KeyDroid: A Large-Scale Analysis of Secure Key Storage in Android Apps

TL;DR

This paper provides a comprehensive analysis of Android's hardware-backed key storage, revealing low adoption rates among apps handling sensitive data and evaluating the performance trade-offs of different trusted hardware implementations.

Contribution

It is the first large-scale survey of Android trusted hardware usage and performance, highlighting adoption gaps and practical limitations of secure elements.

Findings

56.3% of sensitive-data apps do not use trusted hardware

Only 5.03% of apps use the strongest hardware security

Hardware-backed cryptography is feasible for common operations, but not for high-security requirements

Abstract

Most contemporary mobile devices offer hardware-backed storage for cryptographic keys, user data, and other sensitive credentials. Such hardware protects credentials from extraction by an adversary who has compromised the main operating system, such as a malicious third-party app. Since 2011, Android app developers can access trusted hardware via the Android Keystore API. In this work, we conduct the first comprehensive survey of hardware-backed key storage in Android devices. We analyze 490 119 Android apps, collecting data on how trusted hardware is used by app developers (if used at all) and cross-referencing our findings with sensitive user data collected by each app, as self-reported by developers via the Play Store's data safety labels. We find that despite industry-wide initiatives to encourage adoption, 56.3% of apps self-reporting as processing sensitive user data do not use Android's trusted hardware capabilities at all, while just 5.03% of apps collecting some form of sensitive data use the strongest form of trusted hardware, a secure element distinct from the main processor. To better understand the potential downsides of using secure hardware, we conduct the first empirical analysis of trusted hardware performance in mobile devices, measuring the runtime of common cryptographic operations across both software- and hardware-backed keystores. We find that while hardware-backed key storage using a coprocessor is viable for most common cryptographic operations, secure elements capable of preventing more advanced attacks make performance infeasible for symmetric encryption with non-negligible payloads and any kind of asymmetric encryption.