by ZeWaren 1018 days ago
I have a private PKI I use to connect to my self-hosted software: email server, calendar provider, notes server, photo sync tool, etc.

I NEED to be able to add my root cert to the list of certified authorities.

I don't need to change anything to the system provided list. I just need to add mine. It's my device, I'd like to be able to change anything if I want to.

4 comments

You can install your own CA certificate in the user certificate store, and it will be trusted by Chrome and any other app which opts into user-installed CAs, which should include email and calendar apps.

What is unlikely to work is installing your own CA and using it to intercept traffic between apps and the app-makers' servers. That sucks - you should be able to inspect what your own device is doing - but your use case of using a private PKI for your self-hosted software is definitely supported.

You should also have the final say in what is NOT trusted. Not merely adding a cert to trust.
You can disable individual system certificates in the "Trusted credentials" settings panel.
>That sucks

It's insecure. If you are a bank app you don't want other people to be able to steal the user's password by installing a new certificate.

How often does this happen on phones? Why do banks still allow desktop usage then?
It doesn't matter how often it happens. It's a vulnerability that people will end up being exploited or the data will end up being stolen by another hacker.

Not all banks allow desktop usage. Some banks restrict certain functionality from the web interface since it is less secure.

It absolutely matters how often it happens. Otherwise we should start imprisoning everyone in the hopes of getting that one serial killer by the same principle. Some cures are worse than the disease.
This is not the same scenario as the user installing a new certificate themselves.
Someone's company can install a certificate onto employees' work phones.
Tough shit. If you are a lot of things you want or don't want a lot of things. It doesn't mean they have a right to the thing they want or don't want.
Same for me, but don't a lot of corporate IT policies deploy root certificates to devices too? You'd think there has to be a way to do it.
User certificates still work fine. Apps have to opt into the user CA store (many of them don't) but any app deployed by IT should be fine. Chrome works, Firefox can be made to work, and I believe the Gmail app also works with user CA certificates.
Thanks for the clarification, I was pretty confused by the article on this detail myself. Per app opt seems like a reasonable compromise for my use as long as the browser recognizes my CA, as that's the one I care about.
The biggest issue is that the developer needs to opt in, the user can't decide "my email client should trust this certificate".
One alternative is to use public CAs on your private networks. I've been working on tooling for this at getlocalcert [1]. Sidestepping the need to add a trust root makes the public-on-private approach a net win for some networks. I honestly wasn't expecting Android to block private CAs, but I guess here we are.

[1] https://www.getlocalcert.net/

That looks super convenient! However, some reverse engineering tasks would still require root CA certificates, for example observing app traffic.
I was also confused about that. I don't use an Android phone currently, but I remember you could add your own CA certificates to an Android phone -without being root, just using some option under settings- and at least applications like the web browser would trust them. And I'm not talking about long ago. So I couldn't understand if the need of rooting your device to install custom certificates was for something different.
On Android 7, Google changed the defaults for certificates. Previously, apps trusted system certificates and user certificates unless they opted out. On Android 7, apps have to opt into trusting the user certificate store.

Browsers opt in, or in the case of Firefox, can be configured through hidden settings to opt in. Many other apps don't, though.

If you're trying to intercept traffic or use apps that should opt in but don't, the system store could be altered with root access so that these apps still trusted the certificates you're trying to inject. However, most apps worth their salt implement certificate pinning, so that's hardly reliable anymore. It's an old workaround that works on some apps but not on most.

Furthermore, Google Chrome and derivatives require certificates to be logged publicly so malicious CAs can't mess with random domains. Your private CA isn't logged in the public record, so adding the certificate to the system store actually breaks HTTPS for many browsers. You can add the cert to both stores to make it work, but it's kind of a hack.

On iOS loading certificates is easier, but you'll still need to work around certificate pinning if you want to intercept HTTPS traffic.
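
Added example, not part of the thread: the per-app opt-in described above is declared in an app's Network Security Configuration XML, and this Python check reports in which scopes a given config trusts the user CA store. The sample config, the host name `mail.home.example` and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample config: user CAs trusted for one self-hosted host only.
SAMPLE_CONFIG = """<network-security-config>
  <base-config>
    <trust-anchors><certificates src="system" /></trust-anchors>
  </base-config>
  <domain-config>
    <domain includeSubdomains="true">mail.home.example</domain>
    <trust-anchors>
      <certificates src="system" />
      <certificates src="user" />
    </trust-anchors>
  </domain-config>
  <debug-overrides>
    <trust-anchors><certificates src="user" /></trust-anchors>
  </debug-overrides>
</network-security-config>"""


def anchor_sources(node, inherited):
    """Return the set of <certificates src=...> values, or the inherited set."""
    trust = node.find("trust-anchors") if node is not None else None
    if trust is None:
        return inherited
    return {c.get("src") for c in trust.findall("certificates")}


def user_ca_scopes(xml_text, target_sdk=24):
    """Map each scope (base, per-domain, debug-only) to whether user CAs are trusted."""
    root = ET.fromstring(xml_text)
    # Platform default when nothing is declared: system store only for apps
    # targeting API 24 (Android 7) or later, system + user before that.
    default = {"system"} if target_sdk >= 24 else {"system", "user"}
    base = anchor_sources(root.find("base-config"), default)
    scopes = {"base": "user" in base}
    # Top-level domain-config entries only; nested ones are not walked here.
    for dc in root.findall("domain-config"):
        trusted = "user" in anchor_sources(dc, base)
        for domain in dc.findall("domain"):
            scopes[domain.text.strip()] = trusted
    # debug-overrides applies only to debuggable builds.
    debug = anchor_sources(root.find("debug-overrides"), set())
    scopes["debug-only"] = "user" in debug
    return scopes


if __name__ == "__main__":
    for scope, trusted in user_ca_scopes(SAMPLE_CONFIG).items():
        print(f"{scope}: user CA store {'trusted' if trusted else 'not trusted'}")
```

An app that ships no config at all falls back to the platform default, which is why the same private CA can work in a browser and fail in another client on the same phone.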

Thanks for your explanation! What I remember is from an Android version more recent than 7, probably 10, but maybe the browser was Firefox so in that case there was no need to have your device rooted.