Google is dropping TrustCor's root certificates from Android as questions loom about the firm's ties to U.S. intelligence agencies. Separately, Google also prepares to make Android's root store updatable via Google Play.

Read more here: https://blog.esper.io/android-14-updatable-certificates/

Android prepares updatable root certificates amidst TrustCor scare

Android will soon support updating root certificates from Google Play instead of only via OTA updates. Here's why.

Esper Blog

Last month, WaPo shared a detailed report of some pretty sketchy things TrustCor Systems, a root CA whose certificate is trusted by many major OSes and web browsers, is involved with. Recommend reading this for context: https://www.washingtonpost.com/technology/2022/11/08/trustcor-internet-addresses-government-connections/

Since that report was published, Microsoft and Mozilla announced they were dropping TrustCor's certificates. Google also announced they would do the same for the Chrome Root Store, which is used on Chrome for Windows and macOS.

https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/oxX69KFvsm4

Mysterious company with government ties plays key internet role

TrustCor Systems, which vouches for the legitimacy of websites, has connections to contractors for U.S. intelligence agencies and law enforcement, according to security researchers, documents and interviews.

The Washington Post

Google plans to drop TrustCor's certs from Android as well, which hasn't been reported yet but isn't surprising. The problem is that Android's root store can only be updated via OTA update. Fortunately, Google is making Android's root store updatable through Play System Updates!

"Android has a long-standing and well known issue with operating system updates," wrote @letsencrypt in a 2020 blog post. Remember this story? Let's Encrypt was worried outdated Android phones would see certificate warnings when DST Root X3 expired: https://letsencrypt.org/2020/11/06/own-two-feet.html

Fortunately, they found a solution that was seamless for end users: https://letsencrypt.org/2020/12/21/extending-android-compatibility.html

Had Android always supported updatable root certificates, as it soon might, this never would have been a problem.
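Both halves of this thread come down to one question for a defender: what is actually in a device's root store, and is any of it distrusted or already expired? The stdlib-only script below is an added example, not code from the thread or from Esper, Google or Let's Encrypt. It audits certificates in the dict shape that Python's `ssl.SSLContext.get_ca_certs()` returns; the `SAMPLE_STORE` entries and their dates are constructed for the example, and `REFERENCE_TIME` is a fixed "now" so the result is reproducible.

```python
import ssl
from datetime import datetime, timezone

# Constructed sample in the same shape ssl.SSLContext.get_ca_certs() returns.
# Subject names echo the CAs discussed above; the dates are illustrative only.
SAMPLE_STORE = [
    {"subject": ((("organizationName", "TrustCor Systems S. de R.L."),),
                 (("commonName", "TrustCor RootCert CA-1"),)),
     "notAfter": "Dec 31 23:59:59 2029 GMT"},
    {"subject": ((("organizationName", "Digital Signature Trust Co."),),
                 (("commonName", "DST Root CA X3"),)),
     "notAfter": "Sep 30 14:01:15 2021 GMT"},
    {"subject": ((("organizationName", "Internet Security Research Group"),),
                 (("commonName", "ISRG Root X1"),)),
     "notAfter": "Jun  4 11:04:38 2035 GMT"},
]


def _name_field(name_tuple, field):
    """Pull one attribute (e.g. commonName) out of the nested RDN tuples."""
    for rdn in name_tuple:
        for key, value in rdn:
            if key == field:
                return value
    return None


def parse_not_after(text):
    """Parse OpenSSL's textual date ('Sep 30 14:01:15 2021 GMT') as UTC."""
    return datetime.strptime(text, "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)


# Fixed reference time (constructed) so the audit below is deterministic.
REFERENCE_TIME = parse_not_after("Dec  1 00:00:00 2022 GMT")


def audit_store(certs, distrusted_org, now=None):
    """Return roots from a distrusted organization and roots already expired."""
    now = now or datetime.now(timezone.utc)
    report = {"distrusted": [], "expired": []}
    for cert in certs:
        cn = _name_field(cert["subject"], "commonName")
        org = _name_field(cert["subject"], "organizationName") or ""
        if distrusted_org.lower() in org.lower():
            report["distrusted"].append(cn)
        if parse_not_after(cert["notAfter"]) <= now:
            report["expired"].append(cn)
    return report


if __name__ == "__main__":
    # Run the same audit against the roots this Python/OpenSSL actually trusts.
    live = ssl.create_default_context().get_ca_certs()
    print(audit_store(live, "TrustCor"))
```

On a device whose store only changes with an OTA, the "expired" list is exactly the kind of stale root Let's Encrypt had to work around; an updatable store lets the vendor drop a distrusted entry without waiting for a firmware image.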

Standing on Our Own Two Feet [Updated] - Let's Encrypt

Update, July 10, 2023: See our new blog post for details on the September 2024 expiration of the newer ISRG Root X1 cross-sign from IdenTrust.
Update, December 21, 2020: Thanks to community feedback and our wonderful partners at IdenTrust, we will be able to continue to offer service without interruption to people using older Android devices. We flagged the content of this blog post that is no longer accurate.

For the full breakdown on how updatable certificates could work in Android, what the heck these certificates are in the first place, what the deal was with Let's Encrypt, and what's happening with TrustCor, this article covers everything: https://blog.esper.io/android-14-updatable-certificates/