Mobile App Distribution Transparency (MADT): Design and Evaluation of a System to Mitigate Necessary Trust in Mobile App Distribution Systems

SECURE IT SYSTEMS, NORDSEC 2023 (2024)

Abstract
Current mobile app distribution systems use (asymmetric) digital signatures to ensure integrity and authenticity for their apps. However, there are realistic threat models under which trust in such signatures is compromised. One example is an unconsciously leaked signing key that allows an attacker to distribute malicious updates to an existing app; other examples are intentional key sharing as well as insider attacks. Recent app store policy changes like Google Play Signing (and other similar OEM and free app stores like F-Droid) are a practically relevant case of intentional key sharing: such distribution systems take over key handling and create app signatures themselves, breaking up the previous end-to-end verifiable trust from developer to end-user device. This paper addresses these threats by proposing a system design that incorporates transparency logs and end-to-end verification in mobile app distribution systems to make unauthorized distribution attempts transparent and thus detectable. We analyzed the relevant security considerations with regard to our threat model as well as the security implications in the case where an attacker is able to compromise our proposed system. Finally, we implemented an open-source prototype extending F-Droid, which demonstrates practicability, feasibility, and performance of our proposed system.
Keywords
Mobile app distribution, Transparency logs, Supply-chain security, Verifiable trust, Digital signatures