Google is dropping TrustCor’s root certificates from Android as questions loom about the firm’s ties to U.S. intelligence agencies. Separately, Google is also preparing to make Android’s root store updatable via Google Play.
Last month, the Washington Post published a detailed report on some pretty sketchy things that TrustCor Systems, a root CA whose certificate is trusted by many major OSes and web browsers, is involved with. I recommend reading it for context.
Since that report was published, Microsoft and Mozilla announced they were dropping TrustCor’s certificates. Google also announced they would do the same for the Chrome Root Store, which is used on Chrome for Windows and macOS.
Google plans to drop TrustCor’s certs from Android as well, which hasn’t been reported yet but isn’t surprising. The problem is that Android’s root store can only be updated via OTA update. Fortunately, Google is making Android’s root store updatable through Play System Updates!
“Android has a long-standing and well-known issue with operating system updates,” wrote @letsencrypt in a 2020 blog post. Remember this story? Let’s Encrypt was worried outdated Android phones would see certificate warnings when DST Root X3 expired.
Fortunately, Let’s Encrypt found a solution that was seamless for end users. Had Android always supported updatable root certificates as it will soon, then this never would’ve been a problem.
For a breakdown of how updatable certificates will work in Android, what the heck these certificates are in the first place, what the deal was with Let’s Encrypt, and what’s happening with TrustCor.