
Android 14 may come with updatable root certificates


Root certificates are the core of the public key infrastructure (PKI) and are signed by trusted certificate authorities, or CAs. Browsers, applications and other programs ship with a pre-packaged root store, which marks these certificates as trusted. If you visit a website that supports HTTPS but does not use a certificate signed by a CA in your browser’s root store, the website will be marked as not secure. Apps and browsers can usually update their own certificates, but your phone can’t, except through an OTA update. That may change with Android 14, according to wait.

There have been a couple of scares over the years involving certificates, and that stems from our reliance on them as the core of a chain of trust when visiting websites. At XDA, our certificate is signed by Let’s Encrypt, a non-profit CA. Its certificate is signed by the Internet Security Research Group, and it is this chain of trust that ensures that your connection to this website is secure. The same goes for any other website you visit that uses HTTPS.

Every operating system has its own built-in root store, and Android is no different. In fact, you can view this root store on your Android smartphone by navigating to security and privacy in your device’s settings. From there it will depend on the type of device you’re using, but the screenshots below show where it is in OneUI 5.

The thing is, though, that even this root store isn’t the be-all and end-all. Apps can choose to use and trust their own root store (which is what Firefox does), and can accept only specific certificates (called certificate pinning) in an effort to prevent man-in-the-middle (MITM) attacks. Users can install their own certificates, but since Android 7 app developers have had to opt in for their apps to use these certificates.
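The opt-in and pinning behaviour described above is controlled per app through Android's Network Security Configuration file. The following is an added example, not taken from the article or from any particular app; the domain `api.example.com` and both pin values are placeholders.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml, referenced from the manifest with
     android:networkSecurityConfig="@xml/network_security_config" -->
<network-security-config>

    <!-- Release behaviour: trust only the system root store. This matches the
         default for apps targeting Android 7.0 (API 24) and later, so
         user-installed CAs are ignored unless the app opts in. -->
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>

    <!-- Certificate pinning for one host (placeholder domain). Each pin is the
         base64 SHA-256 hash of a certificate's SubjectPublicKeyInfo. Pins are
         checked in addition to normal chain validation, so the chain must
         still end in a trusted root. Always ship a backup pin; once the
         expiration date passes, pinning is no longer enforced. -->
    <domain-config>
        <domain includeSubdomains="true">api.example.com</domain>
        <pin-set expiration="2030-01-01">
            <pin digest="SHA-256">REPLACE_WITH_BASE64_SHA256_OF_PRIMARY_SPKI=</pin>
            <pin digest="SHA-256">REPLACE_WITH_BASE64_SHA256_OF_BACKUP_SPKI=</pin>
        </pin-set>
    </domain-config>

    <!-- Opt in to user-installed CAs for debuggable builds only, so a test
         proxy works during development while release builds keep ignoring
         the user store. -->
    <debug-overrides>
        <trust-anchors>
            <certificates src="user" />
        </trust-anchors>
    </debug-overrides>

</network-security-config>
```

Adding `<certificates src="user" />` to `base-config` instead would make release builds trust user-installed CAs as well, which is the opt-in the paragraph above refers to.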

Why it is important to have updatable root certificates

With Let’s Encrypt certificates signed by the Internet Security Research Group, a lot of the Internet depends on the security of the ISRG. If ISRG lost control of its private key (in case of theft, for example), ISRG would have to revoke the key. Depending on how companies respond, parts of the Internet may become inaccessible to devices that do not have updatable root certificates. While that’s a completely catastrophic (and purely hypothetical) nightmare scenario, it’s exactly the kind of scenario Google wants to avoid. That’s why what’s happening with TrustCor currently could signal to Google that it’s time to add updatable root certificates to Android.

For context, TrustCor is one such certificate authority that has come under scrutiny after investigators alleged it had close ties to a US military contractor. TrustCor has not lost its private key, but it has lost the confidence of many companies that need to decide which certificates to include in their root stores. Those researchers alleged that the US military contractor tied to TrustCor had paid developers to place data-harvesting malware in smartphone apps. In PKI, trust is everything, and TrustCor lost that trust once those allegations came to light. Since then, companies like Google, Microsoft, and Mozilla have removed TrustCor as a certificate authority. However, removing the TrustCor certificates from the Android root store will require an OTA update, and although the commit has already been made in AOSP, it will likely be a long time until you or I have the update that removes TrustCor’s certificates from our devices.

Drop-TrustCor Certificates

The upside is that you can disable TrustCor’s certificates yourself right now by going to the certificate list on your device, as we showed above, scrolling down to TrustCor, and disabling the three certificates that came with your device. According to the developers of the GrapheneOS project, there should be “very little impact on web compatibility because this CA is hardly used by anyone other than a specific dynamic DNS provider.”

The Solution: Project Mainline

If you’re familiar with Project Mainline, then you can already see how this can help resolve the issue. Google uses Mainline modules that are delivered through the framework of Google Play Services and the Google Play Store. Each Mainline module is delivered as an APK file, an APEX file, or an APK in APEX. When a Mainline module is updated, the user sees a “Google Play System Update” (GPSU) notification on their device. In effect, to deliver updates to critical components, Google has removed the need to wait for an OEM to deploy an update, choosing to do the task itself. Bluetooth and Ultra-wideband are two essential Mainline modules handled by Google.

According to the commits in AOSP Gerrit (seen by wait), Conscrypt, a Mainline module that provides Android’s TLS implementation, will support updatable root certificates in a future update. This would mean that certificates could be removed (or even added) via a Google Play system update through Project Mainline, ensuring a much faster process should another situation such as TrustCor (or worse) occur in the future. It’s unclear when this will roll out, but it’s likely that it will arrive with Android 14. It’s technically possible that Google might want to push it with Android 13 QPR2, but it would only benefit Google Pixel users until Android 14 reaches everyone else next year anyway. This is because other OEMs generally do not implement QPR updates.

The entire reason for this would be so that Google can maintain control over another crucial aspect of device security without having to rely on OEMs to push updates. An OTA is currently required to update certificates, but in an emergency situation every day that users don’t have an update could be important. Using Project Mainline to ensure that users can get critical certificate updates in time if they ever need them is certainly a welcome change.

Source: wait
