Badly configured root certificates on an Android device can leave the device open to attack, break apps, and stop services from working. It's necessary to be able to install root certificates on Android securely, and to update them, so that apps continue to work and the device remains secure.
In this guide, we'll define what Android trusted root certificates are, how to install root certificates on Android, and how to update them.
To enable secure network communications, devices need a way to encrypt those communications. For a client device to establish that it's communicating with a trusted server, it inspects the server's security certificate.
The server's certificate contains:
A server (or domain) receives its certificate from a Certificate Authority (CA)—an organization entrusted to validate the identity of the entities it issues certificates to. That CA is either a root Certificate Authority (the top of the chain) or an intermediate CA. Every intermediate CA has a certificate signed by the CA above it; the CA at the top of the chain is the root authority.
Client devices lack the ability to establish the truthfulness of the details contained in a certificate. For example, anyone can create a fraudulent certificate saying that it owns the domain google.com. That's why devices must trust CAs, whose job it is to verify this information.
A device contains a highly secure store of Root Certificates. These certificates come pre-bundled in devices and have been verified to originate from valid Root Certificate Authorities.
For example, below is a screenshot of the Root CAs managed by the Chromium Project:
Image: Root Certificate Authorities | Source: Chrome Root Store / Screenshot
When a device receives a copy of the server's certificate, it checks that the certificate was issued by a valid CA, then checks that the next certificate up the chain was also issued by a valid CA, and so on until it reaches a root certificate. If that root certificate is present in the device's Root Store, the device trusts the server's certificate.
Important: On Android, installing a root certificate means that any certificate issued by that entity will be automatically trusted by the Android device.
For this reason, AOSP has traditionally made it somewhat difficult to install root certificates on Android manually.
What are root certificates on Android?
A root certificate on Android is a certificate that has been fully trusted by the device. Any certificates signed by an entity that matches a certificate in the Android root store are automatically trusted.
Android's root certificates live in the directory /system/etc/security/cacerts on the read-only system partition.
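Each file in that directory is named after the certificate's subject, which is how Android (and OpenSSL's `-subject_hash_old`) locates a CA. The following added example, not code from the original article or from emteria, computes that file name from a DER-encoded certificate using only the standard library; the certificate it builds is a constructed, unsigned stand-in, and the name and OIDs in it are sample values.

```python
import hashlib
import struct

def der_read(buf, pos):
    """Parse one DER TLV at buf[pos]; return (tag, content, position after the TLV)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low bits give the byte count of the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_tlv(tag, content):
    """Encode one DER TLV; only used to build the constructed sample certificate."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def der_subject(cert_der):
    """Return the raw DER bytes of the subject Name of an X.509 certificate."""
    _, cert, _ = der_read(cert_der, 0)  # Certificate ::= SEQUENCE
    _, tbs, _ = der_read(cert, 0)       # tbsCertificate ::= SEQUENCE
    pos = 0
    tag, _, end = der_read(tbs, pos)
    if tag == 0xA0:                     # optional version [0] EXPLICIT
        pos = end
    for _ in range(5):  # serialNumber, signature, issuer, validity, subject
        start = pos
        _, _, pos = der_read(tbs, pos)
    return tbs[start:pos]               # the 5th field is the subject TLV

def android_cacert_filename(cert_der, index=0):
    """Android stores a trusted CA as <hash>.<index>: <hash> is OpenSSL's subject_hash_old
    (first 4 bytes of MD5 over the DER subject, little-endian); index grows on collisions."""
    digest = hashlib.md5(der_subject(cert_der), usedforsecurity=False).digest()
    return "%08x.%d" % (struct.unpack("<I", digest[:4])[0], index)

def build_sample_cert(cn):
    """Constructed, unsigned stand-in for a CA certificate (sample data, not a real CA)."""
    name = der_tlv(0x30, der_tlv(0x31, der_tlv(0x30, der_tlv(0x06, b"\x55\x04\x03")
                                                    + der_tlv(0x0C, cn.encode()))))
    alg = der_tlv(0x30, der_tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + der_tlv(0x05, b""))
    validity = der_tlv(0x30, der_tlv(0x17, b"240101000000Z") + der_tlv(0x17, b"340101000000Z"))
    tbs = der_tlv(0x30, der_tlv(0xA0, der_tlv(0x02, b"\x02")) + der_tlv(0x02, b"\x01")
                  + alg + name + validity + name + der_tlv(0x30, b""))  # empty SPKI placeholder
    return der_tlv(0x30, tbs + alg + der_tlv(0x03, b"\x00"))

if __name__ == "__main__":
    print(android_cacert_filename(build_sample_cert("Example Corp Root CA")))
```

For a real CA, convert it with `openssl x509 -in ca.pem -outform DER -out ca.der` and feed the bytes to `android_cacert_filename`; the result is the file name to look for under /system/etc/security/cacerts, and `openssl x509 -in ca.pem -noout -subject_hash_old` should print the same hash.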
Viewing the installed root certificates on Android depends on the Android version you're using. Generally, the procedure is as follows:
This will show you a list of installed root certificates on Android for your specific device.
Image: List of installed root certificates on Android | Source: Android Phone / Screenshot
Installing a root certificate on Android that doesn't come from a trusted CA can open the door to malware. But sometimes you need to install root CA certificates on Android for testing purposes.
The steps to install a root certificate on Android depend on the version of Android you're using.
After downloading the certificate you want to install, navigate to "Encryption and Credentials," then click on "Install a certificate."
Click "CA Certificate." Google shows the following ominous warning:
Image: Warning when installing root certificates on Android | Source: Android Phone / Screenshot
Click "Install anyway," navigate to where you saved the certificate, and select it.
Installing a root certificate on Android this way puts it into the User certificate store instead of the System certificate store. To install root certificates into the System store, you need to root your device.
Before Android 14, it was impossible to update root certificates on Android without an Over-the-Air software update. This poses a risk for users, because they have to wait for the OEM to push an update before any root certificates that might be expiring can be replaced.
It's rare that a CA loses its esteemed position of trust, but it can happen, such as when TrustCor was found to have corporate ties to several spyware companies. In such a case, it's necessary to update trusted root certificates on Android.
As of Android 14, it's possible to update trusted root certificates on Android via Google Play, but this still doesn't answer how users can update root certificates themselves. Usually the only way to update certificates is by rooting the device.
The other problem, from an enterprise perspective, is that companies often use custom Android ROMs to build their products or power their IoT devices. These custom ROMs almost always lack Google Mobile Services, so they don't have the Google Play Store available, although they do tend to have root access. When managing larger fleets of devices, the manual effort to update all the certificates is tremendous.
Updating these certificates remotely would be ideal but is not available due to the missing GMS Certification.
It's not possible to delete system root certificates, but you can disable them in Settings -> Encryption and Credentials -> CA Certificates. Just toggle the On/Off switch to Off for Android to stop trusting that CA certificate.
emteria.OS provides a simple way to install, update, or delete root certificates remotely.
For devices running emteria.OS, an enterprise-ready version of Android, fleet managers can update root certificates using emteria's Device Hub. The Device Hub is a browser-based Android device manager that lets you remotely update IoT devices and also to fully manage root certificates.
Installing root certificates on Android through the emteria Device Hub means that you don't need to send personnel out to manually update devices. Fleet managers can update devices using simple commands through the browser-based Device Hub interface.
Contact us today to learn more about how emteria enables enterprises to easily manage remote devices. ⬇️