We’ve come a long way since then, steadily retreating from openness & user control of devices, and shifting towards a far more locked-down vendor-controlled world.
The next step of Android’s evolution is Android 14 (API v34, codename Upside-Down Cake) and it takes more steps down that path. In this new release, the restrictions around certificate authority (CA) certificates become significantly tighter, and appear to make it impossible to modify the set of trusted certificates at all, even on fully rooted devices.
If you’re an Android developer, tester, reverse engineer, or anybody else interested in directly controlling who your device trusts, this is going to create some new challenges.
The walls are slowly but surely closing in on Android.
Thom Holwerda,
Yes, this is what many of us feared would happen living under the Google/Apple duopoly. Two choices were never enough to provide alternatives in case of power plays like this. Since Apple, the other dominant competitor, is already more restrictive, Google doesn’t have to fear any real repercussions. As much as I hate it, we need to acknowledge the fact that openness is slipping away on mobile.
I use LineageOS, and I really hope these restrictions don’t affect us too. I am very determined to run open platforms whenever I can – even to the point of incurring massive inconvenience. Openness is near the top of my list. But this hasn’t been without consequence, and unfortunately I find some applications I need for work and personal use simply will not run on my devices. And so I have to give up some apps like mobile banking. I’m growing wary that despite my personal choices, I am fighting a losing war against these corporate giants. My resistance is mostly symbolic since no matter what I do they will continue to encroach at my expense, meanwhile they won’t even feel a dent in their pocketbooks.
So is it worth putting energy into resisting dominant corporations or is it just futile in the end?
I try to follow the same philosophy but in the end I go a slightly different route. For most of my devices I run either OpenBSD, or Void Linux if the former is not fully supported on the hardware. I do have one Windows 10 machine just for playing modern games; I know especially these days I can get nearly equal performance on Linux via Proton and Wine, but it’s not quite there yet for the games I currently play so I stick with Windows. That machine stays powered off unless I’m actually playing a game or using it to transcode videos in Handbrake as it’s my most powerful computer.
Otherwise, I believe in “trust but verify”, so for things like online banking and other highly sensitive activities, I currently trust the OpenBSD devs the most both for their OS and for the OpenBSD port of Firefox, and WAY down the list from there is Apple. I absolutely do not trust Google or Microsoft anymore with my data, period. So for example, I will only access my bank account through my OpenBSD PC running Firefox, or else the official app from Apple’s app store on my iPhone. I won’t even access it on a PC that I built and physically control if it’s running Windows or ChromeOS Flex because I have zero trust in their creators.
Morgan,
If we’re talking computers, and especially x86 computers, there are lots of viable options for FOSS users. Had my dice rolled differently I could have easily opted for OpenBSD while sticking to my core philosophy. Where my philosophy gets into trouble is with mobile devices and IoT devices, where there isn’t sufficient choice and the choices that exist can involve significant compromise. The majority of consumer tech is proprietary and I’ve found that “voting with your feet/wallet” is disappointingly ineffective for me.
I’ve also found titles that don’t run on Linux. IMHO unless you’re set on playing those specific titles, there are so many titles that do work that you can ultimately get your gaming fix on Linux alone. My kids use Linux exclusively and it hasn’t been an issue for us.
Shameful
Same for me with Firefox, however I’m seeing more websites that don’t support it as it becomes more marginalized, and then I’m forced to use Chrome-based browsers. Just this week I was looking up ingredients via a grocery store website and the search feature was broken on FF. Facepalm.
Agreed, even this website has severe account security issues if you try to use FF to log in. I just had to go through the anti-robot procedure *again* to make this comment. Sadly ironic considering the scope of the site. I’m sure it’s more of a WordPress thing though since I deal with that at work (we have two sites, one a storefront, that use WordPress and I test heavily in FF whenever I make changes on the back end or even just regular updates). You’d think being a champion of Open Source that Automattic would be on top of any Firefox breaking issues with their flagship product.
It’s not always just Firefox either; I use FF at work almost exclusively, and one of my workstations is Linux based (the one I use for sysop and webdev since it’s easier and more familiar than Windows’ tooling). Sometimes I need to check a shipment on FedEx’s website and instead of switching over to my Windows workstation I just do it from the Void workstation, until the FedEx website returns a cryptic error that it couldn’t complete my request. When I do the exact same thing on Firefox on Windows it works fine. I’ve tested Chromium on Linux for that website and it also works fine, so it’s something specifically about Firefox on Linux that FedEx refuses to work with.
“In the meantime, if you want to debug your own HTTPS traffic, you’ll need to stick to Android 13.”
Not sure I understand what they mean by that. You can absolutely debug your own HTTPS traffic even if you can’t modify the trusted certs. Maybe they mean you can’t pretend to be Google or Amazon any more? If it’s your site you’re trying to debug, well, you have the backend traffic you can look at. If it’s not your site, you can just record what you’re sending before sending it. Lots of other techniques. I think the big issue is not being able to be super anal about which ones you trust. Most cert stores trust so many roots from so many companies. I’ve known companies that want to limit the cert roots to just a smaller subset. It sounds like that won’t be possible now. There are also a bunch of crazy people that do self-signed certs (don’t at me, you’re nuts for doing it; just pay the fee to someone who does it well or use Let’s Encrypt).
Bill Shooter of Bul,
What they mean is that it can be useful to use a transparent proxy to analyze/debug HTTPS traffic on your own system. Squid can do this, for example. You can set up your own CA and configure your browser and/or router to connect through Squid. This lets you use your own encryption keys, which can be provided to tools like Wireshark to provide a fully decrypted dump.
You wouldn’t care about this if you’re not an admin, but it can also be useful for parental controls.
It’s really difficult to do this because it’s encrypted in the browser. Unless you compile your own browser, you wouldn’t really have access to the unencrypted data.
I agree. Policies like this should be under owner control, not Google’s.
What is wrong with signing your own certs? I’d agree it’s above the technical capabilities of an average user, but if you’re in charge of IT infrastructure, self-signed certificates are generally more secure than outsourcing it to third parties where we implicitly trust thousands of individuals of all nationalities (not to mention probable government agents).
Tester perspective: this change is awful.
Testing a mobile app rarely means testing interactions with a single backend. There are likely 1+ APIs, 1+ web content providers, 1+ analytics endpoints, 1+ third-party integrations.
Being able to read the entire content of the device’s interactions with the network is an important capability for determining correct operation, investigating security quality aspects, and so much more.
Alternatives will be found, like local VPNs, it’s just a grind and a rather user-hostile move.
Same. They should at least put something in developer tools or options. Anything that allows testers/security personnel to intercept traffic. Put up whatever big warning you want. Make me click 50 times to make sure I know what I’m doing. Put a banner on the main screen that says this device is insecure. I don’t care.
But don’t block this kind of stuff. It is absolutely needed for the holistic software development process.
Few people realize how the centralized management and eventual lockdown and enforcement of Root CAs on our devices will ultimately lead to censorship. This must be rejected by everyone; the price for “security” is too high on this one.
This is one good example where voting with your wallet does not work. Corporations do not care if they lose some users, when it does not affect the massive sheep of people.
Remember back when phones with non-user-replaceable batteries were unacceptable, when it was considered anti-consumer and bad for the environment? Well, look where we are now. Apple made this hip on their iPhones and they have only been growing since then. When a trillion-dollar corporation does crap like this and gets away with it, other corporations follow suit.
The Android platform is turning into a locked-down shithole, one paper cut at a time. Device unlock is next on Google’s radar. There are manufacturers offering devices with no unlock capability or making it extremely unreliable/difficult to unlock the device bootloader. People fawn over how cool Apple is and Google has been taking notes. So it will be a matter of time before they do more and more of this kind of stuff.
The root certificate was used as a method to deploy an on-device proxy that could intercept ads on HTTPS system-wide on an Android phone. Previously you could do this by just installing the root certificate into the user cert store and all apps would recognize it as a valid cert. Note that when you do this, you would receive a warning that this would impact security. Now this option is gone and you would have to import the root certificate into the system cert store. On rooted devices, this would not be a problem. With this new move, however, it would be impossible. Google is trying their best to remove functionality to prevent ad blocking, which has been an ongoing battle on all of their services. So it is not about becoming like Apple as some might think, it is about tightening the noose around user freedoms on their platforms and extracting as much as possible from them.
People talk about ‘small’ governments, but this is what ineffective regulation does for us. The regulation of device chargers and charging ports is in the right direction. I’ll be interested to see how opening up app stores would work next; hope that would put a wrinkle on restricting system root certificates. But I won’t hold my breath.