Google wants to redesign Android’s certificate management

Google is working on one solution to prevent devices android very old are no longer able to surf the internet for expired certificate issues: Mishaal Rahman of exper noticed some maneuvering about it in the Android source code. Synthesized to the extreme, the idea is to also separate the certificates from the operating system, and make their update an operation that can be completed via the Play Store or Play Services.

The risk is real: Android 7-based devices ran it last year. A so-called root certificate was about to expire and if Google hadn’t intervened, the rest of the internet would have practically cut off the devices involved, refusing the connection for security reasons. Google managed to avoid trouble somewhat fortuitously with how these certificates are handled, but is studying a more robust and durable solution.

Google is dropping TrustCor’s root certificates from Android as questions loom about the firm’s ties to US intelligence agencies. Separately, Google also prepares to make Android’s root store updatable via Google Play.https://t.co/tRmQBeNTSL

Typ @techmeme

— Mishaal Rahman (@MishaalRahman) December 20, 2022

The certificate problem is particularly significant for the Android world: the operating system is designed to make all apps (web browsers included) use those that come pre-installed in the operating system. It’s not strictly mandatory, but few developers choose the alternative route. One of them is Mozilla for its Firefox browser (which in the above example would then continue to work normally).

The ability to change certificates without going through a system update also has another potential benefit: it allows you to solve any problems that have arisen with the companies that issue the certificates. If the certificates of one of these entities are revoked due to suspicion, lack of clarity or breached trust, there is a way to keep even the now obsolete devices for which the software support period by their respective manufacturers has already expired. Apparently it’s happening right now: Google has decided to withdraw its support for TrustCor certificates because it is suspected of having ties to American intelligence agencies.