Assessing and Enhancing Quantum Readiness in Mobile Apps

📅 2025-06-01
🤖 AI Summary
Mobile application ecosystems face imminent threats from quantum computing, as widely deployed public-key cryptosystems—including RSA and ECC—are vulnerable, and NIST-standardized post-quantum cryptography (PQC) remains entirely unadopted in practice. Method: We conduct the first large-scale static binary analysis of over 4,000 Android apps to assess quantum vulnerability and PQC readiness; further, we design and evaluate an LLM-assisted migration framework leveraging GPT-4o, Gemini Flash, and Claude Sonnet for automated cryptographic replacement. Contribution/Results: Our analysis reveals that 98.2% of apps contain quantum-vulnerable cryptographic primitives, with 0% PQC deployment. While LLMs achieve 100% success in isolated, single-function hash replacements, they fail catastrophically (100% failure rate) in cross-file, context-sensitive PQC upgrades—primarily due to inability to resolve dependency coordination and import statement repair. We propose a system-level PQC migration capability evaluation paradigm, demonstrating that purely LLM-based approaches are infeasible and underscoring the necessity of structured tooling integrated with contextual awareness.

📝 Abstract
Quantum computers threaten widely deployed cryptographic primitives such as RSA, DSA, and ECC. While NIST has released post-quantum cryptographic (PQC) standards (e.g., Kyber, Dilithium), mobile app ecosystems remain largely unprepared for this transition. We present a large-scale binary analysis of over 4,000 Android apps to assess cryptographic readiness. Our results show widespread reliance on quantum-vulnerable algorithms such as MD5, SHA-1, and RSA, while PQC adoption remains absent in production apps. To bridge the readiness gap, we explore LLM-assisted migration. We evaluate leading LLMs (GPT-4o, Gemini Flash, Claude Sonnet, etc.) for automated cryptographic migration. All models successfully performed simple hash replacements (e.g., SHA-1 to SHA-256). However, none produced correct PQC upgrades due to multi-file changes, missing imports, and lack of context awareness. These results underscore the need for structured guidance and system-aware tooling for post-quantum migration.
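
Added example, not code from the paper or its authors: a small readiness check in the spirit of the analysis the abstract describes. It assumes decompiled Java text as input (the paper analyzes app binaries), looks for JCA `getInstance` calls, and sorts the algorithm names into buckets; the bucket names, function names and sample input are this example's own.

```python
import re
from collections import Counter

# JCA factory calls whose first string argument names the algorithm.
CALL_RE = re.compile(
    r'\b(Cipher|Signature|KeyPairGenerator|KeyFactory|KeyAgreement|MessageDigest)'
    r'\.getInstance\(\s*"([^"]+)"')

# Buckets are this example's assumption, not the paper's taxonomy.
SHOR_BROKEN = {"RSA", "DSA", "EC", "ECDSA", "ECDH", "DH", "DIFFIEHELLMAN"}
LEGACY_HASH = {"MD5", "SHA1", "SHA-1"}
PQC_PREFIXES = ("ML-KEM", "ML-DSA", "SLH-DSA", "KYBER", "DILITHIUM")

def classify(factory, algorithm):
    """Map one getInstance() argument to a readiness bucket."""
    name = algorithm.upper()
    if factory == "Signature" and "WITH" in name:
        name = name.split("WITH", 1)[1]   # SHA256withECDSA -> ECDSA
    name = name.split("/", 1)[0]          # RSA/ECB/... -> RSA
    if name.startswith(PQC_PREFIXES):
        return "pqc"
    if name in SHOR_BROKEN:
        return "quantum-vulnerable"
    if name in LEGACY_HASH:
        return "legacy-hash"
    return "other"

def scan(sources):
    """sources: {path: decompiled Java text} -> (findings, bucket counts)."""
    findings = []
    for path, text in sources.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            for factory, algorithm in CALL_RE.findall(line):
                findings.append((path, lineno, algorithm, classify(factory, algorithm)))
    return findings, Counter(f[3] for f in findings)

# Constructed sample input standing in for decompiled app code.
SAMPLE = {
    "com/example/net/Pinning.java": (
        'Signature s = Signature.getInstance("SHA256withECDSA");\n'
        'MessageDigest d = MessageDigest.getInstance("SHA-1");\n'),
    "com/example/store/Vault.java": (
        'Cipher c = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");\n'
        'Cipher a = Cipher.getInstance("AES/GCM/NoPadding");\n'
        'KeyPairGenerator g = KeyPairGenerator.getInstance("EC");\n'),
}

if __name__ == "__main__":
    findings, counts = scan(SAMPLE)
    for f in findings:
        print(*f, sep="\t")
    print(dict(counts))
```
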
Problem

Research questions and friction points this paper is trying to address.

Assessing quantum vulnerability in mobile app cryptography
Evaluating post-quantum crypto adoption in Android apps
Exploring LLM-assisted migration challenges for PQC standards
Innovation

Methods, ideas, or system contributions that make the work stand out.

Large-scale binary analysis of Android apps
LLM-assisted cryptographic migration evaluation
System-aware tooling for post-quantum upgrades

Joseph Strauss
Louisiana State University

Krishna Upadhyay
PhD Student of Computer Science, Louisiana State University
software engineering, quantum software

A.B. Siddique
University of Kentucky

Ibrahim M. Baggili
Louisiana State University

Umar Farooq
Louisiana State University