Android is Adding Support for Updatable Root Certificates Amid TrustCor Scare

Esper: The world's biggest tech companies have lost confidence in one of the Internet's behind-the-scenes gatekeepers. Microsoft, Mozilla, and Google are dropping TrustCor Systems as a root certificate authority in their products. Starting in Chrome version 111 for desktops, the browser will no longer trust certificates issued by TrustCor Systems. The same change is coming to Android, but unlike Chrome for desktops, Android's root certificate store can't be updated independently of the OS, meaning it'll take some time for the certificate changes to roll out. Thankfully, that may no longer be the case in Android 14, as Google is preparing to implement updatable root certificates in the next release.

And the next exploit will be...

[gillbates]

Prediction: the next exploit will be enabled by upgrading the certificates so that signed malware will load...

Re:

[thegarbz]

AFAIK Android doesn't have a concept of signed or unsigned apps. It relies on the PlayStore to handle distribution, so there's no need to sign individual pieces of software.

Re:

[Z00L00K]

But there can be other applications that depends on it.

Now I'm just waiting for something to happen that will basically force Google to backport that fix to earlier versions of Android or push an update of Android to all devices out there. A horrible task since there's no hardware standard.

Re:

[codebase7]

Actually, those Apps haven't trusted user-installed CA certs by default since Android 7. [android.com] To actually trust a user installed CA, the application must explicitly ask Android to include those certs. (This has caused headaches for corporate users.)

With Android 11, the situation was made worse as apps were stripped of the ability to install a CA cert into the untrusted CA store at all. [google.com] Instead mandating manual intervention by the user to do so. This has it's own issue on google's bug tracker for obvious reason [google.com]

Re:And the next exploit will be...

[TheRealMindChild]

It absolutely does: https://developer.android.com/... [android.com]

Android requires that all APKs be digitally signed with a certificate before they are installed on a device or updated. When releasing using Android App Bundles, you need to sign your app bundle with an upload key before uploading it to the Play Console, and Play App Signing takes care of the rest. For apps distributing using APKs on the Play Store (created before August 2021) or on other stores, you must manually sign your APKs for upload.

Re:

[thegarbz]

Ahhh, great thanks for the clarification. I dabbled in writing apps years ago and couldn't remember ever signing anything. Maybe this is something more recent. I did a google search and couldn't find any thing older than 3 years.

Do you know when this was introduced? Or maybe it was always a thing and the IDE I was using somehow automated the process in the background ... but again this was in the Android 3-4 days.

Re:

[AmiMoJo]

Seems unlikely. If that attack vector was feasible it would have been abused long ago to create impossible to remove malware.

Re: And the next exploit will be...

[SleepingEye]

Scanning for malware that could take advantage of this is pretty simple, even without updating the OS. As long as you download from the play store, they could easily make sure Company A's certificate is blocked from any other developer

Kind of...

[msauve]

> Android's root certificate store can't be updated independently of the OS, meaning it'll take some time for the certificate changes to roll out.

But, at least on the current Android 13, you _can_ view the trusted credentials and _disable_ them individually, as you wish. So you can immediately disable the TrustCor root certs, no OS update needed.

Re:Kind of...

[Kernel Kurtz]

But, at least on the current Android 13, you _can_ view the trusted credentials and _disable_ them individually, as you wish. So you can immediately disable the TrustCor root certs, no OS update needed.

Settings>Security and privacy>Other security settings>View security certificates> Scroll to Trustcor certs ECA-1, CA-1, and CA-2. Slide to off. Done.

Re:

[Nahor]

Settings>Security and privacy>Other security settings>View security certificates>

What phone? It's different on stock Android 13 (Pixel 7):

Settings > Security > More security settings > Encryption & credentials > Trusted credentials > System tab (should be the default selection already)
(then scroll to Trustcor and disables the 3 certificates as you mentioned)

Faster alternatively: go to Settings then search for "trusted" and select the "Trusted credentials" options.

Re:

[Kernel Kurtz]

What phone? It's different on stock Android 13 (Pixel 7)

Interesting. Galaxy Note 20 Ultra. Also stock Android 13...but perhaps Samsung's One UI does it differently.

Searching for "trusted" gives no results found.

Re:

[Nahor]

Interesting. Galaxy Note 20 Ultra. Also stock Android 13...but perhaps Samsung's One UI does it differently.

Samsung does not provide phones with stock Android, so unless you modded it, you're using the Samsung version of Android, not stock (i.e. "plain Google"). The fact that you have "One UI" is another indicated that it's not stock.

Searching for "trusted" gives no results found.

It's the name of the last level of settings for my phone, so in your case, it should be "view" or "certi"

Re:

[Kernel Kurtz]

Fair enough. I have not modded it, so it is the "stock" Samsung Android 13.

Pixels don't use stock (as in AOSP) Android either. They also have a Google exclusive UI that is not part of the generic Android OS.

Re:

[AmiMoJo]

I think Chrome can ignore certain certificates too. Google used it for certs they wanted to block on Windows, where the system certificate store is used.