Root certificates are the core of Public Key Infrastructure (PKI) and are signed by trusted Certificate Authorities or CAs. Browsers, applications and other programs have a pre-packaged root store that indicates that these certificates are trustworthy. If you visit a website that supports HTTPS but does not use a certificate signed by a CA in your browser’s root store, the website will be marked as not secure. Typically, applications and browsers can update their certificates, but your phone cannot, unless via an OTA update. That can change with Android 14according to Esper.
There have been a number of fears over the years regarding certificates, and it’s because we rely on them as the core of a chain of trust when we visit websites. Continue here XDA, our certificate is signed by Let’s Encrypt, a not-for-profit CA. Their certificate is signed by the Internet Security Research Group and it is that chain of trust that ensures that your connection to this website is secure. The same goes for any other website you visit that uses HTTPS.
Every operating system has its own built-in root store and Android is no different. You can actually view this root storage on your Android smartphone by going to security and privacy in your device’s settings. From there it depends on the type of device you are using, but the screenshots below show where it is on OneUI 5.
However, the point is that even this root store is not everything. Apps can choose to use and trust their own root store (which Firefox does), and can only accept specific certificates (dubbed certificate pinning) to prevent Man-in-the-Middle (MITM) attacks. Users can install their own certificates, but app developers have been required to sign in since Android 7 for their apps to use these certificates.
Why having updatable root certificates is important
With Let’s Encrypt certificates cross-signed by the Internet Security Research Group, a lot of the Internet depends on the security of the ISRG. If ISRG were to lose control of its private key (in case of theft, for example), the ISRG would have to revoke the key. Depending on how companies respond, some parts of the Internet may become inaccessible to devices that do not have updatable root certificates. While that’s a completely catastrophic nightmare scenario (and purely hypothetical), it’s exactly the kind of scenario Google wants to avoid. That’s why what’s happening with TrustCor right now could be a signal to Google that it’s time to add updatable root certificates to Android.
For context, TrustCor is one such certificate authority that came under scrutiny after investigators claimed it had close ties to a US military contractor. TrustCor has not lost its private key, but it has lost the trust of many companies who have to decide which certificates to include in their root stores. Those researchers claimed that US military contractor TrustCor had a close relationship with paid developers to place data-gathering malware in smartphone apps. At PKI, trust is everything, and TrustCor lost that trust when those allegations came to light. Since then, companies like Google, Microsoft, and Mozilla have dropped TrustCor as a certificate authority. However, removing TrustCor’s certificates from the Android root store requires an OTA update, and while the commit has already been made in AOSP, it will likely be a long time before you or I get the update that removes TrustCor’s certificates from our devices.
The upside is that you can now disable TrustCor’s certificates on your device by going to your certificates on your device, as we showed above, then scrolling down to TrustCor and disabling the three certificates that come with your device delivered. According to developers of the GrapheneOS project, there should be “very little impact on web compatibility because this CA is hardly ever used by anyone other than a specific dynamic DNS provider.”
The solution: Project Mainline
If you’re familiar with Project Mainline, you can already see how it can help solve the problem. Google uses Mainline modules delivered through the Google Play Services framework and the Google Play Store. Each Mainline module comes as an APK file, an APEX file, or an APK-in-APEX. When a Mainline module is updated, the user sees a “Google Play System Update” (GPSU) notification on their device. In order to deliver updates to critical components, Google has essentially bypassed the need to wait for an OEM to roll out an update, by choosing to do the task itself. Bluetooth and Ultra Wideband are two essential Mainline modules managed by Google.
According to commits on the AOSP Gerrit (spotted by Esper), Conscrypt, a Mainline module that provides Android’s TLS implementation, will support updatable root certificates in a future update. This would mean that certificates could be removed (or even added) via a Google Play system update via Project Mainline, ensuring a much faster process should another situation like TrustCor (or worse) arise in the future. It’s not clear when this will roll out, but it’s likely it will come to Android 14. It’s technically possible that Google wants to push it with Android 13 QPR2, but it would only benefit Google Pixel users until Android 14 hits everyone next year anyway. This is because other OEMs typically do not roll out QPR updates.
The whole reason for this would be to allow Google to maintain control over another critical aspect of device security without having to instead rely on OEMs pushing updates. An OTA is currently required to update certificates, but in an emergency situation, any day users don’t have an update could matter. Using Project Mainline to ensure users can get critical certificate updates on time if they are ever needed is certainly a welcome change.