Android 7.0 phones may have SSL Certificate issues starting January 2021

ssfc72:
From the Android Police article.

"The only workaround for legacy Android devices is to install the Firefox browser, which uses its own certificate store that includes the ISRG root. However, this doesn't prevent applications and other functions outside the browser from breaking."

Jason:

--- Quote from: ssfc72 on November 11, 2020, 03:15:24 am ---From the Android Police article.

"The only workaround for legacy Android devices is to install the Firefox browser, which uses its own certificate store that includes the ISRG root. However, this doesn't prevent applications and other functions outside the browser from breaking."

--- End quote ---

I know what the article said. I acknowledged that possibility when I said:


--- Quote ---It shouldn't affect any other apps except if an app uses a built-in web browser that will rely on the OS.
--- End quote ---

From what I understand CA digital signatures (certificates) are used for the web. So I thought originally that it would only affect web applications but I read that it can also affect email. So I'll fix the quote above.

Note that Android developers don't typically create apps entirely from scratch; they use Android libraries to do specified tasks and then build interfaces and extra features on top of that. So any apps that use these libraries with the old certificates will be affected.

You can fix the issue with direct web browsing by just using Firefox. But if an app uses the Android library associated with web browsing then the app that uses it will generate a warning. Same with email.

A workaround for this is that when the warning pops up, you just go ahead and use the app anyway. It'd be like when you visit a website that doesn't have an SSL certificate. You can still skip past it. If you're just reading a website or don't care about someone spying on your password, it won't matter. But if you're using an email app, probably not a good idea.

Google may not want its own apps to stop working (e.g. Gmail and Chrome), so they may add the newer certificates, but who knows? Webservers may be able to get SSL certificates that allow for the older protocol.

Jason:
In conclusion, I'm not saying that some apps might not work or lose some functionality. I'm saying that this is probably limited to the few apps that use the web or email. And even then you can skip past the warning, assuming the developer thought of this contingency. I doubt the apps would break entirely but we'll see.

Jason:
Oh sheesh, I just found this website. You can import the new certificate if your Android version is <7.0 unless the app developer chooses to not allow user certificates. The webpage tells you how to do it.


Update: I made a typo in a sentence above that changes the meaning of the sentence. I've corrected it by adding the bolded word above.

ssfc72:
Good to know! Thanks Jason.
