In October 2025, the paper's first author attended Inscrypt 2025 and presented the work at the conference in English.

Abstract: The widespread adoption of Transport Layer Security (TLS) relies on rigorous certificate verification, but our large-scale analysis reveals shocking security issues in the root certificates themselves and in their configuration that undermine the authentication guarantees of TLS. This paper uncovers security issues at two distinct levels: (1) The default root certificate list on platforms ranging from Android 7 to 14 and HarmonyOS 3.0 to 5.0 contains non-compliant root certificates, such as those associated with critical CVE vulnerabilities, certificates expired for over four years, and those using weak cryptographic algorithms. Overall, HarmonyOS 5.0 performs best, followed by Android 14. (2) We carefully select 1246 popular apps to view their actual usage of custom root certificates. 42% of them have configuration issues with custom implementations, and some even enable HTTP communication, which indicates that while customizing root certificates provides convenience to users, it also introduces security risks. Finally, we evaluate the priority of root certificates from different sources to help users better understand the root certificates used by the current TLS connection. In general, both manufacturers and developers need to further improve their management and usage of root certificates.
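The store-level defects named in finding (1), expired roots and roots using weak cryptography, are the kind of thing a defender can check mechanically. The following Go program is an added illustration written for this page, not code from the paper or its authors: it audits a list of parsed root certificates for roots past their NotAfter date and for RSA keys below 2048 bits (the threshold, the function names and the three self-signed sample roots are this example's own assumptions, constructed in place of a real Android store).

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// AuditRoots reports the two store-level defects the paper names: roots past
// NotAfter and roots with RSA keys below 2048 bits. "now" is injected for tests.
func AuditRoots(roots []*x509.Certificate, now time.Time) []string {
	var out []string
	for _, c := range roots {
		if now.After(c.NotAfter) {
			out = append(out, fmt.Sprintf("%s: expired %d days ago", c.Subject.CommonName, int(now.Sub(c.NotAfter).Hours()/24)))
		}
		if pub, ok := c.PublicKey.(*rsa.PublicKey); ok && pub.N.BitLen() < 2048 {
			out = append(out, fmt.Sprintf("%s: weak RSA key (%d bits)", c.Subject.CommonName, pub.N.BitLen()))
		}
	}
	return out
}

// SelfSignedRoot builds a constructed sample CA (not any real root certificate).
func SelfSignedRoot(cn string, bits int, notAfter time.Time) *x509.Certificate {
	key, _ := rsa.GenerateKey(rand.Reader, bits) // sizes used here are >= 1024, so this cannot fail
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, NotBefore: notAfter.AddDate(-10, 0, 0), NotAfter: notAfter}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der) // DER we just produced always parses
	return c
}

func main() {
	now := time.Now()
	roots := []*x509.Certificate{ // constructed store: one sound, one stale, one weak root
		SelfSignedRoot("Constructed Good Root", 2048, now.AddDate(10, 0, 0)),
		SelfSignedRoot("Constructed Stale Root", 2048, now.AddDate(-4, -1, 0)),
		SelfSignedRoot("Constructed Weak Root", 1024, now.AddDate(10, 0, 0)),
	}
	fmt.Println(strings.Join(AuditRoots(roots, now), "\n"))
}
```

On a device, the same audit would be run over the certificates read from the system store rather than over constructed samples.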


Paper information: Xinyu Wei, Yuewu Wang, Lingguang Lei, Peng Wang, Chunjing Kou and Siyuan Ma. Tracing Your Roots: Exploring the Security Issues of Root Certificates in Android TLS Connections. (Inscrypt 2025)