Android OEM Keys Leaked, Still Not Getting an iPhone

Posted on Tuesday, Dec 6, 2022 by Ned Bellavance

Featured in this episode of Chaos Lever

I’m sorry Chris, I’m just a contrarian at heart and when people tell me how great something is- oftentimes at great and exhaustive length- I’m primed to run in the other direction. In this case, from the iPhone 3G directly into the arms of Android, where I have comfortably (mostly) stayed for the last 11 years. Christ, has it really been 11 years? Hold on… carry the 2… yup 2011 HTC Thunderbolt.

Er, so anyway, turns out that the signing keys for many of the biggest Android OEMs have been leaked, in some cases for years, and they are still actively being used by those same OEMs. Samsung, in particular, continues to use their leaked key to sign app updates for their suite of add-ons, like Bixby and Samsung Pay. Given that Samsung has a 28% market share (second only to Apple), that’s… bad? Yes, bad. How bad? That part is harder to say.

According to a story from Ars Technica, Samsung has been frustratingly opaque about why they are still using the leaked signing keys and what measures they have taken to prevent malicious copycat apps from using the keys. Based on some excellent detail from Mishaal Rahman, cohost of the Android Show, signing keys are used to prove the provenance of applications for Android. The developer signs the updated app with the key, and Android checks to make sure the key of the update matches the current key of the app. Apps coming from the Google Play store are routinely scanned and are forced to update their keys on a regular basis, which is a good thing!
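To make the "update key must match the installed key" rule concrete, here is an added example (not from the post or from Android itself) that parses `apksigner verify --print-certs` style output and applies that rule, then shows why a leaked key defeats it. All fingerprints and the output text are constructed placeholders; v3 signing-key rotation (lineage) is deliberately not modelled.

```python
import re
from typing import List, Set

# One "certificate SHA-256 digest" line per signer, as apksigner prints it.
DIGEST_RE = re.compile(r"^Signer #\d+ certificate SHA-256 digest: ([0-9a-f]{64})$", re.M)


def signer_digests(print_certs_output: str) -> List[str]:
    """Extract the SHA-256 certificate digest of every signer from --print-certs text."""
    return sorted(DIGEST_RE.findall(print_certs_output))


def update_accepted(installed_output: str, update_output: str) -> bool:
    """Android's rule: an update installs only if its signer set equals the installed app's."""
    installed = signer_digests(installed_output)
    return bool(installed) and installed == signer_digests(update_output)


def compromised_signers(print_certs_output: str, leaked: Set[str]) -> List[str]:
    """Defender check: which of the app's signer certs are on a known-leaked fingerprint list."""
    return [d for d in signer_digests(print_certs_output) if d in leaked]


def fake_print_certs(dn: str, digest: str) -> str:
    """Build constructed apksigner-like output for a single-signer APK (sample data only)."""
    return (f"Signer #1 certificate DN: CN={dn}\n"
            f"Signer #1 certificate SHA-256 digest: {digest}\n")


# Constructed placeholder fingerprints; these are not any vendor's real certificates.
OEM_KEY = "a1" * 32          # a platform key that was never leaked
LEAKED_OEM_KEY = "b2" * 32   # a platform key that has leaked but is still in use
THIRD_PARTY_KEY = "c3" * 32  # some unrelated developer key
KNOWN_LEAKED = {LEAKED_OEM_KEY}  # operator-maintained blocklist (constructed)

INSTALLED_OK = fake_print_certs("OEM Platform", OEM_KEY)
INSTALLED_LEAKED = fake_print_certs("OEM Platform", LEAKED_OEM_KEY)
ROGUE_UPDATE = fake_print_certs("Totally Legit Bixby", LEAKED_OEM_KEY)  # signed with leaked key

if __name__ == "__main__":
    # Same-key check works as intended when the key is secret...
    print(update_accepted(INSTALLED_OK, fake_print_certs("OEM Platform", THIRD_PARTY_KEY)))
    # ...but cannot distinguish a rogue update from a real one once the key has leaked.
    print(update_accepted(INSTALLED_LEAKED, ROGUE_UPDATE))
    print(compromised_signers(INSTALLED_LEAKED, KNOWN_LEAKED))
```

The last two calls are the point of the story: the platform's check passes the rogue update, so only an out-of-band fingerprint blocklist (or a rotated key) catches it.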

However, pre-loaded apps from the OEM do not go through the same channel, and have the added bonus of being able to run as the Android system. That’s right, more permissions and less security. Hurray? There are other controls in place to help prevent rogue updates from hitting your Samsung phone, but neither Google nor Samsung has clarified what those protections are or what users can do to improve their security. The best course of action is to only install Android apps from the Play Store and disable preloaded apps that you don’t use. Or buy an iPhone, you sheep.