{
	"id": "f7ec4313-d59f-45ad-9a14-12c20bfd10c4",
	"created_at": "2026-04-06T00:21:39.165339Z",
	"updated_at": "2026-04-10T03:24:29.377787Z",
	"deleted_at": null,
	"sha1_hash": "34f8e95c5235fd0dfc5bea340c8483f3050f341f",
	"title": "Changes to Trusted Certificate Authorities in Android Nougat",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 58026,
	"plain_text": "Changes to Trusted Certificate Authorities in Android Nougat\r\nArchived: 2026-04-05 21:57:09 UTC\r\nPosted by Chad Brubaker, Android Security team\r\nIn Android Nougat, we’ve changed how Android handles trusted certificate authorities (CAs) to provide safer\r\ndefaults for secure app traffic. Most apps and users should not be affected by these changes or need to take any\r\naction. The changes include:\r\nSafe and easy APIs to trust custom CAs.\r\nApps that target API Level 24 and above no longer trust user or admin-added CAs for secure connections,\r\nby default.\r\nAll devices running Android Nougat offer the same standardized set of system CAs—no device-specific\r\ncustomizations.\r\nFor more details on these changes and what to do if you’re affected by them, read on.\r\nSafe and easy APIs\r\nApps have always been able customize which certificate authorities they trust. However, we saw apps making\r\nmistakes due to the complexities of the Java TLS APIs. To address this we improved the APIs for customizing\r\ntrust.\r\nUser-added CAs\r\nProtection of all application data is a key goal of the Android application sandbox. Android Nougat changes how\r\napplications interact with user- and admin-supplied CAs. By default, apps that target API level 24 will—by design\r\n—not honor such CAs unless the app explicitly opts in. This safe-by-default setting reduces application attack\r\nsurface and encourages consistent handling of network and file-based application data.\r\nCustomizing trusted CAs\r\nCustomizing the CAs your app trusts on Android Nougat is easy using the Network Security Config. Trust can be\r\nspecified across the whole app or only for connections to certain domains, as needed. Below are some examples\r\nfor trusting a custom or user-added CA, in addition to the system CAs. 
For more examples and details, see the full\r\ndocumentation.\r\nTrusting custom CAs for debugging\r\nTo allow your app to trust custom CAs only for local debugging, include something like this in your Network\r\nSecurity Config. The CAs will only be trusted while your app is marked as debuggable.\r\nhttps://android-developers.googleblog.com/2016/07/changes-to-trusted-certificate.html\r\nPage 1 of 4\n\nTrusting custom CAs for a domain\nTo allow your app to trust custom CAs for a specific domain, include something like this in your Network\nSecurity Config.\ninternal.example.com\nTrusting user-added CAs for some domains\nTo allow your app to trust user-added CAs for multiple domains, include something like this in your Network\nSecurity Config.\nuserCaDomain.com\notherUserCaDomain.com\nTrusting user-added CAs for all domains except some\nTo allow your app to trust user-added CAs for all domains, except for those specified, include something like this\nin your Network Security Config.\nsensitive.example.com\nTrusting user-added CAs for all secure connections\nTo allow your app to trust user-added CAs for all secure connections, add this in your Network Security Config.\nStandardized set of system-trusted CAs\nTo provide a more consistent and more secure experience across the Android ecosystem, beginning with Android\nNougat, compatible devices trust only the standardized system CAs maintained in AOSP.\nPreviously, the set of preinstalled CAs bundled with the system could vary from device to device. 
This could lead\nto compatibility issues when some devices did not include CAs that apps needed for connections as well as\npotential security issues if CAs that did not meet our security requirements were included on some devices.\r\nWhat if I have a CA I believe should be included on Android?\r\nFirst, be sure that your CA needs to be included in the system. The preinstalled CAs are only for CAs that meet\r\nour security requirements because they affect the secure connections of most apps on the device. If you need to\r\nadd a CA for connecting to hosts that use that CA, you should instead customize your apps and services that\r\nconnect to those hosts. For more information, see the Customizing trusted CAs section above.\r\nIf you operate a CA that you believe should be included in Android, first complete the Mozilla CA Inclusion\r\nProcess and then file a feature request against Android to have the CA added to the standardized set of system\r\nCAs.\r\nSource: https://android-developers.googleblog.com/2016/07/changes-to-trusted-certificate.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://android-developers.googleblog.com/2016/07/changes-to-trusted-certificate.html"
	],
	"report_names": [
		"changes-to-trusted-certificate.html"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434899,
	"ts_updated_at": 1775791469,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/34f8e95c5235fd0dfc5bea340c8483f3050f341f.pdf",
		"text": "https://archive.orkl.eu/34f8e95c5235fd0dfc5bea340c8483f3050f341f.txt",
		"img": "https://archive.orkl.eu/34f8e95c5235fd0dfc5bea340c8483f3050f341f.jpg"
	}
}