Android 14 Prevents Users from Modifying System Certificates, Even with Root Access
Developers of HTTP Toolkit, an open-source tool for inspecting HTTPS traffic, have highlighted a significant change in how certificate authority (CA) certificates are updated in the upcoming Android 14 release. System certificates will no longer be tied to the device firmware; instead, they will be delivered as a separate package, updated through Google Play.
This new approach will make it easier to keep certificates up to date and to remove certificates from compromised certificate authorities. It will also prevent device manufacturers from manipulating the list of root certificates and make the update process independent of firmware updates. However, this method will also stop users from modifying system certificates, even if they have root access and full control over the firmware.
Previously, certificates were stored in the /system/etc/security/cacerts directory. In Android 14, they are loaded from /apex/com.android.conscrypt/cacerts, which is located in a separate APEX (Android Pony EXpress) container. The contents of this container are delivered via Google Play, and their integrity is verified with Google's digital signature. As a result, even with full root access, users cannot change the list of system certificates without modifying the platform itself.
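As an added example, not taken from the article or from HTTP Toolkit, the POSIX shell script below checks which of the two stores a device tree actually uses and how many certificate files it holds. It can be pointed at "/" from a device shell or at an extracted firmware image; without an argument it builds constructed sample trees in a temporary directory so it runs offline. It assumes that a populated /apex/com.android.conscrypt/cacerts directory takes precedence over the legacy /system path; the page does not describe Conscrypt's exact selection logic, so that precedence rule and the hash-style file names (deadbeef.0, cafebabe.0) are assumptions and constructed data, respectively.

```shell
#!/bin/sh
# Added example (not from the original article): report which system CA store
# an Android filesystem tree uses, mirroring the two paths named in the text.
APEX_CACERTS="/apex/com.android.conscrypt/cacerts"
LEGACY_CACERTS="/system/etc/security/cacerts"

# ca_store_path ROOT: print the directory holding the system CA certificates.
# Assumption: a populated APEX cacerts directory wins (Android 14+); otherwise
# the legacy /system location is in use. Returns 1 if neither exists.
ca_store_path() {
  root="${1%/}"
  if [ -d "$root$APEX_CACERTS" ] && [ -n "$(ls -A "$root$APEX_CACERTS" 2>/dev/null)" ]; then
    printf '%s\n' "$APEX_CACERTS"
  elif [ -d "$root$LEGACY_CACERTS" ]; then
    printf '%s\n' "$LEGACY_CACERTS"
  else
    return 1
  fi
}

# count_ca_certs ROOT: number of certificate files in the active store.
# Android names them by OpenSSL subject hash with a numeric suffix (e.g. 5ed36f99.0).
count_ca_certs() {
  root="${1%/}"
  dir="$(ca_store_path "$root")" || { printf '0\n'; return 1; }
  find "$root$dir" -maxdepth 1 -type f -name '*.[0-9]' | wc -l | tr -d ' '
}

# store_is_apex ROOT: exit 0 when certificates are served from the APEX container,
# i.e. when root access alone no longer lets the user edit the list.
store_is_apex() {
  [ "$(ca_store_path "$1")" = "$APEX_CACERTS" ]
}

# make_demo_tree ROOT LAYOUT: build a constructed tree of empty files for offline
# testing. "apex" mimics an Android 14 layout, "legacy" an earlier release.
# The file names are constructed sample values, not real certificate hashes.
make_demo_tree() {
  root="${1%/}"
  case "$2" in
    apex)
      mkdir -p "$root$APEX_CACERTS" "$root$LEGACY_CACERTS"
      : > "$root$APEX_CACERTS/deadbeef.0"
      : > "$root$APEX_CACERTS/cafebabe.0"
      ;;
    legacy)
      mkdir -p "$root$LEGACY_CACERTS"
      : > "$root$LEGACY_CACERTS/deadbeef.0"
      ;;
  esac
}

# Stand-alone use: pass a real root ("/" on a device, or an extracted image) as
# the first argument; with no argument, inspect the constructed demo trees.
if [ -n "$1" ]; then
  printf 'store: %s (%s certs)\n' "$(ca_store_path "$1")" "$(count_ca_certs "$1")"
else
  demo="$(mktemp -d)"
  make_demo_tree "$demo/a14" apex
  make_demo_tree "$demo/a13" legacy
  printf 'a14 -> %s (%s certs)\n' "$(ca_store_path "$demo/a14")" "$(count_ca_certs "$demo/a14")"
  printf 'a13 -> %s (%s certs)\n' "$(ca_store_path "$demo/a13")" "$(count_ca_certs "$demo/a13")"
  rm -rf "$demo"
fi
```

The empty-directory check in ca_store_path matters on devices where the APEX mount point exists but has not been populated; treating such a directory as authoritative would wrongly report an empty trust store.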
This new certificate storage scheme may create challenges for developers involved in reverse engineering, traffic inspection, or firmware research. It could also complicate the development of alternative Android-based firmware projects, such as GrapheneOS and LineageOS.
What Does This Change Affect?
- The change only applies to system CA certificates, which are used by default in all apps on the device.
- User certificates and the ability to add extra certificates for individual apps (such as browsers) are not affected.
It's important to note that this issue is not limited to the certificate package. As more system functionality is moved into separately updated APEX packages, the number of system components that users cannot control or modify will increase, regardless of whether they have root access to the device.