What is the Android Trusted Credentials Store?

Similar to Windows and macOS, Android devices need a system in place in order to determine if a certificate issued by a particular Certificate Authority (CA) is trusted. How does a device decide that a certificate is trusted?

When a device is made, it is configured with trusted “root” certificates that are stored in individual files. These files are stored on the device in what is called the trusted root certificate store.

Did you know that 98% of mobile malware targets Android devices?

With this in mind, it’s especially important for Android users to have a strong defense against cybercriminals.

SecureW2’s JoinNow package can install trusted CA certificates to Android devices with ease and efficiency. JoinNow works natively with the supplicants installed in all versions of Android, in all device types, and from all manufacturers. Check out what one of our customers struggling with Android device onboarding said here.

In Android devices, there is an option giving you the ability to install an enrolled certificate to the Trusted Store. But what exactly is the Trusted Store, and is it safe to manually add to it?


What is a Certificate Authority?

Certificate authorities are entities that issue secure certificates that verify the identity of web servers, individuals’ devices, RADIUS servers, etc. When you access a web server over a secure connection (such as HTTPS) the identity of the server needs to be verified. This is done by your device checking that the website you are attempting to access has an active certificate that has been signed by a trustworthy CA.

For example, if you wanted to check your savings account, you could go to www.bankofamerica.com. A CA would issue a certificate that assures that they have checked that the certificate holder is the actual owner of the domain “www.bankofamerica.com.” You can safely do your banking knowing your information is only being sent to the correct source.


The Purpose of Trusted Certificates

Most devices and browsers come with a predefined set of trusted certificate authorities. When you encounter a certificate that has been signed by a certificate authority on the list, your device will trust that certificate.

If your device encounters a certificate signed by an untrusted CA, you will most likely be alerted with a warning. This warning means that the site’s identity could not be properly verified by a trusted authority, and therefore you should proceed with caution.

In cases where a certificate authority is later found to be untrustworthy or its systems have been broken into, you may remove it from this list.


When Should I Modify This List?

Normally, there should never be a reason to modify the list yourself. If a trusted certificate authority is ever revealed to be compromised, news tends to spread fast. Consider the fact that these CAs are the cornerstone of trust that the internet relies on for authentication; if a CA is no longer trustworthy, it is a big deal.

In 2011, a CA named DigiNotar was compromised and hundreds of phony certificates were issued for Google and other domains. The Google certificate was subsequently used by unknown persons in Iran to conduct a man-in-the-middle attack against Google services.

DigiNotar avoided informing anyone of the incident for more than a month and was unable to produce a complete list of fraudulent certificates. When Mozilla, WordPress, Yahoo, and other corporations found out, they blacklisted the company and DigiNotar was bankrupt within weeks.


What Is The User Certificates Section?

The user tab in your Android contains a list of trusted certificate authorities that you have installed on your device.

The most common use case for this feature is in a private network environment. In this situation, the user needs to make a secure connection to a corporate or university server and needs to verify its authenticity with a certificate signed by an internal server.

The network may direct you to manually install them as a trusted certificate authority, or make it easy for you by using a 3rd party to install the application.


The Solution For Onboarding Android To WPA2 Networks

We can help eliminate the common challenges of WPA2-Enterprise and 802.1X network onboarding and allow you to easily leverage the security features of certificates and RADIUS server validation.

If you want to make security a priority without compromising efficiency, check out our pricing page to see if our solutions can help secure your network.


Key Takeaways:
  • Most devices and browsers come with a predefined set of trusted certificate authorities.
Learn about this author

Eytan Raphaely

Eytan Raphaely is a digital marketing professional with a true passion for writing things that he thinks are really funny, that other people think are mildly funny. Eytan is a graduate of University of Washington where he studied digital marketing. Eytan has diverse writing experience, including studios and marketing consulting companies, digital comedy media companies, and more.

Eytan Raphaely

What is the Android Trusted Credentials Store?