Google Updates CA Trust Mechanisms in Android Nougat

Google last week announced changes in the way it will handle trusted Certificate Authorities in Nougat, the latest version of the Android operating system.

Google last week announced changes in the way it will handle trusted Certificate Authorities in Nougat, the latest version of the Android operating system. The changes are expected to cut into the likelihood of a successful man-in-the-middle attack, or a device falling victim to an attacker-supplied custom certificate.

This also takes a bit of pressure off mobile app developers who may inadvertently introduce trouble by turning off TLS certificate verification, for example. Chad Brubaker of the Android Security Team said Google has always allowed developers to customize which CAs are trusted by apps, but mistakes happen and Google believes that complex Java TLS APIs are to blame, thus the update to simplify how developers can customize trust.

Google has also implemented another change in which apps at API Level 24 will no longer honor user- and admin-supplied CAs unless the developer opts-in.

“This safe-by-default setting reduces application attack surface and encourages consistent handling of network- and file-based application data,” Brubaker wrote.

The final noteworthy change allows developers to specify how apps trust CAs, for example, trusting only connections to certain domains as needed.

Adam Goodman, Principal Security Architect at Duo Security, said that narrowing down the criteria apps use to trust server certificates is certificate pinning, but Google’s APIs in the past were error prone and simple mistakes could impact app security greatly.

“It is very encouraging that Google is taking steps to address this,” Goodman said. “However, the bigger issue is that many app developers may still turn off TLS certificate verification entirely, meaning that their apps simply will trust any server, including that of an evildoer performing a man-in-the-middle attack.

“This type of mistake is often made during app development – e.g. if developers don’t have access to a proper trusted certificate – so again, that Google is providing mechanisms for different trust configuration between debug and release app versions might help a bit,” Goodman said. “That said, the strategy Apple has taken with App Transport Security (where they’ve stated that, by the end of 2016, they will reject all apps that don’t meet certain baseline criteria in their use of TLS, particularly for HTTPS) seems quite a bit more robust.”

Man-in-the-middle attacks put attackers in position to sniff traffic and steal credentials, personal information or data that’s meant to stay secure, such as banking credentials. Cutting down on the trust given to custom user-supplied certificates is a key strategy to keep attackers off devices and data secure, said Andrew Blaich, Security Researcher at Lookout.

“This is a common approach that attackers and security researchers use to see what type of network traffic an app is sending and receiving. They basically install their own root CA certificate that allows the connection to continue and appear trusted by any apps that are trusting the system trust store,” Blaich said.

“This means all traffic can be intercepted and viewed/manipulated by the owner of the root CA, which means any sensitive data like usernames, passwords, confidential documents are readable by the server presenting the certificate to the device,” Blaich explained. “Many organizations will also install their own certificate on a device when you enroll in the company’s device management solution. This means any traffic you send over the corporate VPN could be intercepted and decrypted. Attackers will also attempt to install root CAs via malicious device profiles and phishing links.”

Blaich said it’s rare to find apps that do certificate pinning properly, if at all, and applauds Google’s changes to make this process simpler for developers.

“The changes in Android Nougat regarding protecting data in transit are a huge step forward for the industry that has mostly just accepted that these attacks are trivially pulled off,” he said. “Most developers will have more comfort in knowing their traffic by default is protected with apps that are developed for Android Nougat and beyond.”

Suggested articles