Android 14 Blocks User from Changing System Certificates, Even with ROOT Access

News Report: Android 14 to Change Certificate Update Method

Developers: HTTP Toolkit
Source: httptoolkit.com

Developers at HTTP Toolkit, an open-source tool for inspecting HTTPS traffic, have drawn attention to a change in how root certificate authority (CA) certificates are updated in the upcoming Android 14 release. The certificates will no longer be bundled with the firmware image but will be delivered as a separate package updated through Google Play.

On the one hand, this approach simplifies keeping the set of trusted CA certificates current and removing the certificates of compromised certification authorities. It also prevents device manufacturers from tampering with the root certificate list and decouples certificate updates from firmware updates. On the other hand, the new delivery method does not let users change the system certificates, even with root access on the device.

In Android 14, certificates are no longer loaded from the /system/etc/security/cacerts directory but from /apex/com.android.conscrypt/cacerts. That directory lives in a separate container called APEX (Android Pony EXpress), whose contents are delivered through Google Play system updates. The integrity of the certificates is protected by Google's digital signature on the APEX package, so even a user with full root access cannot alter the list of system certificates; in particular, overlaying or editing the legacy /system/etc/security/cacerts directory no longer affects which roots are trusted, because Conscrypt reads the APEX path. This new storage scheme may cause difficulties for developers doing reverse engineering, traffic inspection, or firmware research. It may also complicate the development of alternative Android-based firmware projects such as GrapheneOS and LineageOS.
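As an added example (not code from the article or from HTTP Toolkit), the script below shows how the system CA store is organized and how to check whether a given CA is in it: each trusted root is a PEM file named by the OpenSSL subject_hash_old of its subject (an 8-hex-digit value followed by ".0", ".1", ...), and on Android 14 Conscrypt reads that directory from the APEX path rather than from /system/etc/security/cacerts. The minimal DER walker, the store-path constants and the constructed, unsigned self-issued test certificate are the example's own assumptions; it runs offline against the constructed certificate and, when run on a device or an extracted image, reports which store is in use.

```python
"""Added example (not from the article or from HTTP Toolkit): compute the
file name Android uses for a root CA in its cacerts directory and check
whether a CA is present in the legacy or the Android 14 APEX store."""
import base64
import hashlib
import os
import re

LEGACY_STORE = "/system/etc/security/cacerts"        # Android 13 and earlier
APEX_STORE = "/apex/com.android.conscrypt/cacerts"   # Android 14


def read_tlv(buf, pos=0):
    """Decode one DER TLV at buf[pos]; return (tag, value, end, raw_tlv)."""
    tag = buf[pos]
    first = buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        hdr = 2 + n
    start = pos + hdr
    end = start + length
    return tag, buf[start:end], end, buf[pos:end]


def subject_der(cert_der):
    """Return the raw DER of the subject Name of an X.509 certificate."""
    _, cert_body, _, _ = read_tlv(cert_der)      # Certificate SEQUENCE
    _, tbs, _, _ = read_tlv(cert_body)           # tbsCertificate SEQUENCE
    tag, _, pos, _ = read_tlv(tbs)               # [0] version, or serialNumber
    if tag == 0xA0:                              # explicit version present
        _, _, pos, _ = read_tlv(tbs, pos)        # serialNumber
    _, _, pos, _ = read_tlv(tbs, pos)            # signature AlgorithmIdentifier
    _, _, pos, _ = read_tlv(tbs, pos)            # issuer
    _, _, pos, _ = read_tlv(tbs, pos)            # validity
    _, _, _, raw = read_tlv(tbs, pos)            # subject
    return raw


def subject_hash_old(cert_der):
    """OpenSSL X509_NAME_hash_old: MD5 of the DER subject, first four bytes
    read little-endian. Android names cacerts files <hash>.<n> with it."""
    md = hashlib.md5(subject_der(cert_der)).digest()
    return "%08x" % int.from_bytes(md[:4], "little")


def cacerts_filename(cert_der, n=0):
    return "%s.%d" % (subject_hash_old(cert_der), n)


def pem_to_der(pem):
    return base64.b64decode(re.sub(r"-----[A-Z ]+-----|\s", "", pem))


def ca_present(listing, cert_der):
    """Return the matching <hash>.<n> entry from a cacerts listing, or None."""
    want = subject_hash_old(cert_der)
    for name in sorted(listing):
        if re.fullmatch(want + r"\.\d+", name):
            return name
    return None


def locate_store(root="/"):
    """Prefer the APEX store: it is what Android 14's Conscrypt actually reads."""
    for store in (APEX_STORE, LEGACY_STORE):
        if os.path.isdir(os.path.join(root, store.lstrip("/"))):
            return store
    return None


def _tlv(tag, body):
    """DER TLV encoder used only to build the constructed test certificate."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


# Constructed, unsigned test certificate (assumption: not a real CA); only the
# structure the parser walks has to be right. Subject: CN=Example Test Root CA
TEST_SUBJECT = _tlv(0x30, _tlv(0x31, _tlv(0x30,
    _tlv(0x06, bytes([0x55, 0x04, 0x03])) + _tlv(0x0C, b"Example Test Root CA"))))
_sigalg = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + _tlv(0x05, b""))
_tbs = _tlv(0x30,
    _tlv(0xA0, _tlv(0x02, b"\x02")) +                                   # version v3
    _tlv(0x02, b"\x01") +                                               # serialNumber
    _sigalg +
    TEST_SUBJECT +                                                      # issuer
    _tlv(0x30, _tlv(0x17, b"240101000000Z") + _tlv(0x17, b"340101000000Z")) +
    TEST_SUBJECT +                                                      # subject
    _tlv(0x30, _sigalg + _tlv(0x03, b"\x00")))                          # placeholder SPKI
TEST_CERT_DER = _tlv(0x30, _tbs + _sigalg + _tlv(0x03, b"\x00"))
TEST_CERT_PEM = ("-----BEGIN CERTIFICATE-----\n"
                 + base64.encodebytes(TEST_CERT_DER).decode()
                 + "-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    store = locate_store()
    print("system CA store in use:", store or "none found (not an Android tree)")
    print("cacerts file name for the test CA:", cacerts_filename(TEST_CERT_DER))
    if store:
        print("test CA present in store:", ca_present(os.listdir(store), TEST_CERT_DER))
```

To check a real interception CA, replace TEST_CERT_PEM with the PEM of that CA and run the script on the device (or on a mounted system image) with the root of the tree passed to locate_store; on Android 14 the APEX path is reported and its listing is the one that determines trust.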

It is important to note that this change only applies to system CA-cert
