Android 7.1 and certificate authorities: unfortunately, I was being too pessimistic
I wrote a piece about Android 7 and its certificate authority system. Now that Android 7.1 has been released, most of the problems I predicted turned out not to materialize.
If you read my previous blog post (you probably haven't), you know that I have been very pessimistic about the certificate authority system introduced in Android 7.
I was expecting many apps to break in some environments I work with. It turns out, this was not the case. This is actually a problem!
You see, if an application uses sensible security defaults, it will not send sensitive data over a connection that does not present the certificate belonging to its API server. So behind a corporate TLS-intercepting proxy, most apps should break. It seems, however, that many apps still work. Why is that?
Well, apps don't use sensible security settings! Even though certificate pinning is just a single line of code, nobody seems to use it. Only a few apps, like Twitter and Facebook, use certificate pinning. And those apps had it built in before Android 7 was even announced!
So why is this a problem? This is a problem because it makes connections easy to intercept. There are a lot of shady VPN applications. Understanding how certificate authorities work is hard. Combine these two facts and you have users installing random certificates because their VPN app, which allows them to view the American Netflix library, asked them to do it.
So this is a message to all of you Android developers out there: implement certificate pinning! It's not hard, and it protects your users from leaking their data by accident. It will also make reverse engineering your application harder, so there is a (very) little bit in it for you too!
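As an added illustration (not code from the original post), this is what pinning looks like with the network security configuration that Android 7 introduced. The domain and the two pin values are placeholders: each pin must be the base64-encoded SHA-256 of a server certificate's SubjectPublicKeyInfo, and the file is referenced from the manifest as shown in the trailing comment.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml (example; domain and pins are placeholders) -->
<network-security-config>
    <domain-config cleartextTrafficPermitted="false">
        <domain includeSubdomains="true">api.example.com</domain>

        <!-- Only the system CA store is trusted for this domain; user-added
             CAs (e.g. one installed at the request of a VPN app or an
             intercepting proxy) are not. -->
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>

        <!-- The connection is rejected unless one certificate in the chain
             matches a pin. Ship at least one backup pin for a key you hold
             offline, so a key rotation does not lock your users out. After
             the expiration date the pins stop being enforced, which keeps an
             un-updated app working (but unpinned) rather than broken. -->
        <pin-set expiration="2018-12-31">
            <pin digest="SHA-256">PLACEHOLDER_BASE64_SHA256_OF_CURRENT_SPKI=</pin>
            <pin digest="SHA-256">PLACEHOLDER_BASE64_SHA256_OF_BACKUP_SPKI=</pin>
        </pin-set>
    </domain-config>
</network-security-config>

<!-- AndroidManifest.xml: point the application at the config above
     <application android:networkSecurityConfig="@xml/network_security_config" ...>
-->
```

With this in place, a TLS-intercepting proxy or a user-installed CA yields a connection failure for api.example.com instead of silently exposing the traffic, which is exactly the breakage the post expected to see.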
Written by Jeroen on February 16, 2017