Exploring the android TLS certificate ecosystem in China
Abstract
The HTTPS certificate ecosystem has long been a key topic in cybersecurity, yet the certificate landscape of Android applications remains insufficiently studied. In particular, while China has actively promoted the adoption of China’s national cryptographic algorithms in recent years, their actual deployment within the Chinese Android certificate ecosystem remains unclear. In this study, we analyzed TLS traffic from 19,980 applications in the Huawei App Market and extracted 131,933 certificate chains. While most certificates are properly configured, we identified 530 certificates with security risks, affecting 2043 applications. Notably, three SDK-related risk certificates were propagated across 1462 applications, substantially widening their security impact. Only 94 certificates using China’s national cryptographic algorithms were found, all within 89 financial applications, indicating deployment driven mainly by regulatory compliance. Furthermore, nearly 99% of leaf certificates chain back to foreign root Certificate Authorities, underscoring a strong dependency that may pose digital sovereignty risks under geopolitical uncertainty. This study highlights the existing challenges in the Chinese Android certificate ecosystem, particularly in terms of security and digital sovereignty, and offers relevant recommendations for improvement.
Authors (5)
Peng Yuan
Shuhui Chen
Ziling Wei
Fei Wang
Zhenhao Luo
Quick Access
- Year of Publication: 2026
- Database Source: DOAJ
- DOI: 10.1186/s42400-026-00560-z
- Access: Open Access ✓