Further CA Certificate Restrictions

In general, having custom certificate authority (CA) certificates in a device opens up security problems. CAs are used to verify SSL/TLS certificate chains, and a fraudulent CA certificate makes it possible for malicious parties to pretend to be Web sites and services that they are not. Google has been slowly tightening the screws on where these certificates can come from for years.

However, there are plenty of legitimate uses for them, including enterprises (who sometimes use custom certificate authorities to help secure their own internal Web sites) and debugging tools (HTTP Toolkit, Charles Proxy, etc.).

Android 11 adds a lightly-documented new restriction: apps cannot ask users to install a certificate via KeyChain.createInstallIntent(). Added back in Android 4.1, this method would build an Intent where you could supply a CA certificate via an Intent extra, and a startActivityForResult() call would ask the user if she wanted that certificate to be installed. For CA certificates, on Android 11 and higher, this no longer works.

Instead, users now need to do this manually:

And, of course, these instructions will vary by manufacturer, as manufacturers have a habit of changing how the Settings app looks and works.

See this blog post for more on the subject.


Prev Table of Contents Next

This book is licensed under the Creative Commons Attribution-ShareAlike 4.0 International license.