The security of today’s Web rests in part on the set of X.509 certificate
authorities trusted by each user’s browser. Users generally
do not themselves configure their browser’s root store but instead
rely upon decisions made by the suppliers of either the browsers
or the devices upon which they run. In this work we explore the
nature and implications of these trust decisions for Android users.
Drawing upon datasets collected by Netalyzr for Android and ICSI’s
Certificate Notary, we characterize the certificate root store population
present in mobile devices in the wild. Motivated by concerns
that bloated root stores increase the attack surface of mobile users,
we report on the interplay of certificate sets deployed by the device
manufacturers, mobile operators, and the Android OS. We identify
certificates installed exclusively by apps on rooted devices, thus
breaking the audited and supervised root store model, and also discover
use of TLS interception via HTTPS proxies employed by a
market research company.

Full paper: http://www.icir.org/johanna/papers/conext14tangledmass.pdf
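The audit the abstract describes has two parts: diff a device's root stores against the audited AOSP baseline to see which roots the manufacturer, operator, user or an app added, and compare the root that anchored a TLS chain on the device against what an outside vantage point (the Certificate Notary in the paper) has seen for that host. The following is an added example, not code from the paper or its authors. Every fingerprint, subject name and store inventory in it is constructed (label hashes, not real certificates), the `system`/`user` store labels stand for Android's system and user-added cacerts directories, and the notary data is a hand-built set; a real audit would hash the DER files pulled off a device and query a real notary.

```python
"""Root-store audit in the spirit of the paper (added example, not the authors' code).
All inputs are constructed inline so the script runs offline."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class RootCert:
    subject: str   # certificate subject DN, as a display string
    sha256: str    # hex SHA-256 fingerprint of the DER-encoded certificate
    store: str     # "system" (shipped in the OS image) or "user" (user-added store)


def stand_in_fp(label: str) -> str:
    """Constructed stand-in for a certificate fingerprint (hash of a label).
    A real audit hashes the DER bytes of each file in the cacerts directories."""
    return hashlib.sha256(label.encode()).hexdigest()


# Constructed AOSP baseline: fingerprints an audited Android release ships with.
AOSP_BASELINE = {stand_in_fp("Example Root CA 1"), stand_in_fp("Example Root CA 2")}

# Constructed inventory of one device's root stores (hypothetical names).
DEVICE_STORE = [
    RootCert("CN=Example Root CA 1", stand_in_fp("Example Root CA 1"), "system"),
    RootCert("CN=Example Root CA 2", stand_in_fp("Example Root CA 2"), "system"),
    RootCert("CN=OEM Provisioning CA", stand_in_fp("OEM Provisioning CA"), "system"),
    RootCert("CN=Survey Proxy Root", stand_in_fp("Survey Proxy Root"), "user"),
]


def classify_roots(device, baseline):
    """Bucket each root on the device by how it most likely got there."""
    result = {"aosp": [], "vendor_added": [], "user_added": []}
    for cert in device:
        if cert.sha256 in baseline:
            result["aosp"].append(cert)
        elif cert.store == "system":
            # In the system store but absent from AOSP: manufacturer or operator image.
            result["vendor_added"].append(cert)
        else:
            # User store: installed by the user, or by an app on a rooted device.
            result["user_added"].append(cert)
    return result


def interception_suspected(chain_root_fp, host_roots_seen_by_notary, classified):
    """Notary-style check for one TLS connection observed on the device.

    chain_root_fp: fingerprint of the root that anchored the chain the device saw.
    host_roots_seen_by_notary: roots an outside vantage point has seen anchoring
    this host (constructed here; the Certificate Notary plays that role in the paper).
    Returns (suspected, reason).
    """
    if chain_root_fp in host_roots_seen_by_notary:
        return False, "chain anchored by a root the notary has seen for this host"
    non_baseline = {c.sha256 for c in classified["vendor_added"] + classified["user_added"]}
    if chain_root_fp in non_baseline:
        return True, "chain anchored by a non-AOSP root the notary never saw for this host"
    return True, "chain anchored by a root the notary has not seen for this host"


def audit_report(device=DEVICE_STORE, baseline=AOSP_BASELINE):
    """Summarise the store diff as counts, the shape a fleet-wide survey would aggregate."""
    classified = classify_roots(device, baseline)
    return {bucket: len(certs) for bucket, certs in classified.items()}


if __name__ == "__main__":
    classified = classify_roots(DEVICE_STORE, AOSP_BASELINE)
    for bucket, certs in classified.items():
        for c in certs:
            print(f"{bucket:13} {c.store:6} {c.subject}")
    # Constructed observation: a chain to some host anchored by the user-store root,
    # while the notary has only ever seen that host anchored by Example Root CA 1.
    print(interception_suspected(stand_in_fp("Survey Proxy Root"),
                                 {stand_in_fp("Example Root CA 1")}, classified))
```

The split between `vendor_added` and `user_added` is what makes the report actionable: a root that is in the system image but not in AOSP points at the manufacturer or operator build, while a root in the user store on a device the user never configured points at an app with root access. The notary comparison on its own cannot tell a legitimate key rotation from interception, which is why the check reports which non-baseline root anchored the chain rather than a bare verdict.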