Root of the matter: Exploring Android 14’s Updatable Root Certificates

Lizzie Warren

Jan 25, 2023

11 min read

We use the internet to browse all things under and above the sky, but have you ever wondered how secure we’re when connected to a server? Haven’t had this thought before, right? No problem! We’ve got you covered😌. This is where the trust anchors come into play. Yes, you guessed it right! It’s all about the root certificates. They check the integrity of a website’s security certificates and ensure that the data is encrypted while in transit. In this blog, we’ll dive into the world of root certificates and explore how they work and why they’re essential for our Android devices, including the details of Android updatable root certificates. So, buckle up to learn about the unsung heroes of internet security!

Digging down to the roots: An introduction to root certificates 📜

Root certificates establish trust for SSL (Secure Sockets Layer) or TLS (Transport Layer Security) connections. The operating system includes them in its certificate store and uses them to confirm the validity of SSL/TLS certificates presented by servers. The operating system’s certificate store is a container for digital certificates. It verifies the identity of a computer or user and secures communications. These certificates establish trust and secure communications, such as by establishing a secure website connection using HTTPS.

This operating system’s certificate store on macOS is known as the “Keychain”. It is a central location for storing private keys, digital certificates, and other sensitive data. Similar to how a physical keychain organizes and makes keys accessible, the macOS Keychain accomplishes the same for digital keys and certificates, hence the name “Keychain.”

Creating a secure connection to a website via HTTPS is one example of how the Keychain builds trust. This ensures conversations are private. The “Keychain Access” application, which you can find in the “Applications/Utilities” folder, can be used to examine the Keychain. You may inspect the various keychains (such as login and system) and the certificates kept within them after launching the application. The Keychain Access application can also manage the certificates, including adding or removing certificates and changing a certificate’s trust settings.

When we connect to a server over SSL/TLS, the server’s certificate is checked against the list of trusted root certificates in the operating system. If the certificate is not signed by a trusted root certificate, the connection will not be established.

Since more than a billion websites are operating on the internet, it is nearly difficult to have an entire list of trusted security certificates. So, to verify a site’s security certificate, the operating systems and web browsers use chains of trust.

A Web of trust: How the chain of certificates protects you

Consider the trust chain as a game of telephone. Each link in the chain whispers a secret message to the one after it, and by the time the message reaches the end, it has been confirmed and validated as accurate.

Similarly, a certificate in a chain of trust will pass along the chain and gets verified as genuine when it reaches the end user (browser or operating system). The chain of trust in terms of website security begins with a website’s security certificate, which is similar to the original message. The trusted certificate authority (CA), which serves as the first link in the chain, issues this certificate. The CA then verifies whether the website’s identity is genuine and whether the certificate belongs to that particular website.

The browser or operating system, the following link in the chain, checks to see if a reputable CA issued the certificate. The browser or operating system will create a secure connection with the website and display the padlock icon🔒 to signify a secure connection if the certificate works as advertised. However, the browser or operating system will not create a secure connection with the website if any link in the chain is hacked, rendering the message (or certificate) fake. So, in a nutshell, the chain of trust is a system that ensures the website you are visiting is who they say they are and that any communication you have with them is safe.

Additional info 📖

TrustCor Systems, a significant certificate authority (CA), has drawn attention in this domain because of its connections to a business that offers information services for malware. However, the latest news states that Microsoft, Mozilla, and Google products will no longer use TrustCor Systems as a root certificate authority.

Even the Chrome browser for desktops will no longer accept certificates generated by TrustCor Systems from version 111. A similar change is coming to Android. However, it will take some time before the certificate modifications appear because, unlike Chrome for desktops, you can’t update Android’s root certificate store independently of the OS.

Know your grounds: The backstory of root certificates 🏝

Let’s first paint the background a bit to get the whole picture. Android is no different from other operating systems in having its built-in root store. When apps attempt to establish a secure connection, by default, they first validate certificates by connecting to Android’s system root store. This Android system root store is a container for digital certificates that use to verify the identity of an app or software on an Android device. Moreover, the read-only system partition has the built-in root store for Android at /system/etc/security/cacerts.

Apps weren’t needed to use Transport Layer Security (TLS) for all Internet connections before Android 9. This allowed apps to connect to webpages in cleartext (HTTP) without encryption. Therefore, users become exposed to various threats, including eavesdropping and tampering. With Android 9, Google made such a change so that apps had to actively choose to enable cleartext traffic (HTTP) for particular sites. As a result, modern apps now conduct certificate verification through the system root store. This also uses TLS for all Internet connections.

How to manually install CA certificates on Android?

From Android 7, users can manually install CA certificates using the settings on Android. You can also check them on your Android phone. For this, navigate the Settings app and search for credential storage >> Install Certificates >> CA certificates. This step may vary depending on the Android phone we’re using. Remember that even if your data is in encrypt form, the certificate owner can access your data through the websites and apps you use if you manually install the CA certificate.
These installed certificates are then saved to the user certificate store rather than the system-wide certificate store. We can look at these certificate stores in a later session. Although user certificate store certificates are not by default trusted, apps can choose to trust them. As a result, many apps rely on the operating system by default to check certificates.

Credential storage
Options available under credential storage

Install certificate
Options under install a certificate

android updatable root certificates_Warning message
Warning message before installing

What happens when a user certificate expires?

If these certificates expire or are unreliable, apps and users will experience issues trusting intermediate CAs and websites whose certificates were signed by a root CA. This will ruin numerous services as many web browsers and apps can no longer create safe connections with specific websites.

When such a problem arises, the sole solution is to update Android’s built-in root store. You can do this using the firmware over-the-air (OTA) update option. To check this, go to the Settings app on your phone. Select System >> Software update >> Check for updates. The device will download and install the update if an update is available. It’s crucial to remember that root store updates may occur independently and that not all firmware updates contain root store updates.

This OTA update is useful as the device manufacturer can only upgrade the root certificates on Android devices via these system upgrades. As a result, the device can stop receiving system upgrades as it ages. When that happens, a root certificate on the device can expire, prohibiting it from loading websites.

This technique could be better because it is challenging to distribute an essential firmware update to every device that needs it. Nevertheless, Google has been developing a solution in Android 14 for this issue using the well-known mechanism of Project Mainline.

Android Project Mainline: Everything you need to know

Further reading on user certificate store and system-wide certificate store 📖

The user certificate store is specific to a single user account on the device. Therefore, no other users or apps running with various user profiles can access certificates in the user certificate store except for the particular user.

On the other hand, the system-wide certificate store has certificates available to all users and applications on the device. Any application running on the device can use certificates in the system-wide certificate store. This is applicable regardless of the user profile or the app’s permissions.

Generally, certificates in the system-wide store are more reliable than those in the user store. This is because the device manufacturer or carrier typically install them and design them to be used by all apps on the device.

Additionally, installing a certificate in the system-wide store usually provide more restriction. It requires more privileges as it can affect the overall device security. In contrast, installing a certificate in the user store usually provides less restriction and can do it themselves.

Rooted in security: A closer look at Android 14 updatable root certificates 🔐

So far, it’s clear that when a user accesses a website, the website uses root certificates to create a secure connection with the user’s device. However, when these root certificates meet their validity period, the website cannot connect securely to the device. Moreover, this will deny the access.

That won’t be the case when using Android 14. Users can change root certificates on their devices independently from system updates via Google Play Services. Thus, users can still obtain the most recent root certificates. They can maintain an Internet connection even if their smartphone becomes outdated and no longer receives Android updates. All device manufacturers will require the feature because Google is considering making it a standard module.

Google will be able to provide the updates as and when necessary. It is with the help of root certificate modules introduced through Google Play Services. This will prevent older devices from entirely losing their trust in the system. The Android 13 QPR (Quarterly Platform Release) update excludes other OEMs because it is exclusive to Pixel smartphones, which may be where Google plans to include this feature. Therefore, Android 14 will most likely make it widely accessible. Keep in mind that nothing is set in stone yet, as Google officially has to announce this matter. So, let’s stay tuned and see what unfolds! 😉

Featured resource

Hexnode Android Management Solution

Get started with Hexnode’s Android Management solution to improve efficiency, increase productivity, save time and overhead costs of managing your corporate devices.

Download the datasheet

Watering your roots with the magic of Hexnode UEM 🌧

Watering plants is like providing them with the life-sustaining nectar they need to grow and flourish. You might wonder how a UEM solution like Hexnode matters in this situation. The Android management solution of Hexnode UEM is a comprehensive answer to all business needs of an IT admin.

Hexnode UEM is the life-sustaining nectar that keeps the enterprise’s digital ecosystem thriving in today’s threat-laden landscape. It helps the IT admins in device enrollments, configurations, deployments, network policies, remote management and many more.

It also offers two primary management modes with Android Enterprise. They are: Device owner (Fully managed device) and Profile owner mode (Work profile). The organization will have full authority over the device in device owner mode. Under the profile owner mode, users can store the personal apps and data separately from their work apps and data.  The user’s personal space will stay private, and the organization won’t have any authority over the user’s personal information.

Why wait? Start reaping the benefits of Hexnode UEM and unlock the Android management capabilities you never knew you could have!

Finishing it up 🌱

Root certificates may not be the most glamorous topic, but they are crucial in securing our online communications. As discussed, these digital trust anchors help verify websites’ authenticity and establish secure connections when browsing the web or using apps. So, next time you visit a website or use an app, take a moment to think about the trust anchors working behind the scenes to verify the authenticity of the connection.

If you’re an Android user, take a moment to discover these trust anchors on your phone by visiting Settings > Security > Trusted credentials. When it comes to root certificates, always trust the trusted. Together, we can ensure a safer internet for all!

Lizzie Warren

A lil clumsy and a whole lot smiley, I'll bump into you with a smile...

Share your thoughts