[Cryptography] Cryptographic signing of software is security theater

Jerry Leichter leichter at lrw.com
Sat Dec 3 09:44:44 EST 2022


Ars Technica reports (https://arstechnica.com/gadgets/2022/12/samsungs-android-app-signing-key-has-leaked-is-being-used-to-sign-malware/) on a recent finding that a number of keys used to sign Android apps - including some with system-level privileges - have leaked.  These are the signatures that are supposed to ensure that updates are from the original producer of the apps or other software.

We're not talking about software from some minor app vendors:  Among the leaked keys are those belonging to LG, Mediatek - and Samsung.  Samsung's single key is used to sign pretty much every piece of software Samsung ships.  Samples of malware signed with that key have been found dating back to 2016, so it was out in the wild 6+ years ago!  Meanwhile, Samsung continues to use the same compromised key.

Samsung of course says it "takes the security of Galaxy devices seriously. We have issued security patches since 2016..." which somehow fix the problem.  The Android security team also says this isn't such a big deal because "OEM partners promptly implemented mitigation measures" and Google also has malware detection mechanisms as part of the Google Play Store.

So ... since the keys have been out there for years, the cryptographic signatures based on them cannot be adding any security.  Either the unspecified "mitigation mechanisms" work, or they don't - but regardless, the signatures themselves are just theater at this point.
-- Jerry
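As an added illustration of the point above (example code, not from the post or any vendor), a small Go update verifier that pins vendor public keys and also consults a revocation list; the key pair and both payloads are generated and constructed for the example, and the vendor is hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
)

// Verifier models an update client that pins vendor public keys and also
// consults a revocation list. Keys are generated here for a hypothetical
// vendor; none of them is any real vendor's signing key.
type Verifier struct {
	Trusted map[string]ed25519.PublicKey // key ID -> pinned public key
	Revoked map[string]bool              // key IDs known to be compromised
}

// Accept reports whether an update is trusted and why. A valid signature
// alone is not enough: the key must be pinned and must not be revoked.
func (v *Verifier) Accept(id string, update, sig []byte) (bool, string) {
	pk, ok := v.Trusted[id]
	if !ok {
		return false, "unknown signing key"
	}
	if !ed25519.Verify(pk, update, sig) {
		return false, "bad signature"
	}
	if v.Revoked[id] {
		return false, "signature valid, but key is revoked"
	}
	return true, "ok"
}

// Demo shows why signatures under a leaked key add nothing: a genuine update and
// a hostile payload (both constructed strings) verify identically; only revocation changes the verdict.
func Demo() (genuineOK, hostileOK, hostileAfterRevoke bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	id := hex.EncodeToString(pub[:8]) // short key identifier
	v := &Verifier{Trusted: map[string]ed25519.PublicKey{id: pub}, Revoked: map[string]bool{}}
	genuine := []byte("vendor-app-v2.apk (constructed)")
	hostile := []byte("repackaged-app-with-payload (constructed)")
	genuineOK, _ = v.Accept(id, genuine, ed25519.Sign(priv, genuine))
	// Whoever holds the leaked private key produces an equally valid signature.
	hostileOK, _ = v.Accept(id, hostile, ed25519.Sign(priv, hostile))
	v.Revoked[id] = true // the only check the verifier can actually enforce
	hostileAfterRevoke, _ = v.Accept(id, hostile, ed25519.Sign(priv, hostile))
	return
}
```

Demo returns true, true, false: the verifier cannot tell the two payloads apart by signature alone, and the revocation entry is what finally rejects the hostile one.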


