Google Online Security Blog: Changes to Trusted Certificate Authorities in Android Nougat

Security Blog

The latest news and insights from Google on security and safety on the Internet

Changes to Trusted Certificate Authorities in Android Nougat

July 8, 2016

Posted by Chad Brubaker, Android Security team[Cross-posted from the Android Developers Blog]

Safe and easy APIs to trust custom CAs.

Apps that target API Level 24 and above no longer trust user or admin-added CAs for secure connections, by default.

All devices running Android Nougat offer the same standardized set of system CAs—no device-specific customizations.

Safe and easy APIsimproved the APIs User-added CAs Customizing trusted CAsthe full documentation Trusting custom CAs for debugging<network-security-config> <debug-overrides> <trust-anchors>  <certificates src="user" /> </trust-anchors> </domain-config> </network-security-config> Trusting custom CAs for a domain<network-security-config> <domain-config> <domain includeSubdomains="true">internal.example.com</domain> <trust-anchors>  <certificates src="@raw/cas" /> </trust-anchors> </domain-config> </network-security-config> Trusting user-added CAs for some domains<network-security-config> <domain-config> <domain includeSubdomains="true">userCaDomain.com</domain> <domain includeSubdomains="true">otherUserCaDomain.com</domain> <trust-anchors>  <certificates src="system" />  <certificates src="user" /> </trust-anchors> </domain-config> </network-security-config> Trusting user-added CAs for all domains except some<network-security-config> <base-config> <trust-anchors>  <certificates src="system" />  <certificates src="user" /> </trust-anchors> </base-config> <domain-config> <domain includeSubdomains="true">sensitive.example.com</domain> <trust-anchors>  <certificates src="system" /> <trust-anchors> </domain-config> </network-security-config> Trusting user-added CAs for all secure connections<network-security-config> <base-config> <trust-anchors>  <certificates src="system" />  <certificates src="user" /> </trust-anchors> </base-config> </network-security-config> Standardized set of system-trusted CAsAOSP What if I have a CA I believe should be included on Android?onlyCustomizing trusted CAsMozilla CA Inclusion Processfeature request