Android Security

Android is Adding Support for Updatable Root Certificates Amid TrustCor Scare (esper.io) 19

Esper: The world's biggest tech companies have lost confidence in one of the Internet's behind-the-scenes gatekeepers. Microsoft, Mozilla, and Google are dropping TrustCor Systems as a root certificate authority in their products. Starting in Chrome version 111 for desktops, the browser will no longer trust certificates issued by TrustCor Systems. The same change is coming to Android, but unlike Chrome for desktops, Android's root certificate store can't be updated independently of the OS, meaning it'll take some time for the certificate changes to roll out. Thankfully, that may no longer be the case in Android 14, as Google is preparing to implement updatable root certificates in the next release.

  • by gillbates ( 106458 ) on Tuesday December 20, 2022 @03:16PM (#63145742) Homepage Journal

    Prediction: the next exploit will be enabled by upgrading the certificates so that signed malware will load...

  • Kind of... (Score:4, Informative)

    by msauve ( 701917 ) on Tuesday December 20, 2022 @03:51PM (#63145834)
    > Android's root certificate store can't be updated independently of the OS, meaning it'll take some time for the certificate changes to roll out.

    But, at least on the current Android 13, you _can_ view the trusted credentials and _disable_ them individually, as you wish. So you can immediately disable the TrustCor root certs, no OS update needed.
    • Re:Kind of... (Score:5, Informative)

      by Kernel Kurtz ( 182424 ) on Tuesday December 20, 2022 @04:16PM (#63145886)

      > But, at least on the current Android 13, you _can_ view the trusted credentials and _disable_ them individually, as you wish. So you can immediately disable the TrustCor root certs, no OS update needed.

      Settings>Security and privacy>Other security settings>View security certificates> Scroll to TrustCor certs ECA-1, CA-1, and CA-2. Slide to off. Done.

      • by Nahor ( 41537 )

        > Settings>Security and privacy>Other security settings>View security certificates>

        What phone? It's different on stock Android 13 (Pixel 7):

        Settings > Security > More security settings > Encryption & credentials > Trusted credentials > System tab (should be the default selection already)
        (then scroll to TrustCor and disable the 3 certificates as you mentioned)

        Faster alternative: go to Settings then search for "trusted" and select the "Trusted credentials" option.

        • > What phone? It's different on stock Android 13 (Pixel 7)

          Interesting. Galaxy Note 20 Ultra. Also stock Android 13...but perhaps Samsung's One UI does it differently.

          Searching for "trusted" gives no results found.

          • by Nahor ( 41537 )

            > Interesting. Galaxy Note 20 Ultra. Also stock Android 13...but perhaps Samsung's One UI does it differently.

            Samsung does not provide phones with stock Android, so unless you modded it, you're using the Samsung version of Android, not stock (i.e. "plain Google"). The fact that you have "One UI" is another indication that it's not stock.

            > Searching for "trusted" gives no results found.

            It's the name of the last level of settings for my phone, so in your case, it should be "view" or "certi"

            • Fair enough. I have not modded it, so it is the "stock" Samsung Android 13.

              Pixels don't use stock (as in AOSP) Android either. They also have a Google exclusive UI that is not part of the generic Android OS.
    • by AmiMoJo ( 196126 )

      I think Chrome can ignore certain certificates too. Google used it for certs they wanted to block on Windows, where the system certificate store is used.
