Google Android 14 is expected to introduce an upgradeable root certificate mechanism

Root certificates are the core of the public key infrastructure (PKI) and must be signed by a trusted certificate authority (CA) to take effect. Both applications and browsers can update their root certificates, but on Android phones they can currently be updated only through OTA upgrades. That might change in the upcoming Android 14.

Each operating system has its own root certificates built in, and Android is no exception. You can view the root certificates on your Android phone by navigating to the “Security & Privacy” option in the Settings app.

The problem is that this root store is not a panacea. Applications can choose to use and trust their own root store (which Firefox does), and they can choose to accept only specific certificates (known as certificate pinning) to avoid man-in-the-middle (MITM) attacks. Since Android 7, users can also install their own certificates, and developers can choose to allow their apps to use these certificates.
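The app-level choices described above (pinning, and opting in to user-installed certificates) are expressed in Android's Network Security Configuration file. The following is an added example, not part of the original article; the domain, expiration date and pin values are placeholders.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml, referenced from the manifest via
     android:networkSecurityConfig="@xml/network_security_config" -->
<network-security-config>

    <!-- Default for all connections: trust only the system root store.
         This is what apps targeting Android 7 (API 24) and later get
         even without a config file. -->
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>

    <!-- Certificate pinning for one host (placeholder domain).
         A chain must validate against the trust anchors AND contain a
         key matching one of the pins. Ship a backup pin so a key
         rotation does not lock the app out. -->
    <domain-config>
        <domain includeSubdomains="true">api.example.com</domain>
        <pin-set expiration="2099-01-01"> <!-- placeholder date -->
            <pin digest="SHA-256">PLACEHOLDER_BASE64_SHA256_OF_PRIMARY_SPKI=</pin>
            <pin digest="SHA-256">PLACEHOLDER_BASE64_SHA256_OF_BACKUP_SPKI=</pin>
        </pin-set>
    </domain-config>

    <!-- User-installed CAs are trusted only in debuggable builds.
         Putting src="user" in base-config instead would let any CA
         the user installs intercept the app's release traffic. -->
    <debug-overrides>
        <trust-anchors>
            <certificates src="user" />
        </trust-anchors>
    </debug-overrides>

</network-security-config>
```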

Conscrypt, a Mainline module providing a TLS implementation for Android, will support updatable root certificates in a future update, according to a new proposal on AOSP Gerrit. This means that certificates can be removed (or even added) via Project Mainline’s Google Play system update, allowing a faster response if other situations (such as TrustCor) occur in the future.

Once this feature is introduced, Google can update root certificates promptly, making devices more secure without relying on OEM manufacturers to push the update.