Android Nougat may contain traces of NOT for users of custom CAs

Google will sweeten the forthcoming Nougat release of Android by changing the way apps work with certificate authorities (CAs) and simplifying APIs.

The changes will affect only some apps and users, Android security team software engineer Chad Brubaker says .

The changes mean Google will not automatically trust user-selected CAs. Instead, all Android devices running Nougat and later versions of Android will run a standard set of Google-trusted AOSP certificate authorities, forcing some developers to change their apps if non-trusted certificate authorities are needed.

"Previously, the set of preinstalled CAs bundled with the system could vary from device to device," Brubaker says.

"This could lead to compatibility issues when some devices did not include certificate authorities that apps needed for connections as well as potential security issues if certificate authorities that did not meet our security requirements were included on some devices."

Developers can request that a certificate authority be included.

Trusted certificate authorities will be easier on Nougat thanks to the network security configuration tool that allows trust to be specified across an entire app or just for particular domains.

Google has also improved APIs used to customise trusted certificate authorities after developers borked the current mechanisms thanks to Java TLS APIs.

Nougat will have a new way for apps to interact with user and admin certificate authorities under which apps targeting API level 24 will not honour such certificate authorities unless apps opt in.

Brubaker says this is a safer default setting that will reduce application attack surfaces and encourage consistent handling of network and file-based application data. ®