Android Nougat may contain traces of NOT for users of custom CAs

Google's new cert policy should make it harder to chew through its mobile OS


Google will sweeten the forthcoming Nougat release of Android by changing the way apps work with certificate authorities (CAs) and simplifying APIs.

The changes will affect only some apps and users, Android security team software engineer Chad Brubaker says.

The changes mean Google will not automatically trust user-selected CAs. Instead, all Android devices running Nougat and later versions of Android will run a standard set of Google-trusted AOSP certificate authorities, forcing some developers to change their apps if non-trusted certificate authorities are needed.

"Previously, the set of preinstalled CAs bundled with the system could vary from device to device," Brubaker says.

"This could lead to compatibility issues when some devices did not include certificate authorities that apps needed for connections as well as potential security issues if certificate authorities that did not meet our security requirements were included on some devices."

Developers can request that a certificate authority be included.

Customising trusted certificate authorities will be easier on Nougat thanks to the network security configuration tool, which allows trust to be specified across an entire app or just for particular domains.

Google has also improved APIs used to customise trusted certificate authorities after developers borked the current mechanisms thanks to Java TLS APIs.

Nougat will have a new way for apps to interact with user and admin certificate authorities under which apps targeting API level 24 will not honour such certificate authorities unless apps opt in.

Brubaker says this is a safer default setting that will reduce application attack surfaces and encourage consistent handling of network and file-based application data. ®
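The app-wide, per-domain and opt-in trust settings described above live in an app's network security configuration XML. The following added example (not from the article or from Android's own code) audits two constructed configurations for scopes that trust user-installed CAs outside debug builds; the domain `internal.example.com`, the resource `@raw/internal_ca` and the function names are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample: opts the whole app back in to user-installed CAs.
PERMISSIVE = """<network-security-config>
  <base-config>
    <trust-anchors>
      <certificates src="system"/>
      <certificates src="user"/>
    </trust-anchors>
  </base-config>
</network-security-config>"""

# Constructed sample: system CAs app-wide, a bundled private CA for one
# hypothetical domain, user CAs only in debuggable builds.
SCOPED = """<network-security-config>
  <base-config>
    <trust-anchors><certificates src="system"/></trust-anchors>
  </base-config>
  <domain-config>
    <domain includeSubdomains="true">internal.example.com</domain>
    <trust-anchors><certificates src="@raw/internal_ca"/></trust-anchors>
  </domain-config>
  <debug-overrides>
    <trust-anchors><certificates src="user"/></trust-anchors>
  </debug-overrides>
</network-security-config>"""

def trust_scopes(xml_text):
    """Return {scope: [certificate sources]} for each top-level section."""
    scopes = {}
    for section in ET.fromstring(xml_text):
        if section.tag == "domain-config":
            names = ",".join(d.text.strip() for d in section.findall("domain"))
            scope = f"domain:{names}"
        else:
            scope = section.tag  # base-config or debug-overrides
        certs = section.findall("trust-anchors/certificates")
        scopes[scope] = [c.get("src") for c in certs]
    return scopes

def user_ca_in_release(xml_text):
    """Scopes, other than debug-overrides, that trust user-installed CAs."""
    return [scope for scope, srcs in trust_scopes(xml_text).items()
            if scope != "debug-overrides" and "user" in srcs]

if __name__ == "__main__":
    for name, cfg in (("permissive", PERMISSIVE), ("scoped", SCOPED)):
        print(name, trust_scopes(cfg), user_ca_in_release(cfg))
```

Nested `domain-config` elements are not walked here; only top-level sections are reported.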


Biting the hand that feeds IT © 1998–2022