Software Engineering Institute

We all have secrets. And the way we keep them secrets is by not telling them to others. Either because of inappropriate design, or by sheer accident, many publicly-available Android applications include private keys in them. By processing over 1 million applications from the Google Play Store, I have found thousands of private key files that are not private. Discovered private keys include PGP private keys, SSH private keys, OpenVPN keys, Android app signing keys, iOS app signing keys, HTTPS web server keys, and more. Password cracking techniques will also be discussed. Especially with password-protected private keys that are not used by the Android applications themselves, the key details and potential uses for them cannot be known until they are cracked.