
Keep it Like a Secret: When Android Apps Contain Private Keys

This presentation was given by Will Dormann, a member of the CERT technical staff, at the 2018 BSidesSF Conference on April 15 and April 16, 2018 at the City View at Metreon.

Software Engineering Institute


We all have secrets. And the way we keep them secret is by not telling them to others. Whether through inappropriate design or by sheer accident, many publicly available Android applications include private keys. By processing over 1 million applications from the Google Play Store, I have found thousands of private key files that are not private. Discovered private keys include PGP private keys, SSH private keys, OpenVPN keys, Android app signing keys, iOS app signing keys, HTTPS web server keys, and more. Password cracking techniques will also be discussed. Especially with password-protected private keys that are not used by the Android applications themselves, the key details and potential uses for them cannot be known until they are cracked.
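The kind of pre-release check that catches the problem described above, as an added example that is not code from the talk: it walks an APK (which is a zip archive), reports every embedded PEM private key together with its type and whether it is password-protected, and flags Java keystores by their magic bytes. The sample APK, its file names and the placeholder key bodies are constructed here for the demonstration.

```python
# Added example (not from the presentation): find private-key material inside an APK.
import io
import re
import zipfile

# PEM labels such as "RSA PRIVATE KEY", "OPENSSH PRIVATE KEY", "ENCRYPTED PRIVATE KEY"
# (PKCS#8) and "PGP PRIVATE KEY BLOCK"; the END line must carry the same label.
PEM_RE = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]*?PRIVATE KEY(?: BLOCK)?)-----(.*?)-----END \1-----", re.S)

# Binary key containers that carry no PEM header: a Java keystore starts with 0xFEEDFEED.
MAGIC = {b"\xfe\xed\xfe\xed": "Java keystore (JKS)"}


def scan_apk(apk_bytes):
    """Return a list of (path, kind, password_protected) for key material in the APK."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            data = zf.read(info)
            for m in PEM_RE.finditer(data):
                label, body = m.group(1).decode(), m.group(2)
                # Legacy OpenSSL PEM marks encryption in a Proc-Type header;
                # PKCS#8 marks it in the label itself.
                protected = b"Proc-Type: 4,ENCRYPTED" in body or label.startswith("ENCRYPTED")
                findings.append((info.filename, label, protected))
            for magic, kind in MAGIC.items():
                if data.startswith(magic):
                    # A JKS is always password-protected, but the password may be
                    # weak or shipped in the same app, so it still warrants review.
                    findings.append((info.filename, kind, True))
    return findings


def build_sample_apk():
    """Constructed sample: an unprotected SSH key, an encrypted legacy OpenSSL key
    and a JKS stub (magic bytes only) next to a dummy classes.dex."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 16)
        zf.writestr("assets/deploy_key", b"-----BEGIN OPENSSH PRIVATE KEY-----\n"
                    b"PLACEHOLDER-BASE64\n-----END OPENSSH PRIVATE KEY-----\n")
        zf.writestr("res/raw/client.key", b"-----BEGIN RSA PRIVATE KEY-----\n"
                    b"Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-128-CBC,PLACEHOLDER\n\n"
                    b"PLACEHOLDER-BASE64\n-----END RSA PRIVATE KEY-----\n")
        zf.writestr("assets/release.jks", b"\xfe\xed\xfe\xed\x00\x00\x00\x02")
    return buf.getvalue()


if __name__ == "__main__":
    for path, kind, protected in scan_apk(build_sample_apk()):
        print(f"{path}: {kind} ({'password-protected' if protected else 'UNPROTECTED'})")
```

Unprotected findings are usable by anyone who downloads the app; protected ones are only as safe as their password, which is the point the talk makes about cracking.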