Root certs are now mainline modules and may be updatable without system updates
Imagine: one fine day you unlock your (admittedly very old) phone to look something up on the Internet, but most if not all websites refuse to connect and show a security warning instead. This situation almost happened to phones running Android 7 and below when a widely used root certificate expired in 2021. The problem was sidestepped thanks to Android's quirky way of handling such expired certificates, but Google is looking for a more permanent solution, and it may arrive in Android 14.
As Mishaal Rahman, Senior Technical Editor at Esper.io, spotted in the open-source Android code, Google is working on a new Mainline module that would allow root certificates to be updated on the fly. Root certificates are currently updated only as part of a system-wide update, and older devices rarely receive those, which leaves them at risk of being stuck with an outdated set of root certificates.
The new certificate module could be updated via Google Play Services instead of being part of the system image itself. This allows Google to push updates as needed and keeps your device able to connect to every website you can reach on the internet. It is the same approach many other Android components, including Bluetooth, have used for some time.
This new approach is also great for another reason. Root certificates are fundamentally about trust: they are what allow sites to establish secure connections in the first place. One of these root certificate authorities, TrustCor, was recently found to be linked to a company offering spyware and intelligence services. No wrongdoing by TrustCor itself has been found, but companies are quickly moving to cut ties, fearing something fishy might happen. It would be bad if encrypted data could be viewed by someone who should not see it. Android is removing support for TrustCor certificates in a full system security update, but it would be nice if Google could switch them off sooner.
The issue of stale root certificates is especially big on Android. Here, most apps and browsers rely on the built-in system root certificates to verify secure connections, whereas on Windows and macOS many applications ship with their own, independently updatable root certificates. In fact, Chrome recently introduced its own root store, which is the name for the place where an application keeps the root certificates it trusts. On Android, Firefox is a prominent example of an app that relies on its own root store, which means the browser keeps working on older Android phones even after a system root certificate has expired. Thankfully, the next big root certificate expiry is not until 2035, so we don't expect to see problems like the Android 7 situation of 2021 anytime soon.
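The difference between an expired root, a distrusted root and a refreshed root store, as an added Go example that is not from the article, from Esper or from Android's own code. It builds a constructed PKI (the CA name "Example Root CA (constructed)" and the host "www.example.test" are hypothetical) and verifies the same still-valid server certificate four ways: strictly against an old store that holds only an expired root (rejected), leniently with the anchor's dates ignored (an assumed simplification of the lenient handling of expired roots the article attributes to Android), strictly against a refreshed store holding a renewed root for the same CA key (accepted, the updatable-store case), and strictly after the root has been removed from the store (rejected, the distrust case). The assumed helper and function names are the example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// mustKey generates a fresh P-256 key; a failure here means the environment is broken.
func mustKey() *ecdsa.PrivateKey {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return key
}

// mustIssue signs tmpl under parent with signer and parses the result;
// parent == tmpl yields a self-signed certificate.
func mustIssue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// template builds a certificate template valid over [notBefore, notAfter]: CA templates may sign certificates, leaf templates get a DNS SAN and serverAuth.
func template(name string, serial int64, isCA bool, notBefore, notAfter time.Time) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
	}
	if isCA {
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature
	} else {
		t.DNSNames = []string{name}
		t.KeyUsage = x509.KeyUsageDigitalSignature
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// strictVerify chains leaf to a root in store; like most desktop validators it also
// rejects the chain when the root itself is outside its validity window.
func strictVerify(leaf *x509.Certificate, store []*x509.Certificate, host string, now time.Time) error {
	pool := x509.NewCertPool()
	for _, c := range store {
		pool.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host, CurrentTime: now})
	return err
}

// anchorAsKeyVerify treats the anchor as a (name, public key) pair: the leaf's own dates, hostname and
// signature are checked, the anchor's dates are not (assumed simplification of Android's lenient handling).
func anchorAsKeyVerify(leaf, anchor *x509.Certificate, host string, now time.Time) error {
	if now.Before(leaf.NotBefore) || now.After(leaf.NotAfter) {
		return errors.New("leaf certificate is outside its validity window")
	}
	if err := leaf.VerifyHostname(host); err != nil {
		return err
	}
	return leaf.CheckSignatureFrom(anchor) // signature and CA flags only, no dates
}

// RunScenario builds a constructed PKI (hypothetical CA name and host) and reports
// whether each verification strategy accepted the same still-valid server certificate.
func RunScenario() map[string]bool {
	now, day, host := time.Now(), 24*time.Hour, "www.example.test"
	rootKey, leafKey := mustKey(), mustKey()
	// Root that expired a year ago, as left behind in a system store that never got updated.
	expired := template("Example Root CA (constructed)", 1, true, now.Add(-10*365*day), now.Add(-365*day))
	expiredRoot := mustIssue(expired, expired, &rootKey.PublicKey, rootKey)
	// Same CA key re-issued with a fresh window, as an updatable root store could deliver.
	renewed := template("Example Root CA (constructed)", 3, true, now.Add(-day), now.Add(10*365*day))
	renewedRoot := mustIssue(renewed, renewed, &rootKey.PublicKey, rootKey)
	// Still-valid server certificate signed by that CA key.
	leaf := mustIssue(template(host, 2, false, now.Add(-day), now.Add(30*day)), expiredRoot, &leafKey.PublicKey, rootKey)
	return map[string]bool{
		"strict, expired root in store":   strictVerify(leaf, []*x509.Certificate{expiredRoot}, host, now) == nil,
		"anchor as key, dates ignored":    anchorAsKeyVerify(leaf, expiredRoot, host, now) == nil,
		"strict, renewed root in store":   strictVerify(leaf, []*x509.Certificate{renewedRoot}, host, now) == nil,
		"strict, root removed (distrust)": strictVerify(leaf, nil, host, now) == nil,
	}
}
```

The renewed root reuses the original CA key and subject, so the existing server certificate chains to it unchanged: that is why shipping a refreshed root store fixes the expiry without every site having to re-issue its certificates. Removing a root from the store, as Android is doing for TrustCor, is the opposite operation, and the last case shows that even a perfectly valid leaf is rejected once its anchor is gone.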
For a deeper dive into the whole topic, be sure to check out Mishaal Rahman's post on Esper. He goes into depth on what root certificates are and why they matter.