To protect users from malicious certificate authorities, Android 14 makes root certificates updatable via Google Play

News Summary:

  • When you log in every day, you can be sure that the software on your device is properly configured to take you to the right server that hosts the websites you want to visit. Making the right connection is important so you don’t end up on a server owned by someone with bad intentions, but making that connection secure is also important so that any data you send to that server are all encrypted in transit (TLS) and hopefully `not susceptible to snooping. However, your operating system, web browser, and applications will only establish secure connections to servers on the Internet (HTTPS) if they trust the server’s security certificate (TLS).

  • Android has a small glitch that only pops up once per blue moon, but when it does, it causes some panic. Fortunately, Google has a fix in Android 14 to address this issue in the first place. The problem is that the Android system’s root certificate store can only be updated via over-the-air (OTA) update for most of Android’s lifetime. While OEMs and carriers have gotten better at releasing updates faster and more often, things can still get better. That’s why Google designed a solution that makes Android’s root store updateable through Google Play, starting with Android 14.

However, because there are so many websites on the Internet, operating systems, web browsers, and applications do not keep a list of the security certificates of each site that they trust. Instead, they want to know who signed the security certificate issued to the site: is it self-signed or is it signed by another entity (Certificate Authority [CA]) that they trust? This validation chain can continue in multiple layers until you reach the root CA that issued the security certificate used to sign the certificate that eventually signed the certificate issued for the website you are visiting.

Sometimes the root certificate is about to expire, which can cause websites and services to go down and web browsers to send warnings about unsafe connections. In some cases, the CA that issued the root certificate is suspected of being malicious or compromised. Or a new root certificate comes in and must be added to the root store of every major operating system before the CA can actually start signing the certificate.

The number of root CAs is much less than the number of websites that issue security certificates, either directly or through one or more intermediate CAs, allowing the operating system and web browser to maintain a list of root CA certificates. whom they trust. For example, Android has a list of trusted root certificates contained in the OS’s read-only system partition at /system/etc/security/cacerts. If applications do not restrict which certificates are trusted, a method known as certificate pinning, they will default to using the operating system’s root store to decide whether to trust security certificates or not. Since the “system” partition is read-only, the Android root store is immutable outside of OS updates, which can be a problem when Google wants to remove or add a new root certificate.