[mhils]

This is true for the app store top 10, but from what I've seen not much out of that. In practical terms, the bigger problem is Android 8, which does not trust user-added CAs for app traffic (https://github.com/mitmproxy/mitmproxy/issues/2054#issuecomm...). It's a really odd move by Google against privacy researchers.

[nnd]

Weird, so much for a "hacker-friendly" operating system.

I wonder if you can bypass this behavior by rooting the device?

[tarnacious_]

If you have root access, you can [1]. You can also build your own apps to trust the "user" certificates [2].

[1]: https://blog.jeroenhd.nl/article/android-7-nougat-and-certif...

[2]: https://android-developers.googleblog.com/2016/07/changes-to...