
Research Uncovers Vulnerabilities in Android Key Attestation
The video presents research by Alex, a senior red team engineer at Amazon, on vulnerabilities in Android Key Attestation, the mechanism by which an Android app proves to a server that a cryptographic key was generated and is held in the device's secure hardware. The investigation started with a bot fraud and abuse case: users competed for offers through an Android app, bot operators disrupted the service, and the target company adopted key attestation to raise the cost for bot operators.

Alex identified three common PKI implementation mistakes in attestation verifiers: failing to validate the certificate chain back to the trusted root, skipping certificate revocation list (CRL) checks, and hard-coding certificates. Beyond these, he found a critical flaw in a Google-vended verification library: it did not validate the basic constraints and key usage extensions of the X.509 certificates in the chain. Without those checks, a certificate that was never authorized to act as a CA (a leaf without cA=TRUE and without the keyCertSign usage) can be used to sign further certificates, and the verifier accepts the extended chain as if it had been issued by the trusted root. The library, released in 2016 and marked for production use, was patched in 2023 without a CVE, so any implementation still carries the flaw unless its developers updated the code themselves. After the fixes were applied in the case described, bot traffic dropped from 30% to 2%, showing what correctly implemented attestation can do. Google later deprecated the library in late 2024 and redirected developers to a new, still unfinished version, while leaving the outdated documentation in place.

The research also uncovered organized efforts by threat actors to circumvent attestation, including discussions in Telegram channels and attempts to exploit compromised keyboxes (the per-device attestation keys and certificates provisioned by OEMs). Alex released a tool called KIA Tester to help developers check their implementations for these vulnerabilities.
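To make the basic constraints and key usage flaw concrete, here is an added example (written for this page, not code from the talk, the library, or the KIA Tester tool). It constructs its own three-certificate scenario with Go's standard library: a root CA, an honest leaf issued by the root with cA=FALSE and only digitalSignature usage, and a forged certificate signed with the leaf's private key. A naive verifier that only checks each signature against its issuer's public key, which is the behaviour described above, accepts the forged chain; a strict verifier that also requires every issuer to carry cA=TRUE, keyCertSign, and a satisfied pathLenConstraint rejects it. All names, serial numbers and the root itself are constructed for the example and have nothing to do with Google's attestation root.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Chain is ordered leaf first and trusted root last, the order an
// attestation chain is delivered in.
type Chain []*x509.Certificate

// NaiveVerify mirrors the flawed behaviour: it confirms the chain ends at the
// trusted root and that each certificate's signature verifies under the next
// certificate's public key, but never looks at basicConstraints or keyUsage.
// Illustrative only; this is not the vendored library's code.
func NaiveVerify(chain Chain, root *x509.Certificate) error {
	if len(chain) == 0 {
		return errors.New("empty chain")
	}
	if !chain[len(chain)-1].Equal(root) {
		return errors.New("chain does not terminate at the trusted root")
	}
	for i := 0; i+1 < len(chain); i++ {
		child, issuer := chain[i], chain[i+1]
		// Raw signature check only: no constraint checks on the issuer.
		if err := issuer.CheckSignature(child.SignatureAlgorithm, child.RawTBSCertificate, child.Signature); err != nil {
			return fmt.Errorf("cert %d: signature does not verify under cert %d: %w", i, i+1, err)
		}
	}
	return nil
}

// StrictVerify adds the RFC 5280 section 4.2.1.9 / 4.2.1.3 checks that the
// naive verifier lacks: every certificate used as an issuer must assert
// cA=TRUE, must permit keyCertSign if it carries keyUsage at all, and must
// not be deeper than its pathLenConstraint allows.
func StrictVerify(chain Chain, root *x509.Certificate) error {
	if err := NaiveVerify(chain, root); err != nil {
		return err
	}
	for i := 1; i < len(chain); i++ {
		issuer := chain[i]
		if !issuer.BasicConstraintsValid || !issuer.IsCA {
			return fmt.Errorf("cert %d signs cert %d but does not assert basicConstraints cA", i, i-1)
		}
		if issuer.KeyUsage != 0 && issuer.KeyUsage&x509.KeyUsageCertSign == 0 {
			return fmt.Errorf("cert %d signs cert %d without keyCertSign usage", i, i-1)
		}
		// i-1 is the number of intermediate CAs between this issuer and the leaf.
		if (issuer.MaxPathLenZero || issuer.MaxPathLen > 0) && i-1 > issuer.MaxPathLen {
			return fmt.Errorf("cert %d exceeds its pathLenConstraint of %d", i, issuer.MaxPathLen)
		}
	}
	return nil
}

// Scenario holds the constructed certificates: an honest chain and a forged
// one in which the honest leaf (not a CA) has issued a further certificate.
type Scenario struct {
	Root   *x509.Certificate
	Honest Chain // leaf, root
	Forged Chain // forged, leaf, root
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

func template(cn string, serial int64, isCA bool, usage x509.KeyUsage) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              usage,
	}
}

// issue signs tmpl with signer, naming parent as the issuer, and parses the result.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

func BuildScenario() Scenario {
	rootKey, leafKey, forgedKey := newKey(), newKey(), newKey()
	rootTmpl := template("Example Attestation Root (constructed)", 1, true, x509.KeyUsageCertSign|x509.KeyUsageCRLSign)
	root := issue(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey) // self-signed
	leaf := issue(template("Honest device leaf", 2, false, x509.KeyUsageDigitalSignature), root, &leafKey.PublicKey, rootKey)
	// The attack: whoever holds the leaf's private key signs a new certificate with it.
	forged := issue(template("Forged leaf", 3, false, x509.KeyUsageDigitalSignature), leaf, &forgedKey.PublicKey, leafKey)
	return Scenario{Root: root, Honest: Chain{leaf, root}, Forged: Chain{forged, leaf, root}}
}

func main() {
	s := BuildScenario()
	fmt.Println("honest chain, naive :", NaiveVerify(s.Honest, s.Root))
	fmt.Println("honest chain, strict:", StrictVerify(s.Honest, s.Root))
	fmt.Println("forged chain, naive :", NaiveVerify(s.Forged, s.Root)) // nil: accepted
	fmt.Println("forged chain, strict:", StrictVerify(s.Forged, s.Root))
}
```

The practical check for a verifier is the StrictVerify loop: every certificate that signs another must be a CA with keyCertSign, and the trusted root must be compared by value, not by subject name. Go's own `(*Certificate).CheckSignatureFrom` already performs the cA and keyCertSign checks, which is why the naive verifier above has to call the lower-level `CheckSignature` to reproduce the flaw; a real implementation should use `CheckSignatureFrom` or `Verify` rather than raw signature checks.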