systemtruststores / systemtruststores.github.io


Android support #18

Open chriskilding opened 2 years ago

chriskilding commented 2 years ago

Briefly document Android's native trust store...


Standard Android apps are written in JVM languages (like Java) and run on Android Runtime (ART).

By default, they integrate with the Android System Trust Store. You do not need to do anything extra to enable this.

However, simply putting a new certificate in the System Trust Store does not necessarily mean that apps will trust it.

There are different certificate sources within the System Trust Store (System certificates and User certificates), and Android apps treat them differently:

Android apps can enable or disable trust of various certificate types with the Network Security Configuration in their app manifest (res/xml/network_security_config.xml):

<network-security-config>
    <base-config>
        <trust-anchors>
            <certificates src="system" /><!-- Trust System certificates -->
            <certificates src="user" /><!-- Trust User certificates -->
            <certificates src="@raw/my_ca"/><!-- Trust custom certificates shipped in the app bundle -->
        </trust-anchors>
    </base-config>
</network-security-config>

When an app uses certificate pinning, both System and User certificates are untrusted, and only the custom certificates (or fingerprints) specified in the app bundle are trusted.

So the answer to the question "will Android apps trust a given certificate" is "it depends".

Source: https://developer.android.com/training/articles/security-config
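As an added illustration of the config format discussed above (not code from the issue author or the systemtruststores project), the following script parses a Network Security Configuration and reports, per scope, which trust-anchor sources are enabled and whether a pin-set is declared. The sample XML is constructed for the example and assumes the app targets API 24 or later, where a missing `<base-config>` means system anchors only.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the issue's base-config plus a pinned domain-config.
# This is an added example, not a file from the systemtruststores project.
SAMPLE_NSC = """<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config>
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />
            <certificates src="@raw/my_ca" />
        </trust-anchors>
    </base-config>
    <domain-config>
        <domain includeSubdomains="true">api.example.com</domain>
        <pin-set expiration="2030-01-01">
            <pin digest="SHA-256">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=</pin>
        </pin-set>
    </domain-config>
</network-security-config>
"""

def trust_anchor_sources(config_elem):
    """Return the set of <certificates src=...> values declared under a config element."""
    return {c.get("src") for c in config_elem.findall("./trust-anchors/certificates")}

def summarize_nsc(xml_text):
    """Map each scope ('base' or a domain) to its anchor sources and pinning status."""
    root = ET.fromstring(xml_text)
    summary = {}
    base = root.find("base-config")
    summary["base"] = {
        # Assumption: target API >= 24, so no <base-config> means system anchors only.
        "sources": trust_anchor_sources(base) if base is not None else {"system"},
        "pinned": False,
    }
    for dc in root.findall("domain-config"):
        sources = trust_anchor_sources(dc)
        # A domain-config with no trust-anchors of its own inherits the base anchors.
        if not sources:
            sources = summary["base"]["sources"]
        pinned = dc.find("pin-set") is not None
        for d in dc.findall("domain"):
            summary[d.text.strip()] = {"sources": sources, "pinned": pinned}
    return summary
```

Running `summarize_nsc(SAMPLE_NSC)` shows that the base scope trusts system, user and the bundled CA, while `api.example.com` additionally requires a pin match; nested `<domain-config>` elements are not handled here.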

chriskilding commented 1 year ago

Mobile operating systems are quite different to desktop operating systems when it comes to handling certificates...

When we install e.g. a runtime or interpreter on a desktop OS, it's installed system-wide, and we will give it scripts or programs of our choosing to run. We expect this to integrate with our system truststore, and use certificates that we specify.

When we install an app on a phone, it exists in its own isolated world. Commercial apps take this idea the furthest, where the app may exist with an isolated Web service too. For example, the Twitter app will only communicate with twitter.com. As such it's reasonable for it to use certificates that the app developer specifies (via certificate pinning), or the mobile OS system truststore if pinning is not used.

You can install programming language interpreters (or runtimes) on phones with two approaches:

Within the constraints of app sandboxing, they will be able to access system APIs and resources. In both cases, we will give that interpreter scripts or programs of our choosing to run. Therefore, I believe we would expect them to mimic desktop behaviour and use the Android System Trust Store.

The remaining question is whether they should extend to using User Certificates from the System Trust Store. I don't have a view on this yet, but I believe the two approaches may diverge here.