Picture this: you unlock your (admittedly very old) phone one day to look something up, only to find that most, if not all, websites refuse to connect and throw up security warnings instead. This very nearly happened to phones running Android versions older than 7.1.1 in 2021, when a widely used root certificate (Let's Encrypt's DST Root CA X3) expired. The problem was averted thanks to a quirk in how Android handles such expired certificates: the platform does not enforce the expiry date of a root it already trusts, so a certificate chain that was cross-signed by the expired root kept validating. Google is now looking for a more permanent solution, and it could arrive in Android 14.

As Esper.io's senior technical editor Mishaal Rahman spotted in the Android Open Source Project code, Google is working on a new Mainline module that makes it possible to update root certificates on the fly. Right now, the system root store is only updated as part of full system updates, which rarely reach older devices, the very devices most likely to end up with an outdated set of roots.

Rather than being part of the system image itself, the new certificate module can be updated through Google Play system updates. This lets Google push new or removed roots as they are needed, keeping devices able to connect to the sites you visit. It's the same mechanism many other Android components have used for a while, Bluetooth included.

This new approach is good for another reason, too. Root certificates are trust anchors: a browser accepts a site's certificate only if it chains up to a root the device trusts, so whoever controls a trusted root can vouch for any site. One of these root certificate authorities, TrustCor, was recently found to have ties to a company that supplies intelligence services with spyware. While no mis-issued TrustCor certificates were found, browser and OS vendors are quickly dropping it from their root stores for fear that something fishy could be going on. After all, a root in the wrong hands could be used to issue certificates for any site, letting an intercepting party impersonate that site and read traffic the user believes is encrypted end to end. Android is removing TrustCor's certificates through full system security updates, but it would be preferable if Google could turn a root off faster than that.

The problem of outdated root certificates is particularly big on Android. Here, most apps and browsers rely on the built-in system root store to verify secure connections, while on Windows and macOS many applications bundle their own, independently updatable root store. Chrome, in fact, only recently introduced a root store of its own (a root store being simply the set of root certificates a piece of software trusts). On Android, the prominent example of an app that ships its own root store is Firefox, which means the browser keeps working on older Android phones even when a system root certificate has expired, as long as Mozilla keeps its store updated. Thankfully, the next important root certificate expiry, that of Let's Encrypt's ISRG Root X1, is only due in 2035, so an issue like the 2021 one is not expected anytime soon.
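The practical check that follows from all this is to look at what a root store actually contains: which roots have expired or are about to, and which belong to an organization you no longer want to trust. The example below is added here to illustrate that; it is not code from the article, from Esper, or from Google or the Android project. It uses only the Python standard library and the dict shape that `ssl.SSLContext.get_ca_certs()` returns, and it also goes beyond the paragraph above by modelling the trust-anchor expiry quirk from the opening paragraph (dates only, no signature checks). All certificate records in `SAMPLE_ROOTS` and `SAMPLE_CHAIN` are constructed for the demonstration, with names and dates modelled on the 2021 incident rather than dumped from a real device.

```python
"""Audit a root store and model Android's trust-anchor expiry quirk.

Added example for this article (not code from Esper, Google or the Android
project). Standard library only. Certificate records use the dict shape that
ssl.SSLContext.get_ca_certs() returns; everything in SAMPLE_ROOTS and
SAMPLE_CHAIN is constructed for the demonstration (names and dates are
modelled on the 2021 incident, not dumped from a real device).
"""
import ssl
from datetime import datetime, timedelta, timezone


def _rdn_value(name, attr):
    """Return one attribute (e.g. 'commonName') from an ssl-style name tuple."""
    for rdn in name:
        for key, value in rdn:
            if key == attr:
                return value
    return None


def _name(org, cn):
    return ((("organizationName", org),), (("commonName", cn),))


def _as_dt(when):
    """Accept either an aware datetime or a cert-time string in the format
    ssl uses ('Sep 30 14:01:15 2021 GMT'), parsed with ssl's own parser."""
    if isinstance(when, datetime):
        return when
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(when), tz=timezone.utc)


def _cert(subject, issuer, not_before, not_after):
    return {"subject": subject, "issuer": issuer,
            "notBefore": not_before, "notAfter": not_after}


# Constructed sample root store (three entries, not a real device dump).
DST = _name("Digital Signature Trust Co.", "DST Root CA X3")
ISRG = _name("Internet Security Research Group", "ISRG Root X1")
TCOR = _name("TrustCor Systems S. de R.L.", "TrustCor RootCert CA-1")
SAMPLE_ROOTS = [
    _cert(DST, DST, "Sep 30 21:12:19 2000 GMT", "Sep 30 14:01:15 2021 GMT"),
    _cert(ISRG, ISRG, "Jun  4 11:04:38 2015 GMT", "Jun  4 11:04:38 2035 GMT"),
    _cert(TCOR, TCOR, "Feb  4 12:32:16 2016 GMT", "Dec 31 17:23:16 2029 GMT"),
]


def audit_roots(roots, now, distrusted_orgs=(), horizon_days=365):
    """Classify each root as expired, expiring within horizon_days, and/or
    belonging to an organization on a local distrust list. Returns a dict of
    commonName lists, in store order."""
    now = _as_dt(now)
    report = {"expired": [], "expiring": [], "distrusted": []}
    for cert in roots:
        cn = _rdn_value(cert["subject"], "commonName")
        org = _rdn_value(cert["subject"], "organizationName")
        not_after = _as_dt(cert["notAfter"])
        if not_after <= now:
            report["expired"].append(cn)
        elif not_after <= now + timedelta(days=horizon_days):
            report["expiring"].append(cn)
        if org in distrusted_orgs:
            report["distrusted"].append(cn)
    return report


# Constructed chain as an old Android device saw it in October 2021:
# leaf -> R3 -> ISRG Root X1 (cross-signed by DST Root CA X3) -> DST Root CA X3.
R3 = _name("Let's Encrypt", "R3")
LEAF = _name("Example Site", "www.example.com")
SAMPLE_CHAIN = [
    _cert(LEAF, R3, "Oct  1 00:00:00 2021 GMT", "Dec 30 00:00:00 2021 GMT"),
    _cert(R3, ISRG, "Sep  4 00:00:00 2020 GMT", "Sep 15 16:00:00 2025 GMT"),
    _cert(ISRG, DST, "Jan 20 19:14:03 2021 GMT", "Sep 30 18:14:03 2024 GMT"),
    SAMPLE_ROOTS[0],  # the expired trust anchor from the device's store
]


def chain_dates_ok(chain, now, enforce_anchor_expiry):
    """Validity-period part of path validation for a chain ordered
    leaf -> ... -> trust anchor. Signature verification is deliberately out
    of scope here; the point is which validity windows get enforced. Android
    does not enforce the expiry of a trust anchor it already holds, which is
    what enforce_anchor_expiry=False models."""
    now = _as_dt(now)
    last = len(chain) - 1
    for i, cert in enumerate(chain):
        if i == last and not enforce_anchor_expiry:
            continue  # anchor is trusted as-is, its dates are not re-checked
        if not (_as_dt(cert["notBefore"]) <= now <= _as_dt(cert["notAfter"])):
            return False
    return True


if __name__ == "__main__":
    then = "Oct 15 00:00:00 2021 GMT"
    print(audit_roots(SAMPLE_ROOTS, then, distrusted_orgs={"TrustCor Systems S. de R.L."}))
    print("strict validator:", chain_dates_ok(SAMPLE_CHAIN, then, True))
    print("android-style   :", chain_dates_ok(SAMPLE_CHAIN, then, False))
    # Same audit over whatever root store this Python's ssl module loaded.
    live = ssl.create_default_context().get_ca_certs()
    print(audit_roots(live, datetime.now(timezone.utc)))
```

Run as a script it prints the sample audit (DST Root CA X3 expired, TrustCor flagged by the local distrust list), shows that a strict validator rejects the October 2021 chain while the Android-style one accepts it, and then repeats the audit over the root store your own Python loaded. On Linux builds that load roots from a hashed directory rather than a bundle file, `get_ca_certs()` may come back empty; point `ssl.create_default_context(cafile=...)` at a bundle if you want the live audit there.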

For a deeper dive into the whole topic, check out Mishaal Rahman's post on Esper. He goes into depth on what root certificates are and why they matter.