Root certificates are at the heart of Public Key Infrastructure (PKI) and are signed by trusted certificate authorities or CAs. Browsers, applications, and other programs have a prepackaged root store that means these certificates are trusted. If you visit a site that supports HTTPS but does not use a certificate signed by a CA in your browser’s root store, the site will be marked as not secure. Typically, applications and browsers can update their certificates, but your phone can’t unless it’s via an OTA update. That can change with Android 14according to Esper.
There have been a few scares over the years with certificates, and that’s because of our reliance on them as the core of a chain of trust when visiting websites. Here on XDA, our certificate is signed by Let’s Encrypt, a non-profit CA. Their certificate is signed by the Internet Security Research Group and is the chain of trust that ensures your connection to this website is safe and secure. The same goes for any other website you visit that uses HTTPS.
Every operating system has its own built-in root store, and Android is no different. You can actually see this root store on your Android smartphone by navigating to security and privacy in your device settings. From there it will depend on the type of device you are using, but the screenshots below show where it is on OneUI 5.
The thing is, though, even this root store isn’t the last. Apps can choose to use and trust their own root store (which Firefox does), and they can only accept specific certificates (dubbed certificate pinning) in an effort to avoid Man-in-the-Middle (MITM) attacks. Users can install their own certificates, but app developers have had to opt-in for their apps to use these certificates ever since Android 7.
Why it’s important to have updatable root certificates
With Let’s Encrypt certificates that are cross-signed by the Internet Security Research Group, a lot of the Internet is dependent on ISRG’s security. If ISRG lost control of its private key (for example, it were to be stolen), then ISRG should revoke the key. Depending on how companies respond, it may be the case that some parts of the Internet would become inaccessible to devices that do not have updatable root certificates. While that’s a completely catastrophic nightmare scenario (and purely hypothetical), it’s exactly the kind of scenario that Google wants to avoid. That’s why what’s happening with TrustCor at the moment may signal to Google that it’s time to add updatable root certificates to Android.
For context, TrustCor is one such certificate authority that has come under scrutiny after researchers alleged it had close ties to a US military contractor. TrustCor has not lost its private key, but it have lost the trust of many companies that have to decide which certificates to include in their root stores. These researchers claimed that US military contractor TrustCor was close to paying developers to place data-harvesting malware in smartphone apps. In PKI, trust is everything, and TrustCor lost that trust when these allegations came to light. Since then, companies such as Google, Microsoft and Mozilla have dropped TrustCor as a certificate authority. However, removing TrustCor’s certificates from the Android root store will require an OTA update, and even though the commit has already been made in AOSP, it will probably be a long time before you or I actually have the update that drops TrustCor’s certificates from our devices.
The benefit is that you can disable TrustCor’s certificates on your device now by going to your certificates on your device as we showed above, then scrolling to TrustCor and disabling the three certificates that come with your device. According to developers from GrapheneOS project, there should be “very little impact on web compatibility, as this CA is barely used by anyone other than a specific dynamic DNS provider.”
The solution: Project Mainline
If you are familiar with Project Mainline, then you can already see how this can help solve the problem. Google makes use of Mainline modules, which are delivered through the Google Play Services framework and the Google Play Store. Each mainline module is delivered as either an APK file, an APEX file, or an APK-in-APEX. When a mainline module is updated, the user sees a “Google Play System Update” (GPSU) notification on their device. To efficiently deliver updates to critical components, Google has bypassed the need to wait for an OEM to roll out an update and has opted to do the job itself. Bluetooth and Ultra-wideband are two essential Mainline modules handled by Google.
According to to commit on AOSP Gerrit (spotted by Esper), Conscrypt, a Mainline module that provides Android’s TLS implementation, will support updatable root certificates in a future update. This would mean that certificates could be removed (or even added) via a Google Play system update through Project Mainline, ensuring a much faster process should another situation like TrustCor (or worse) arise in the future. It’s not clear when this will roll out, but it’s likely to come to Android 14. It’s technically possible that Google might push it with Android 13 QPR2, but that would only benefit Google Pixel users until Android 14 will reach everyone else next year anyway. This is because other OEMs typically do not roll out QPR updates.
The whole reason this exists would be so Google can maintain control over another crucial aspect of device security without having to rely on OEMs to push updates instead. An OTA is currently required to update certificates, but in an emergency every day that users don’t have an update can matter. Using Project Mainline to ensure that users can get important certificate updates on time if they are ever needed is certainly a welcome change.