by jeroenhd 1001 days ago
Android 7 lacked the Let's Encrypt root certificate, and could only use Let's Encrypt-protected sites because their original root CA was cross-signed by another CA.

The cross-signed CA certificate expired, so that solution stopped working. This meant that every app that connects to sites with LE certificates ran into HTTPS validation issues.

For browsers and other apps that opt into the user certificate store, the solution was simple: download the new Let's Encrypt CA and import it into the user store.

However, the system store, which all apps default to, couldn't be altered, because it was part of the ROM. That meant that every app that chose not to opt into the user-provided certificate store broke on Android 7 once the cross-signed certificate authority certificate expired.

Many app developers don't know about these stores (or, let's be honest, about the details of HTTPS) and other apps explicitly chose not to opt in. Before the expiration of LE, the user store was used almost exclusively for MitM attacks; some by nation states like Kazakhstan, some by people reverse engineering apps, others by stalkerware. There are apps that have to work with MitM interception for certain businesses (for example, because of regulations regarding secrets) but those will usually be aware of the issue and provide an opt-in if they want to keep that customer.

That's why Google opted to make the user store opt-in in the first place. This broke the workflow of people like me, who run their own internal CA, against better judgement, for stuff like home lab servers.

So, in short: a security measure combined with manufacturers dropping support for their phones after ridiculously short amounts of time meant that Android 7 users couldn't access tons of apps and websites.
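The opt-in the comment refers to is Android's Network Security Configuration (available since Android 7.0 / API 24). The file below is an added example, not code from the comment or from any app it mentions; it assumes the app's manifest references it with `android:networkSecurityConfig="@xml/network_security_config"`, that `example.com` stands in for the app's own backend, and that the Let's Encrypt root is bundled as a raw resource under the assumed name `isrgrootx1`.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml (constructed example) -->
<network-security-config>
    <!-- Applies to every connection the app makes unless a domain-config overrides it. -->
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <!-- Roots baked into the ROM: the only anchors trusted by default on API 24+,
                 and the set that could not be updated on an abandoned Android 7 device. -->
            <certificates src="system" />
            <!-- Opt in to roots the device owner installed via Settings. This is what let
                 Android 7 users repair Let's Encrypt sites by importing the new root
                 themselves; it also means any user-installed interception root is trusted,
                 which is the trade-off the comment describes. -->
            <certificates src="user" />
        </trust-anchors>
    </base-config>

    <!-- Alternative for an app's own backend that does not widen trust to the user store:
         ship the missing root inside the APK (assumed resource: res/raw/isrgrootx1.pem). -->
    <domain-config>
        <domain includeSubdomains="true">example.com</domain>
        <trust-anchors>
            <certificates src="system" />
            <certificates src="@raw/isrgrootx1" />
        </trust-anchors>
    </domain-config>
</network-security-config>
```

Only one of the two approaches is usually needed: `src="user"` trusts whatever the device owner imports, while the bundled root keeps trust pinned to what the app ships.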