
Latest Research from the UCAS School of Cryptology Accepted by IEEE ICC 2026 (CCF-C)

  • By: School of Cryptology
  • Date: 2026-06-07

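Recently, the School of Cryptology at the University of Chinese Academy of Sciences made new research progress in the protection of cryptographic keys on mobile devices. The paper "Cross-Application Key Abuse Attack against Hardware-backed Android Keystore", supervised by Researcher Yuewu Wang of the School of Cryptology, has been formally accepted by the IEEE International Conference on Communications (ICC 2026).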

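The study systematically analyzes the access control model of the Android Keystore hardware key protection mechanism and reveals a fundamental flaw: its security depends heavily on the untrusted Rich Execution Environment. This finding shows that the practical security of hardware key protection depends not only on cryptographic isolation but also on the policy configuration that developers apply at the software level, and that the authentication misconfigurations widespread in the current Android ecosystem make cross-application key abuse a realistic and common threat.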


Abstract: The Android Keystore is a cornerstone of mobile security, providing application developers with hardware-backed protection for cryptographic keys. While hardware isolation prevents direct key extraction, it cannot stop malicious applications from misusing keys. We systematically analyze the Keystore’s access control model and reveal its strong reliance on the untrusted Rich Execution Environment (REE), which exposes protected keys to cross-application abuse. We demonstrate the feasibility of such attacks on real devices through a two-step process: UID spoofing and user authentication bypass. Since the latter depends on application-level Keystore authentication settings, we analyzed 160 Android applications, including the top 100 most-downloaded apps on Google Play and 60 two-factor authentication (2FA) apps. Among the 2FA apps, 32 used the hardware-backed Keystore, yet most misconfigured authentication: 21 lacked it entirely, six used long validity windows, and eight misused biometric binding, leaving hardware-protected keys exposed.


 

Paper information: Zeping Wu, Lingguang Lei, Pingjian Wang, Yuewu Wang, Xiaojuan Feng, and Hang Zhang: "Cross-Application Key Abuse Attack against Hardware-backed Android Keystore," in IEEE International Conference on Communications 2026 (ICC 2026).