Android 14 finally fixes this decade-old security hole

Tom Colvin
4 min readFeb 10, 2023

--

Photo by Olga Vilkha

Android has a security weakness that we’ve known about for years. Since, in fact, its very early versions. It’s taken until this year’s release — Android 14, which has just been released to developers — to build the architecture needed for a solution.

And development has no doubt been boosted by a recent but little-known (outside of security circles) near-disaster.

It all has to do with how your phone knows what’s trustworthy and what isn’t…

How trust works on the internet — a primer

When you go to, say, www.natwest.com, your browser will show a little padlock which indicates that it trusts the website. That means it’s seen proof that it really is the genuine natwest.com, rather than a clone that a hacker has misdirected you to.

How does it establish this trust? It asks for, and receives, a certificate from the website to indicate who it belongs to.

And why does it trust that certificate? Can’t that also just be duplicated by a hacker? The answer is that the certificate has been stamped (or signed in cryptographic terms) by an authority. The browser trusts the authority, so it trusts anything it signs.

Then, finally, how does the browser know to trust the signing authority? Because the signing authority’s certificate has itself been signed by another authority, which has been signed by another… all the way up to a so-called root authority.

There are about 75 such root authorities, and their certificates are installed pre-trusted on every operating system.

Android Settings screenshot
Android’s list of trusted root certificates

Regular updates are essential

It is obviously critical to the fabric of the internet that these certificates are regularly updated. If one gets compromised, the only recourse we have is to remove it from people’s devices.

This was underlined a couple of months ago by the breakdown in trust of TrustCor, who were accused of having an improperly close relationship with a US military contractor responsible for malware in mobile apps. Microsoft and Mozilla responded very quickly by removing TrustCor’s certificates from their trusted stores.

The TrustCor situation was a wake-up call. Whilst less than urgent (TrustCor wasn’t directly implicated in any malicious activity), it demonstrated that speed of updates to the trusted store really was essential to maintaining security.

And this is where Android has always had a problem.

Why Android ≤ 13 has a problem with this

Android OS upgrades are slow to roll out. As Android is an open-source operating system built independently of hardware manufacturers, it’s down to those manufacturers to adapt new releases to support their devices. Sometimes new versions of Android have new hardware requirements, which can completely break compatibility with older hardware. Either way it’s common for devices to get left behind after several years¹.

But the root certificates are part of the Android OS. So, if you’re not getting OS updates any more, then you’re not updating root certificates.

How Android 14 solves it

In Android 14, the root certificate store can now be updated from Google Play. So certificates can be updated as part of the nightly app updates that your phone performs whilst you’re asleep.

Root certificate changes, therefore, are now handled separately to OS version updates (what Android calls Over The Air [OTA] updates).

So finally, we have the architecture we need to solve this decade-old security flaw.

And in Android 14, TrustCor’s certificates are no longer there. This is new — my Android 13 phone with the latest updates still has them.

So there we go. That’s how trust on the internet nearly broke down, how Android nearly wasn’t able to deal with it, and how it’s all changed since then. Future disaster averted?

Tom Colvin is an Android and security specialist. He is available as a freelancer. He is the co-founder of the app development specialists Apptaura, where he builds and runs the development team.

[1] From a consumer perspective, Android’s answer to its slow update problem is excellent past version support at an app level. It doesn’t matter if your phone only supports Android 10 — you can still run all the latest apps. In fact, it’s common for apps to support Android versions 7 or 8 years back — potentially making a 9 or 10 year old phone perfectly usable.

--

--

Tom Colvin

Google Developer Expert in Android and CTO of Apptaura, the app development specialists. Available on consultancy basis. All articles 100% me, no AI.