{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,18]],"date-time":"2026-03-18T10:16:57Z","timestamp":1773829017664,"version":"3.50.1"},"reference-count":38,"publisher":"Springer Science and Business Media LLC","issue":"1","license":[{"start":{"date-parts":[[2026,3,18]],"date-time":"2026-03-18T00:00:00Z","timestamp":1773792000000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"},{"start":{"date-parts":[[2026,3,18]],"date-time":"2026-03-18T00:00:00Z","timestamp":1773792000000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"}],"funder":[{"DOI":"10.13039\/501100001809","name":"National Natural Science Foundation of China","doi-asserted-by":"publisher","award":["No. 62202486"],"award-info":[{"award-number":["No. 62202486"]}],"id":[{"id":"10.13039\/501100001809","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/501100001809","name":"National Natural Science Foundation of China","doi-asserted-by":"publisher","award":["U22B2005"],"award-info":[{"award-number":["U22B2005"]}],"id":[{"id":"10.13039\/501100001809","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/501100013058","name":"Jiangsu Provincial Key Research and Development Program","doi-asserted-by":"publisher","award":["No. BE2023004-4"],"award-info":[{"award-number":["No. BE2023004-4"]}],"id":[{"id":"10.13039\/501100013058","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/501100012269","name":"Science and Technology Innovative Research Team in Higher Educational Institutions of Hunan Province","doi-asserted-by":"publisher","award":["No. 2024RC3139"],"award-info":[{"award-number":["No. 2024RC3139"]}],"id":[{"id":"10.13039\/501100012269","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["Cybersecurity"],"abstract":"<jats:title>Abstract<\/jats:title>\n                  <jats:p>The HTTPS certificate ecosystem has long been a key topic in cybersecurity, yet the certificate landscape of Android applications remains insufficiently studied. In particular, while China has actively promoted the adoption of China\u2019s national cryptographic algorithms in recent years, their actual deployment within the Chinese Android certificate ecosystem remains unclear. In this study, we analyzed TLS traffic from 19,980 applications in the Huawei App Market and extracted 131,933 certificate chains. While most certificates are properly configured, we identified 530 certificates with security risks, affecting 2043 applications. Notably, three SDK-related risk certificates were propagated across 1462 applications, substantially widening their security impact. Only 94 certificates using China\u2019s national cryptographic algorithms were found, all within 89 financial applications, indicating deployment driven mainly by regulatory compliance. Furthermore, nearly 99% of leaf certificates chain back to foreign root Certificate Authorities, underscoring a strong dependency that may pose digital sovereignty risks under geopolitical uncertainty. This study highlights the existing challenges in the Chinese Android certificate ecosystem, particularly in terms of security and digital sovereignty, and offers relevant recommendations for improvement.<\/jats:p>","DOI":"10.1186\/s42400-026-00560-z","type":"journal-article","created":{"date-parts":[[2026,3,18]],"date-time":"2026-03-18T07:56:51Z","timestamp":1773820611000},"update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":0,"title":["Exploring the android TLS certificate ecosystem in China"],"prefix":"10.1186","volume":"9","author":[{"given":"Peng","family":"Yuan","sequence":"first","affiliation":[]},{"ORCID":"https:\/\/orcid.org\/0000-0001-7413-8174","authenticated-orcid":false,"given":"Shuhui","family":"Chen","sequence":"additional","affiliation":[]},{"given":"Ziling","family":"Wei","sequence":"additional","affiliation":[]},{"given":"Fei","family":"Wang","sequence":"additional","affiliation":[]},{"given":"Zhenhao","family":"Luo","sequence":"additional","affiliation":[]}],"member":"297","published-online":{"date-parts":[[2026,3,18]]},"reference":[{"key":"560_CR1","doi-asserted-by":"publisher","unstructured":"Allen C, Dierks T (1999) The TLS Protocol Version 1.0. RFC Editor . https:\/\/doi.org\/10.17487\/RFC2246","DOI":"10.17487\/RFC2246"},{"key":"560_CR2","unstructured":"AppInChina: Chinese android app store rankings and optimization guide. https:\/\/appinchina.co\/market\/app-stores\/. Accessed 2 Nov 2024 (2024)"},{"key":"560_CR3","unstructured":"Are certificate chains required in the Truststore for Mutual TLS? https:\/\/discuss.google.dev\/t\/are-certificate-chains-required-in-the-truststore-for-mutual-tls\/6890. Accessed 08 Dec 2025"},{"key":"560_CR4","unstructured":"Authors TCP (2023) Certificate Lifetimes in Chromium. https:\/\/chromium.googlesource.com\/chromium\/src\/+\/main\/net\/docs\/certificate_lifetimes.md"},{"key":"560_CR5","doi-asserted-by":"publisher","unstructured":"Boeyen S, Santesson S, Polk T, Housley R, Farrell S, Cooper D (2008) Internet X.509 public key infrastructure certificate and certificate revocation list (CRL) Profile. RFC Editor . https:\/\/doi.org\/10.17487\/RFC5280","DOI":"10.17487\/RFC5280"},{"key":"560_CR6","doi-asserted-by":"crossref","unstructured":"Chung T, Liu Y, Choffnes D, Levin D, Maggs BM, Mislove A, Wilson C (2016) Measuring and applying invalid ssl certificates: The silent majority. In: Proceedings of the 2016 internet measurement conference, pp 527\u2013541","DOI":"10.1145\/2987443.2987454"},{"key":"560_CR7","unstructured":"Cloudflare I (2024) What is mutual TLS? https:\/\/www.cloudflare.com\/learning\/access-management\/what-is-mutual-tls\/. Accessed 2 Nov 2024"},{"key":"560_CR8","unstructured":"Cordova Azevedo A, Scheid EJ, Figueredo Franco M, Zambenedetti Granville L (2025) Assessing ssl\/tls certificate centralization: implications for digital sovereignty. arXiv e-prints, 2504"},{"key":"560_CR9","unstructured":"DigiCert I (2015) What the Acquisition of CyberTrust Roots Means. https:\/\/www.digicert.com\/blog\/what-the-acquisition-of-cybertrust-roots-means. Accessed 2 Nov 2024"},{"key":"560_CR10","unstructured":"Dongpoxiazai. https:\/\/www.uzzf.com\/ydapp\/soft.html. Accessed 02 July 2025"},{"key":"560_CR11","doi-asserted-by":"crossref","unstructured":"Durumeric Z, Kasten J, Bailey M, Halderman JA (2013) Analysis of the https certificate ecosystem. In: Proceedings of the 2013 conference on internet measurement conference, pp 291\u2013304","DOI":"10.1145\/2504730.2504755"},{"key":"#cr-split#-560_CR12.1","doi-asserted-by":"crossref","unstructured":"Fahl S, Harbach M, Muders T, Baumg\u00e4rtner L, Freisleben B, Smith M (2012) Why eve and mallory love android: an analysis of android ssl","DOI":"10.1145\/2382196.2382205"},{"key":"#cr-split#-560_CR12.2","unstructured":"(in) security. In: Proceedings of the 2012 ACM conference on computer and communications security, pp 50-61"},{"key":"560_CR13","doi-asserted-by":"crossref","unstructured":"Fahl S, Harbach M, Perl H, Koetter M, Smith M (2013) Rethinking ssl development in an appified world. In: Proceedings of the 2013 ACM SIGSAC conference on computer & communications security, pp 49\u201360","DOI":"10.1145\/2508859.2516655"},{"key":"560_CR14","doi-asserted-by":"crossref","unstructured":"Holz R, Braun L, Kammenhuber N, Carle G (2011) The ssl landscape: a thorough analysis of the x. 509 pki using active and passive measurements. In: Proceedings of the 2011 ACM SIGCOMM Conference on Internet Measurement Conference, pp. 427\u2013444","DOI":"10.1145\/2068816.2068856"},{"key":"560_CR15","doi-asserted-by":"crossref","unstructured":"Huang LS, Rice A, Ellingsen E, Jackson C (2014) Analyzing forged ssl certificates in the wild. In: 2014 IEEE symposium on security and privacy. IEEE, pp 83\u201397","DOI":"10.1109\/SP.2014.13"},{"key":"560_CR16","doi-asserted-by":"crossref","unstructured":"Jahromi AS, Abdou A (2021) Comparative analysis of dot and https certificate ecosystems. Proc, NDSS MADWeb","DOI":"10.14722\/madweb.2021.23027"},{"key":"560_CR17","unstructured":"jiguangxiazai. https:\/\/www.xz7.com\/android\/apps.html. Accessed 02 July 2025"},{"key":"560_CR18","doi-asserted-by":"publisher","first-page":"135742","DOI":"10.1109\/ACCESS.2020.3011137","volume":"8","author":"S Kakei","year":"2020","unstructured":"Kakei S, Shiraishi Y, Mohri M, Nakamura T, Hashimoto M, Saito S (2020) Cross-certification towards distributed authentication infrastructure: a case of hyperledger fabric. IEEE Access 8:135742\u2013135757","journal-title":"IEEE Access"},{"key":"560_CR19","doi-asserted-by":"crossref","unstructured":"Kim D, Cho H, Kwon Y, Doup\u00e9 A, Son S, Ahn GJ, Dumitras T (2021) Security analysis on practices of certificate authorities in the https phishing ecosystem. In: Proceedings of the 2021 ACM Asia conference on computer and communications security, pp 407\u2013420","DOI":"10.1145\/3433210.3453100"},{"issue":"5","key":"560_CR20","doi-asserted-by":"publisher","first-page":"93","DOI":"10.1109\/MSP.2016.106","volume":"14","author":"J Margulies","year":"2016","unstructured":"Margulies J, Berg M (2016) That certificate you bought could get you hacked. IEEE Secur Privacy 14(5):93\u201395","journal-title":"IEEE Secur Privacy"},{"key":"560_CR21","unstructured":"Microsoft: Rotate root certificates for Azure Database for MySQL - Flexible Server. https:\/\/learn.microsoft.com\/en-us\/azure\/mysql\/flexible-server\/concepts-root-certificate-rotation. Microsoft Azure Documentation (2025)"},{"key":"560_CR22","doi-asserted-by":"publisher","unstructured":"Nystr\u00f6m M, Kaliski B (2000) PKCS #10: certification request syntax specification version 1.7. RFC Editor . https:\/\/doi.org\/10.17487\/RFC2986","DOI":"10.17487\/RFC2986"},{"key":"560_CR23","unstructured":"People\u2019s Bank of China: information system commercial cryptography application of financial industry - Basic requirements. Accessed 02 July 2025 (2022). https:\/\/cfstc.pbc.gov.cn\/bzgk\/detail\/?id=0&bzId=1990"},{"key":"560_CR24","unstructured":"Pourali S, Yu X, Zhao L, Mannan M, Youssef A (2024) Racing for $$\\{$$TLS$$\\}$$ certificate validation: A hijacker\u2019s guide to the android $$\\{$$TLS$$\\}$$ galaxy. In: 33rd USENIX security symposium (USENIX security 24), pp 683\u2013700"},{"key":"560_CR25","unstructured":"Project, C (2024) Moving Forward Together: Chromium Security Root CA Policy. https:\/\/www.chromium.org\/Home\/chromium-security\/root-ca-policy\/moving-forward-together\/. Accessed 2 Nov 2024"},{"key":"560_CR26","doi-asserted-by":"publisher","unstructured":"Purushothaman J, Thompson E, Abdou A (2022) Position paper: Certificate root stores-an area of unity or disparity? In: Proceedings of the 15th workshop on cyber security experimentation and test. CSET \u201922. Association for Computing Machinery, New York, pp 105\u2013110. https:\/\/doi.org\/10.1145\/3546096.3546110","DOI":"10.1145\/3546096.3546110"},{"key":"560_CR27","doi-asserted-by":"publisher","unstructured":"Rescorla E (2018) The Transport Layer Security (TLS) Protocol Version 1.3. RFC Editor. https:\/\/doi.org\/10.17487\/RFC8446","DOI":"10.17487\/RFC8446"},{"key":"560_CR28","unstructured":"Rongmao C, Yi W, Xinyi H (2023) Rcca-secure public-key encryption based on sm2. SCIENTIA SINICA Informationis, 266\u2013281"},{"key":"560_CR29","unstructured":"Shanghai Changzhi Network Technology Co., Ltd: LDPlayer Official Site\u2014Android Emulator for PC. https:\/\/www.ldmnq.com\/. Accessed 2 Nov 2024 (2017)"},{"key":"560_CR30","doi-asserted-by":"crossref","unstructured":"Singanamalla S, Jang EHB, Anderson R, Kohno T, Heimerl K (2020) Accept the risk and continue: Measuring the long tail of government https adoption. In: Proceedings of the ACM internet measurement conference, pp 577\u2013597","DOI":"10.1145\/3419394.3423645"},{"key":"560_CR31","doi-asserted-by":"crossref","unstructured":"Stevens M, Karpman P, Peyrin T (2016) Freestart collision for full sha-1. In: Advances in Cryptology-EUROCRYPT 2016: 35th annual international conference on the theory and applications of cryptographic techniques, Vienna, Austria, May 8\u201312, 2016, Proceedings, Part I 35. Springer, pp 459\u2013483","DOI":"10.1007\/978-3-662-49890-3_18"},{"key":"560_CR32","unstructured":"Toulas B (2022) Russia creates its own TLS certificate authority to bypass sanctions. Bleeping Computer"},{"key":"560_CR33","doi-asserted-by":"crossref","unstructured":"Vallina-Rodriguez N, Amann J, Kreibich C, Weaver N, Paxson V (2014) A tangled mass: the android root certificate stores. In: Proceedings of the 10th ACM international on conference on emerging networking experiments and technologies, pp 141\u2013148","DOI":"10.1145\/2674005.2675015"},{"key":"560_CR34","doi-asserted-by":"publisher","first-page":"182065","DOI":"10.1109\/ACCESS.2020.3029190","volume":"8","author":"X Wang","year":"2020","unstructured":"Wang X, Chen S, Su J (2020) Automatic mobile app identification from encrypted traffic with hybrid neural networks. Ieee Access 8:182065\u2013182077","journal-title":"Ieee Access"},{"key":"560_CR35","doi-asserted-by":"crossref","unstructured":"Wang X, Yin YL, Yu H (2005) Finding collisions in the full sha-1. In: Advances in cryptology-CRYPTO 2005: 25th annual international cryptology conference, Santa Barbara, California, USA, August 14\u201318, 2005. Proceedings 25. Springer, pp 17\u201336","DOI":"10.1007\/11535218_2"},{"key":"560_CR36","doi-asserted-by":"crossref","unstructured":"Wang X, Yu H (2005) How to break md5 and other hash functions. In: Annual international conference on the theory and applications of cryptographic techniques. Springer, pp 19\u201335","DOI":"10.1007\/11426639_2"},{"key":"560_CR37","unstructured":"Zhi Guan: GmSSL (2023) https:\/\/github.com\/guanzhi\/GmSSL. Accessed 2 Nov 2024"}],"container-title":["Cybersecurity"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1186\/s42400-026-00560-z.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/article\/10.1186\/s42400-026-00560-z","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1186\/s42400-026-00560-z.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2026,3,18]],"date-time":"2026-03-18T07:57:18Z","timestamp":1773820638000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1186\/s42400-026-00560-z"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2026,3,18]]},"references-count":38,"journal-issue":{"issue":"1","published-online":{"date-parts":[[2026,12]]}},"alternative-id":["560"],"URL":"https:\/\/doi.org\/10.1186\/s42400-026-00560-z","relation":{},"ISSN":["2523-3246"],"issn-type":[{"value":"2523-3246","type":"electronic"}],"subject":[],"published":{"date-parts":[[2026,3,18]]},"assertion":[{"value":"24 April 2025","order":1,"name":"received","label":"Received","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"9 February 2026","order":2,"name":"accepted","label":"Accepted","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"18 March 2026","order":3,"name":"first_online","label":"First Online","group":{"name":"ArticleHistory","label":"Article History"}},{"order":1,"name":"Ethics","group":{"name":"EthicsHeading","label":"Declarations"}},{"value":"The authors declare that they have no Conflict of interest.","order":2,"name":"Ethics","group":{"name":"EthicsHeading","label":"Conflict of interest"}}],"article-number":"139"}}