A root certificate is the core of a Public Key Infrastructure (PKI) and is signed by a trusted Certificate Authority (CA). Browsers, applications, and other programs have prepackaged root stores that indicate that these certificates can be trusted. If you visit a website that supports HTTPS but does not use a certificate signed by a CA in your browser’s root store, the website will be flagged as insecure. Applications and browsers can usually renew certificates, but mobile phones cannot unless they use OTA updates from her. According to Android 14, that may change. Psychics.
Over the last few years there have been some fears related to certificates. This is because we rely on certificates as the core of our chain of trust when visiting websites.here XDA, our certificates are signed by Let’s Encrypt, a non-commercial CA. Their certificate is signed by the Internet Security Research Group and is a chain of trust that ensures your connection to this website is safe and secure. The same is true for other websites accessed using HTTPS.
Every operating system has its own built-in root store, and Android is no exception. You can actually view this root store on your Android phone by going to Security & Privacy in your device settings. From there, it depends on what kind of device you’re using, but the screenshot below shows where it’s located in OneUI 5.
The problem, however, is that even this root store is not final. Apps can choose to use and trust their own root store (Firefox does), and can only accept certain certificates to avoid man-in-the-middle (MITM) attacks (Certificate called pinning). Users can install their own certificates, but app developers have had to opt-in since his Android 7 to allow apps to use those certificates.
Why is it important to have a renewable root certificate?
Because Let’s Encrypt certificates are cross-signed by the Internet Security Research Group, many The security of the Internet depends on the security of ISRG. If the ISRG loses control of the private key (for example, it is stolen), the ISRG should revoke the key. Depending on the company’s response, devices without a renewable root certificate may not be able to access parts of the Internet. It’s a completely catastrophic nightmare scenario (and purely hypothetical), but it’s exactly the kind of scenario Google wants to avoid. So what’s happening right now with TrustCor could signal to Google that it’s time to add renewable root certificates to Android.
For context, TrustCor is one such certificate authority that came under scrutiny after researchers claimed it had close ties to U.S. military contractors. have I’ve lost faith in many companies who have to decide which certificates to include in their root store. These researchers claimed that a U.S. military contractor close to TrustCor paid developers to place data-collecting malware in smartphone apps. In PKI, trust is everything, and TrustCor lost that trust when these allegations came to light. Since then, companies such as Google, Microsoft, and Mozilla have retired TrustCor as a certificate authority. However, removing TrustCor’s certificate from the Android root store requires an OTA update. A commit has already been made in AOSP, but it could be a long time before the actual update to remove TrustCor’s certificate from the device.
The advantage is that you can revoke a device’s TrustCor’s certificates by going to the device’s certificates, scrolling down to TrustCor, and revoking the three certificates that came with the device as above. According to the GrapheneOS project developers, “there should be little impact on web compatibility as this CA is rarely used outside of a specific dynamic DNS provider”.
Solution: Project Mainline
If you’re familiar with Project Mainline, you already know how this can help you solve your problem. Google utilizes mainline modules provided through the Google Play Services Framework and the Google Play Store. Each mainline module is delivered either as an APK file, APEX file, or APK-in-APEX. When the mainline module is updated, a “Google Play System Update” (GPSU) notification will appear on the user’s device. Effectively, in order to deliver updates to critical components, Google chose not to wait for his OEM to roll out updates, but to do the task itself. Bluetooth and ultra-wideband are two important mainline modules that Google deals with.
According to the AOSP Gerrit commit (discovered by) Psychics), Conscrypt, the mainline module that provides Android’s TLS implementation, will support renewable root certificates in a future update. This means that certificates can be removed (or added) via Google Play system updates via Project Mainline, and much quicker if another situation like TrustCor (or more) arises in the future. ensure a smooth process. It’s not clear when this will roll out, but it’s likely coming to Android 14. Google could technically push with Android 13 QPR2, but it would only benefit Google Pixel users until Android 14 reaches everyone else. next year. This is usually because other his OEMs don’t roll out his QPR updates.
The whole reason this exists is so that Google can continue to control another important aspect of device security without having to rely on OEMs pushing updates in return. Now he needs an OTA to renew the certificate, but in an emergency situation every day the user doesn’t renew can be a problem. Leveraging Project Mainline to help users get critical certificate updates in a timely manner when needed is certainly a welcome change.
sauce: Psychics