According to GlobalStat, Android smartphones accounted for more than 72% of the market share in 2023, highlighting the increasing importance of Android security. Existing research typically examines certificate validation issues at the application level, although these issues can originate from multiple sources, including app developers and the authors of various libraries (e.g., ads, analytics) used in the applications. In this project, we employ certificates with common and well-documented validation issues: Unverified Certificate Signature: The app accepts any received certificate without verifying its signature, although it may still check the expiration date and domain name. Self-Signed Certificate: The app validates the signature using the public key contained in the certificate itself but may also verify the expiration date and domain name. Expired Certificate: The app securely validates the domain and signature of the certificate but ignores its validity period. Domain Mismatch: The app checks the certificate's expiration date and signature but skips verifying the match between the certificate's domain and the server name. Tasks: Conduct an automated analysis. Build a dataset of applications from the Google Play Store. Identify certificate validation issues. Run selected applications on devices with Android 13 factory images. Emphasize the importance of TLS security among app developers.

According to GlobalStat, Android smartphones accounted for more than 72% of the market share in 2023, highlighting the increasing importance of Android security. Existing research typically examines certificate validation issues at the application level, although these issues can originate from multiple sources, including app developers and the authors of various libraries (e.g., ads, analytics) used in the applications. In this project, we employ certificates with common and well-documented validation issues: Unverified Certificate Signature: The app accepts any received certificate without verifying its signature, although it may still check the expiration date and domain name. Self-Signed Certificate: The app validates the signature using the public key contained in the certificate itself but may also verify the expiration date and domain name. Expired Certificate: The app securely validates the domain and signature of the certificate but ignores its validity period. Domain Mismatch: The app checks the certificate's expiration date and signature but skips verifying the match between the certificate's domain and the server name. Tasks: Conduct an automated analysis. Build a dataset of applications from the Google Play Store. Identify certificate validation issues. Run selected applications on devices with Android 13 factory images. Emphasize the importance of TLS security among app developers.