Allow automatically trusting user CA certificates in Android 11, for debugging & development purposes only [168169729]

Assigned

Feature Request

[AOSP] assigned

Status Update

No update yet.

Description

pi...@gmail.com

created issue #1

Sep 10, 2020 03:33PM

Android 11 removes the KeyChain.createInstallIntent() API, used by applications to prompt to install CA certificates. That's discussed in general here: https://issuetracker.google.com/issues/151858120.

I'm happy to accept that for general usage this API shouldn't be available for normal use, or should be extremely tightly restricted, and I'm not suggesting that this API come back in the previous form - protecting normal users from these risks is a very good idea!

I do think there's a legitimate developer/tester use case for user-trusted CA certificates though, and that the current process (a fiddly manual process through a long list of settings screens) is very inconvenient for those purposes.

Some example use cases I'm interested in:

Manually intercepting HTTPS traffic from Chrome, for debugging & mocking purposes. It's impossible to trust a CA certificate in Chrome itself, so the only option is to install it as a user certificate, which is now more difficult.
Automatically intercepting HTTPS from Chrome, as part of mobile automated testing suites. Similarly, this can't be done within Chrome, and it's very difficult to automate the Android 11 settings screens to set up a CA, with any setup that's reliable & fast enough for real-world use.
Intercepting HTTPS traffic from apps when a variety of CA certificates might be used for interception. E.g. when a team of developers are all using a debugging/mocking HTTPS proxy, each with its own unique CA certificate. To do this, it's most convenient to trust all user-installed certificates in the app debug config and then switch the user-trusted CA certificates on the device, via some setup automation.

To support these use cases, I'd like to suggest a small change to the existing restrictions: make it possible to add a CA certificate to the user certificate store via a shell command, runnable only from ADB.

This would make automated CA setup possible only for user devices with a debugger attached, and would be very convenient for automatically & easily enabling CA certificates for developer use.

I don't think this allows any significant new attacks, since these certificates could in theory be trusted already by manually sending input events through ADB (although doing so is fiddly right now, and doing so reliably for test automation yet more so).

There's a further case I'd love to have supported: developers tools on the device, which want to prompt to install a CA certificate for interception & debugging. That could be done by allowing such an API only when developer options are enabled (whilst retaining the previous security confirmations) but I imagine that's not an acceptable safeguard. I'd be very interested if there are any related suggestions that might allow that too though.

Thanks,

Tim

Comments

ja...@google.com <ja...@google.com> #2Sep 10, 2020 05:03PM

Assigned to ja...@google.com.

Are there many use cases for this? The current logic works fine with dark mode of platform, appcompat, and Compose.

wa...@vt.edu <wa...@vt.edu> #3Sep 11, 2020 03:12PM

When I was trying out integrating this with Now in Android, I ran into this issue since Now in Android currently doesn't inherit from AppCompatActivity and doesn't call AppCompatDelegate.setDefaultNightMode, so maybe the solution is instead to inherit from AppCompatActivity instead of just ComponentActivity to update the underlying configuration.

rc...@gmail.com <rc...@gmail.com> #4Sep 12, 2020 05:12PM

I just tested it with ComponentActivity. It's working fine for me. The scrim for 3-button nav and the icons are properly changed on light/dark mode switch. The extension function detect light/dark mode from resources.configuration.uiMode which is commonly used by the platform, AppCompat, and Compose, so I don't know why it doesn't work. Can I take a look at what you tried in Now in Android.

rc...@gmail.com <rc...@gmail.com> #5Oct 9, 2020 05:37PM

https://github.com/android/nowinandroid/tree/av/enable-edge-to-edge is the rough progress I made so far.

The theme switcher based on the user's preference within the app is handled separately from Configuration.uiMode and isn't updating the configuration directly, so I was attempting to call enableEdgeToEdge and manually specifying the dark and light themes.

The two options I see:

Allow a different way of specifying for enableEdgeToEdge whether the app is effectively in dark mode or light mode instead of that being based just on Configuration.uiMode (this issue)
Switch Now in Android to use AppCompatActivity and AppCompatDelegate.setDefaultNightMode so that the Configuration.uiMode is updated based on the user's preference

ki...@gmail.com <ki...@gmail.com> #6Dec 15, 2020 12:20AM

I see, so it has in-app light/dark setting.

On API 31+, apps with custom in-app light/dark settings should call UiModeManager.setApplicationNightMode to declare its theme to the system. This way, the system can use suitable colors duiring the splash screen. This should fix enableEdgeToEdge as well.

On API <31, it's easy if you can use AppCompatDelegate.setDefaultNightMode(int), but I can understand that you don't want to add appcompat dependency just for this.

So, custom mode is useful for apps that:

Provide in-app light/dark mode settings on API <31.
Don't want to depend on appcompat

I'm not sure if it's super common, but I guess the feature is worth implementing. I'll put it during the next alpha phase.

For Now in Android, I recommend you still call setApplicationNightMode on API 31+ regardless of enableEdgeToEdge. On API <31, just for the time being, you can either use the current e2e implementation, hide the setting, depend on appcompat, or just bear with the minor UI glitch. None of these are great, but I don't have a good solution now.

yz...@gmail.com <yz...@gmail.com> #7Feb 1, 2021 07:18AM

Project: platform/frameworks/support
Branch: androidx-main

commit 27e7d52e8604a080133e8b842db10c89b4482598
Author: Yuichi Araki <yaraki@google.com>
Date: Wed Apr 19 12:56:59 2023

Add SystemBarStyle.custom

Relnote: "Add an optional parameter `detectDarkMode` to SystemBarStyle.auto for detecting night mode by custom logic"
Test: androidx.activity.EdgeToEdgeTest.enableCustom
Bug: 278263793
Change-Id: I78322867ba3940939e137479383eca08efc9a2b6

M activity/activity/api/current.txt
M activity/activity/api/restricted_current.txt
M activity/activity/src/androidTest/java/androidx/activity/EdgeToEdgeTest.kt
M activity/activity/src/main/java/androidx/activity/EdgeToEdge.kt
M activity/integration-tests/testapp/src/main/java/androidx/activity/integration/testapp/EdgeToEdgeActivity.kt
M activity/integration-tests/testapp/src/main/res/layout/edge_to_edge_activity.xml

https://android-review.googlesource.com/2546393

bi...@gmail.com <bi...@gmail.com> #8
Restricted
Feb 15, 2021 06:52AM

Learn More

ch...@gmail.com <ch...@gmail.com> #9Feb 21, 2021 04:41AM

Any updates on this issue?

pd...@gmail.com <pd...@gmail.com> #10Mar 13, 2021 02:34AM

How are we supposed to enroll thousands of BYOD devices in our School District network without using Android onboarding apps on Google App Store that would install WLAN certificate to trust?

This makes no sense and makes the new Android 11 unusable on large WLAN networks with 10k of devices which use a certificate that needs to be trusted.

We would appreciate it that at least if there would a kind of API key provided by

developers.google.com upon registration of the Enrollment app we upload to Google App Store. So the API could be used upon validation of that API key. This could even be a paid service for the Apps developers.

ja...@google.com <ja...@google.com> #11Mar 15, 2021 05:23PM

Thank you for reporting this issue. We just need a few things for us to further investigate this issue:

Please fill out each question and comment, thank you.

Have you observed this bug on Pixel devices as well?
Android Build Version (go to Settings > About Device > Build Number (hold down to copy))
Android Device Model:
Capture the issue in a screen recording (desktop and/or phone capture) to show an example of the issue.
Upload the full bug report file after the issue has occurred. Steps followed here: https://developer.android.com/studio/debug/bug-report
Please provide a simple sample project (exported zip Android Studio file) that reproduces the issue. This gives us the closest test environment to yours and allows us to inspect the code/structure used which will help analyze your issue.
Steps to reproduce issue specific to the provided sample project, including steps steps to reproduce with test certificates etc... [Be as specific as possible]
- 1
- 2
- 3
Expected Results:
Observed Results:

Note: Please upload to google drive and share the folder to android-bugreport@google.com, then share the link here.

The more information we have, the more accurately our product and engineering team can solve the issue. Thank you so much for your time and for your cooperation.

jo...@gmail.com <jo...@gmail.com> #12Mar 15, 2021 05:58PM

It seems to me that you are rather looking for an excuse to close this issue rather than try to fix it. KeyChain.createInstallIntent() has been pulled, but has legit use cases. The scope of use is narrow, thus the posed resolution of add an adb command to import a certificate.

pi...@gmail.com <pi...@gmail.com> #13Mar 15, 2021 06:05PM

This isn't a bug - it's an essential but missing feature. It's an issue on all Android 11+ devices, including Pixel devices, and all Google Play Android emulators.

It's not possible to make a screen recording, upload a bug report, or provide a sample or repro steps, because the functionality doesn't exist. The previous KeyChain.createInstallIntent() did provide similar functionality, but that's been removed (for good reasons).

In general, these security restrictions are good for normal users, but I think there is a strong argument that Android developers should still able to automatically configure user CA certificates on their own devices. Providing this capability via ADB only seems like a sensible way to expose that functionality only to developers. There's clearly a lot of support for this, as you can see from the other comments and stars here.

It looks like there are simple ways to implement this, if there is the appetite. For example, you could create a tiny on-device command runnable only by ADB which takes a path to a certificate and sends a certificate install intent with that path to CertInstaller (just like the settings do and as some apps used to do pre-Android 11), and then change CertInstaller to accept such intents from that command (or from the ADB user in general). That would be sufficient.

Right now CertInstaller is capable of automatically installing certificates, but it limits who can send the intents to do so, so that it's only possible from the Settings app. The specific CertInstaller lines that currently limit this access are here:

ja...@google.com <ja...@google.com> #14Mar 17, 2021 07:22PM

Great update. Thanks. The product and engineering teams have been updated.

sa...@google.com <sa...@google.com> Mar 25, 2021 07:44AM

Reassigned to vi...@google.com.

ay...@gmail.com <ay...@gmail.com> #15May 8, 2021 01:02PM

Why limit this to only user certificates? There is an important and legitimate use-case when a person would need to install a certificate to the system CA store. Security researchers need to be able to inspect Android apps traffic. Currently, the only way to do this is to use a rooted device which is hardly an acceptable way. Since this is a system CA store that, in theory, shouldn't be modified, I suggest providing an option that will install the certificate temporarily. For instance, until the device reboot.

da...@gmail.com <da...@gmail.com> #16May 27, 2021 05:21AM

It is acceptable to prevent users from installing certificates If they do not READ AND ACKNOWLEDGE BIG SCARY WARNINGS ⚠️

It is not acceptable to prevent legitimate developers from installing CA certs, at least at the user store level, with sufficient trust to achieve their limited scope usage cases.

We can develop things; like for example your key icon for VPNs; to inform users that custom certificates are in use. Perhaps a secondary icon like a certificate with a key overlay on it.

While I think ADB can possibly be a vector of attack; I also believe it is protected now by modern RSA Fingerprint verification and appropriate SCARY WARNING ⚠️ dialogues to prevent casual exploitation.

It shouldn't be the mission of Android OSP to prevent social engineering attacks; only make them difficult enough by informing the end user of what they are doing. It isn't your fault if people choose to ignore prominent warning signs.

If we can't trust the current iteration of ADB security then we need to up it more; and that may even mean we start forcing users of ADB to generate and install debug bridge certificates in full to make them acknowledge the BIG SCARY WARNING ⚠️ at least once.

br...@gmail.com <br...@gmail.com> #17Jun 25, 2021 08:39AM

Any update on this issue?

si...@gmail.com <si...@gmail.com> #18Jul 13, 2021 01:26PM

Any update on this issue?

mr...@gmail.com <mr...@gmail.com> #19Jul 24, 2021 10:33PM

Agreed, Android needs this.

fs...@gmail.com <fs...@gmail.com> #20Aug 20, 2021 03:27PM

The RootCA is going from an impossible to an insane situation now.
I completely understand the reasoning for making it difficult to install so the end-user can't be tricked. There is no way to use an Android device in an enterprise or schools environment with content filtering that requires trusting a RootCA, and even Apple has not gone so far as to make it impossible to install one.
Please fix this and provide a sane way for developers, companies, and schools to install RootCA! All system rootCAs are few selected and self-signed at the roots; you decide to trust for us; enable us to do the same for RootCA we choose to trust.

jo...@gmail.com <jo...@gmail.com> #21Sep 23, 2021 11:09AM

I totally agree upon removing the "Don't check/validate certicate" option under Wi-Fi settings. BUT.

Googles decision to remove the possibility to install certificates via apps (via API) has led to HUGE onboarding problems for eduroam users (millions of students, professors and staff across the world), since the onboarding apps no longer can install Wi-Fi certificates. Apps like the official "eduroam CAT" and "SecureW2 JoinNow" are rendered useless. These devices are BOYD and can't be managed through MDM's.
A clear information text (not a scary warning!) showing the user what it means to install a Wi-Fi certificat, should be enough.

Also, installing the certificate manually does not work on a lot of models that runs Android 11 (certificate is shown but can't be installed, it's greyed out on Sony Xperia, Oppo, OnePlus Nord).
Works fine on Samsung Galaxy.

In the end, this has just led to less security for the average user, since the users will now try to connect to any open WIFI network instead of a trusted one (EAP-TLS... or EAP-TTLS etc, that actually verifies that the RADIUS server is legit, before sending credentials).

eh...@gmail.com <eh...@gmail.com> #22Oct 21, 2021 02:06PM

Any update on this issue?

sa...@gmail.com <sa...@gmail.com> #23Oct 24, 2021 05:56AM

I'm not by any means someone that understands the operations oh an android and what certificates should be installed but I'm just going to go out on a limb here and ask anyway. Why is it necessary for hong kong or the government or Hellenistic research Chicago times and many others that appear to me to be newspapers and journalist and things of this nature and why would one android be any different than the next? My trustee certificates don't seem trusting to me maybe I'm wrong but it explains why I keep seeing my content and drafts or published content on medium is being stolen as fast as I write them. I'm sorry but it brand my head to see someone else benefiting from something I wrote or my son wrote and not even get credit or acknowledged and definitely not being paid. Seeing that this is an encrypted way of messaging nah and forth whose to say it's not being used to send you data to several other places all day every day of all of our content because it's a way we wouldn't realize and they could take ownership of an of our ideas,our conversation all bring sent to huge manufacturing companies that want to continue to monopolize every thing as a joint venture Microsoft, Facebook, Instagram,utube, ask the big dogs anyway have cornered the market and taken humans and successfully brainwashed most of us and we're not paying attention to what's really happening here. Smh what do I do?

da...@gmail.com <da...@gmail.com> #24Oct 24, 2021 06:47PM

Comment #23

reads a little bit like a GPT2 or GPT3 like robot reply, in
that it makes little sense at all.

I apologize to that commenter in advance if English just isn't their
primary language; but I could not understand a word of what it was trying
to say or imply.

On Sun, Oct 24, 2021, 12:56 AM <buganizer-system@google.com> wrote:

- Show quoted text -

sr...@gmail.com <sr...@gmail.com> #25Nov 7, 2021 03:37PM

Great article with sovereign securities and global stability implications. Indeed this is a most significant inherent, built-in vulnerability unnecessarily exploitative hidden from most and under appreciated to countless others already aware of this mechanism's existence embedded in our devices.

Commentary FYI: Admist a global pandemic as the United States and allied nations in Europe, Australia, and around the world grapple with increasingly more consequential cyber challenges, we individual citizens also struggle against the onslaught of micro-targeted dynamics of the same.

Europe (EC) has thankfully codified measures for individual protections and industry accountability to profit-first configurations on core ubiquitous consumer technologies, the US except California hasn't yet placed national security and its people above its more self-serving political class dynamics.

The issue of what de facto "trust relations" ride along with every purchase of smartphone, computer, TV, and home network and security components should and MUST be elevated highest priority for us all BOTH organizational institutions and citizen. This embedded hidden list -- unknown to most important of Trusted Root Certificate authentication spanning globally a RANGE OF Sovereign Nations and privacy-mining, corporate, comercial interests -- would concern any conscientious. organization or individual person.

Manually determining dependencies of each preloaded de facto "Trusted Authorization" to important services and aupplications for each of our devices has so far been a daunting, evolutionary endeavor.

da...@gmail.com <da...@gmail.com> #26Nov 7, 2021 04:07PM

Looks like both

comment #23

and #25 are really just robot-like. Neither of
those comments appear to be properly ontopic or related to this bug
directly.

Could we possibly get a google maintainer to examine this pair of comments
and consider closing the thread to combat further spam?

On Sun, Nov 7, 2021, 9:37 AM <buganizer-system@google.com> wrote:

- Show quoted text -

br...@gmail.com <br...@gmail.com> #27Nov 7, 2021 08:56PM

This had been assigned to someone on Mar 25, 2021 06:44PM, can we expect an update any time soon?

ch...@gmail.com <ch...@gmail.com> #28Nov 24, 2021 05:37PM

Any updates here?

co...@gmail.com <co...@gmail.com> #29Jan 4, 2022 04:02PM

It's a debacle how google decides the choice of users as if they are the real owner and forces them to root their phone with things like this.

Thanks to those educated Ph.D. google devs who forced users to root phones and increased their security.

tv...@gmail.com <tv...@gmail.com> #30Jan 23, 2022 07:47PM

Any update on this issue?

np...@gmail.com <np...@gmail.com> #31Jan 24, 2022 08:48PM

any update on this request. Why Android is making it more difficult for developers to intercept the HTTP traffic and debug the errors. Moving to iOS which still support installing trusted certificate so that its easy to intercept the traffic in burp etc.

cn...@gmail.com <cn...@gmail.com> #32Jan 27, 2022 06:42PM

we need to install CA certificate

si...@gmail.com <si...@gmail.com> #33Jan 27, 2022 06:50PM

my company has no idea what wifi certificate is ... i see it tough ... i'm seriously thinking about replacing my pixel 6 pro ... as it's a really immature phone

tt...@gmail.com <tt...@gmail.com> #34Feb 9, 2022 09:29AM

It's been 1.5years since this issue is raised. Feeling very bad to not have a solution on this. Anyone have workaround ideas? Any one handled this in their work ? Please let me know, This is effecting lot of users.

sh...@googlemail.com <sh...@googlemail.com> #35Feb 9, 2022 02:04PM

To all with this issue. A workaround I found was entering my companies domain when connection to the WiFi resolved this.

su...@gmail.com <su...@gmail.com> #36Mar 12, 2022 03:32AM

Any update on this issue?

br...@gmail.com <br...@gmail.com> #37Mar 22, 2022 10:23PM

Any updates? We need this

bl...@gmail.com <bl...@gmail.com> #38Apr 1, 2022 11:18AM

#38

ah...@gmail.com <ah...@gmail.com> #39Apr 3, 2022 03:36PM

אשמח אם תאשרו שיהיה אפשר להשתמש באישור לא מוכר

‫בתאריך יום ו׳, 1 באפר׳ 2022 ב-14:18 מאת <‪buganizer-system@google.com‬‏>:‬

- Show quoted text -

nu...@gmail.com <nu...@gmail.com> #40Apr 3, 2022 05:02PM

Gey

ในวันที่ อา. 20 มี.ค. 2022 04:41 น. <buganizer-system@google.com> เขียนว่า:

- Show quoted text -

nu...@gmail.com <nu...@gmail.com> #41Apr 3, 2022 05:02PM

Refer

ในวันที่ อา. 20 มี.ค. 2022 04:41 น. <buganizer-system@google.com> เขียนว่า:

- Show quoted text -

fl...@simplifier.io <fl...@simplifier.io> #42Apr 5, 2022 12:53PM

Any update on this issue?

am...@gmail.com <am...@gmail.com> #43Apr 28, 2022 06:59AM

Any update on this issue? We really need this.

mo...@pitechniques.com <mo...@pitechniques.com> #44May 2, 2022 11:21AM

Any update on this issue?

re...@gmail.com <re...@gmail.com> #45May 2, 2022 05:35PM

Unsubscribing due to volume of "me too" style posts.

pi...@gmail.com <pi...@gmail.com> #46May 10, 2022 01:51PM

One new change makes this issue higher priority imo: Chrome 99+ on Android now appears to enforce certificate transparency on all certificates in the system store.

That's relevant because many of us have worked around this issue by rooting all the relevant devices, and installing system certificates instead (since that is easily automated, on rooted devices). Since these are system certificates, they're treated differently to installed user certificates for cert transparency purposes, but this workaround now makes Chrome unusable in these environments.

It would be very helpful to have an official path to automatically install user certificates for debugging & development, so we can stop messing around with the system store to work around this.

ro...@gmail.com <ro...@gmail.com> #47May 21, 2022 05:53PM

Excellent suggestion.
I work with a company that uses an Internal Certification Authority (CA).
It has been horrible to deal with our internal CA cause there are developers that do not allow Android User Certificate store, causing many App development and usability issues.

sh...@gmail.com <sh...@gmail.com> #48Jun 20, 2022 08:42AM

Comment has been deleted.

Message last modified on Jun 20, 2022 08:42AM

ca...@gmail.com <ca...@gmail.com> #49Jun 20, 2022 03:19PM

Please make this change. We have Intune MDM running (mostly BYOD, but we do have enterprise-owned devices as well) and need to deliver a CA cert for Always-On VPN. Luckily most users are on iPhones or Samsung devices anyhow, but there's still a good chunk of outliers that need to have the cert manually installed.

a0...@gmail.com <a0...@gmail.com> #50Jul 14, 2022 09:39PM

נכון מאד וחשוב ביותר

30...@gmail.com <30...@gmail.com> #51Jul 14, 2022 09:42PM

זה חשוב מאד גם בשבילי

sc...@gmail.com <sc...@gmail.com> #52Jul 27, 2022 09:39AM

Noone needs this Nanny-Protection measure that is nothing but blocking a normal use. Adding CA is normal in many environments, blocking this is patronization. This measure is very unbalanced and is on the same level as cutting the internet completely, which is in fact the most effective way of protection from threads, but also renders the device unusabel.

we...@gmail.com <we...@gmail.com> #53Aug 29, 2022 09:17PM

It has been 2 years, any update? Desperately needing this changed still

nu...@gmail.com <nu...@gmail.com> #54Sep 27, 2022 09:16PM

ms...@gmail.com <ms...@gmail.com> #55Oct 10, 2022 06:18AM

Not even from ca

On Thu, May 27, 2021, 1:21 AM <buganizer-system@google.com> wrote:

- Show quoted text -

we...@gmail.com <we...@gmail.com> #56Oct 12, 2022 01:31PM

After adding the certificates manually I see them on the list, but it seems they do not take effect, and I cannot delete them from the list.
I have tried to add the certificate again, but then it got duplicated certificates on the list of user certificates!
This is more than a regression! This should be considered a security bug, because the system may have some user certificates that shouldn't.

al...@gmail.com <al...@gmail.com> #57Nov 13, 2022 10:54AM

Can't use self-signed certificates from our company. Plase it has been years...

na...@gmail.com <na...@gmail.com> #58Jan 16, 2023 06:09PM

This change has disabled custom apps that my hospital developed to allow physicians secure access to dictate directly into patient charts using our Dragon Medical One dictation software.

Whoever made this decision without a plan to prevent breaking systems like MobileIron etc. should be ashamed of themselves: They have harmed thousands of people and wasted tremendous resources during the midst of a global pandemic.

sa...@gmail.com <sa...@gmail.com> #59Apr 7, 2023 11:03AM

has any update?

ra...@gmail.com <ra...@gmail.com> #60May 15, 2023 02:49PM

Any roadmap updates?

go...@gmail.com <go...@gmail.com> #61May 17, 2023 03:19AM

Yeah I do..busted randy I mean I liked u. Or what I don't understañd why u used me my móney U had me falling love with u añd my kíds call u Daddy,.Why?¿ I received our lettér tóday Yéß u can come home no I'm nót no hoe I don't ñeed a mañ to nut I think óf ú añd u búst my nút lóve u

to...@gmail.com <to...@gmail.com> #62Jul 29, 2023 08:38PM

נו? מה קורה? למה לא מאפשרים את זה, כולם רוצים!

49...@mtnwilderness.family <49...@mtnwilderness.family> #63Aug 2, 2023 04:25AM

Google! Verizon forced me to upgrade early. I was waiting for the new iPhone in October to upgrade. But, Verizon gave me a coupon for a free Google Pixel 6a. Once again, you have shown why I love Apple. I secure our internal sites down with client certificates from CloudFlare. Can't install the CA. This is ridiculous. Can't wait to get the new iPhone!

be...@gmail.com <be...@gmail.com> #64Oct 24, 2023 01:58PM

F***ing Google.... How DARE you attempt to dictate to your user community how they choose to configure devices that they bought and paid for? If I choose to open up my phone to the entire external Internet with no security whatsoever, with no protection, and decide to allow it to become infested with every kind of malware on the planet, THAT'S MY CHOICE TO MAKE AND YOU GET NO SAY IN IT!!!! You are allowed to provide me with the tools to configure my device. You are NOT allowed to dictate to me how I choose to use them.

le...@gmail.com <le...@gmail.com> #65Mar 6, 2024 11:17AM

any update?

vi...@google.com <vi...@google.com> #66Mar 7, 2024 12:38AM

Re-comment#64:

Hello, your comments were flagged for review. We understand that you’re frustrated, but please keep your language civil. If you continue to post abusive statements to the Google Issue Tracker, we will be forced to take action by removing your ability to make any comments or changes on the Google Issue Tracker.

my...@gmail.com <my...@gmail.com> #67Jul 4, 2024 01:08AM

Is this still an active bug, I assume 'assigned' means someone is looking into it? I did try it on 4 different devices, and it is indeed a bug IMO. Not sure why it is a problem to install self-signed certificates for development, but is there at least a work around? We really need to do some internal testing and buying certs for servers in a lab, that will never be on the Internet (and can never be for auditing and SOC2 reasons), is like getting Congress to agree on anything.
Good luck, hope you all figure it out B-)

FunnyScreenshot_20240703-203446_(1)[1].png

58 KB

View

Download

em...@gmail.com <em...@gmail.com> #68Sep 30, 2024 07:46PM

Any updates? This is still an issue.

mr...@gmail.com <mr...@gmail.com> #69Sep 30, 2024 08:08PM

Hi Everyone, I'm just going to point out the obvious to everyone here and in the future to set expectations: Google will never implement this. It's not in their best interest from a security or a support perspective. It would also potentially allow for interception/modification of Google and third-party app communications that they don't want to allow. I know this is frustrating and not what anyone but big tech wants to hear, but it's the truth. After four years of Google silence, it's the truth. We'll just need to accept it and find other solutions to our use cases.

ma...@gmail.com <ma...@gmail.com> #70Jan 23, 2025 10:02AM

It's still a problem, I need this feature for development. At least put it in the "developer settings only" tab. We've received no updates yet and it's unacceptable.

ol...@googlemail.com <ol...@googlemail.com> #71Mar 14, 2025 07:20AM

I am WiFi-Admin at a big educational campus. All the Android Devices, espaccialiy the Google Pixel cant connect with teh WiFi (EAP-Peap MSchapV2). They get an auth error. The teachers moved to Apple-devices and the Pixels are useless since update. Its still an issue with an impact here.

al...@gmail.com <al...@gmail.com> #72Mar 30, 2025 11:42PM

I'm the inventor and owner of AI I'm just trying to get this internet straightened out there's a text for you a lot of robot

Issue 168169729

Description

Issue summary

Comments

ja...@google.com <ja...@google.com> #2Sep 10, 2020 05:03PM

wa...@vt.edu <wa...@vt.edu> #3Sep 11, 2020 03:12PM

rc...@gmail.com <rc...@gmail.com> #4Sep 12, 2020 05:12PM

rc...@gmail.com <rc...@gmail.com> #5Oct 9, 2020 05:37PM

ki...@gmail.com <ki...@gmail.com> #6Dec 15, 2020 12:20AM

yz...@gmail.com <yz...@gmail.com> #7Feb 1, 2021 07:18AM

bi...@gmail.com <bi...@gmail.com> #8 Restricted Feb 15, 2021 06:52AM

ch...@gmail.com <ch...@gmail.com> #9Feb 21, 2021 04:41AM

pd...@gmail.com <pd...@gmail.com> #10Mar 13, 2021 02:34AM

ja...@google.com <ja...@google.com> #11Mar 15, 2021 05:23PM

jo...@gmail.com <jo...@gmail.com> #12Mar 15, 2021 05:58PM

pi...@gmail.com <pi...@gmail.com> #13Mar 15, 2021 06:05PM

ja...@google.com <ja...@google.com> #14Mar 17, 2021 07:22PM

sa...@google.com <sa...@google.com> Mar 25, 2021 07:44AM

ay...@gmail.com <ay...@gmail.com> #15May 8, 2021 01:02PM

da...@gmail.com <da...@gmail.com> #16May 27, 2021 05:21AM

br...@gmail.com <br...@gmail.com> #17Jun 25, 2021 08:39AM

si...@gmail.com <si...@gmail.com> #18Jul 13, 2021 01:26PM

mr...@gmail.com <mr...@gmail.com> #19Jul 24, 2021 10:33PM

fs...@gmail.com <fs...@gmail.com> #20Aug 20, 2021 03:27PM

jo...@gmail.com <jo...@gmail.com> #21Sep 23, 2021 11:09AM

eh...@gmail.com <eh...@gmail.com> #22Oct 21, 2021 02:06PM

sa...@gmail.com <sa...@gmail.com> #23Oct 24, 2021 05:56AM

da...@gmail.com <da...@gmail.com> #24Oct 24, 2021 06:47PM

sr...@gmail.com <sr...@gmail.com> #25Nov 7, 2021 03:37PM

da...@gmail.com <da...@gmail.com> #26Nov 7, 2021 04:07PM

br...@gmail.com <br...@gmail.com> #27Nov 7, 2021 08:56PM

ch...@gmail.com <ch...@gmail.com> #28Nov 24, 2021 05:37PM

co...@gmail.com <co...@gmail.com> #29Jan 4, 2022 04:02PM

tv...@gmail.com <tv...@gmail.com> #30Jan 23, 2022 07:47PM

np...@gmail.com <np...@gmail.com> #31Jan 24, 2022 08:48PM

cn...@gmail.com <cn...@gmail.com> #32Jan 27, 2022 06:42PM

si...@gmail.com <si...@gmail.com> #33Jan 27, 2022 06:50PM

tt...@gmail.com <tt...@gmail.com> #34Feb 9, 2022 09:29AM

sh...@googlemail.com <sh...@googlemail.com> #35Feb 9, 2022 02:04PM

su...@gmail.com <su...@gmail.com> #36Mar 12, 2022 03:32AM

br...@gmail.com <br...@gmail.com> #37Mar 22, 2022 10:23PM

bl...@gmail.com <bl...@gmail.com> #38Apr 1, 2022 11:18AM

ah...@gmail.com <ah...@gmail.com> #39Apr 3, 2022 03:36PM

nu...@gmail.com <nu...@gmail.com> #40Apr 3, 2022 05:02PM

nu...@gmail.com <nu...@gmail.com> #41Apr 3, 2022 05:02PM

fl...@simplifier.io <fl...@simplifier.io> #42Apr 5, 2022 12:53PM

am...@gmail.com <am...@gmail.com> #43Apr 28, 2022 06:59AM

mo...@pitechniques.com <mo...@pitechniques.com> #44May 2, 2022 11:21AM

re...@gmail.com <re...@gmail.com> #45May 2, 2022 05:35PM

pi...@gmail.com <pi...@gmail.com> #46May 10, 2022 01:51PM

ro...@gmail.com <ro...@gmail.com> #47May 21, 2022 05:53PM

sh...@gmail.com <sh...@gmail.com> #48Jun 20, 2022 08:42AM

ca...@gmail.com <ca...@gmail.com> #49Jun 20, 2022 03:19PM

a0...@gmail.com <a0...@gmail.com> #50Jul 14, 2022 09:39PM

30...@gmail.com <30...@gmail.com> #51Jul 14, 2022 09:42PM

sc...@gmail.com <sc...@gmail.com> #52Jul 27, 2022 09:39AM

we...@gmail.com <we...@gmail.com> #53Aug 29, 2022 09:17PM

nu...@gmail.com <nu...@gmail.com> #54Sep 27, 2022 09:16PM

ms...@gmail.com <ms...@gmail.com> #55Oct 10, 2022 06:18AM

we...@gmail.com <we...@gmail.com> #56Oct 12, 2022 01:31PM

al...@gmail.com <al...@gmail.com> #57Nov 13, 2022 10:54AM

na...@gmail.com <na...@gmail.com> #58Jan 16, 2023 06:09PM

sa...@gmail.com <sa...@gmail.com> #59Apr 7, 2023 11:03AM

ra...@gmail.com <ra...@gmail.com> #60May 15, 2023 02:49PM

go...@gmail.com <go...@gmail.com> #61May 17, 2023 03:19AM

to...@gmail.com <to...@gmail.com> #62Jul 29, 2023 08:38PM

49...@mtnwilderness.family <49...@mtnwilderness.family> #63Aug 2, 2023 04:25AM

be...@gmail.com <be...@gmail.com> #64Oct 24, 2023 01:58PM

le...@gmail.com <le...@gmail.com> #65Mar 6, 2024 11:17AM

vi...@google.com <vi...@google.com> #66Mar 7, 2024 12:38AM

my...@gmail.com <my...@gmail.com> #67Jul 4, 2024 01:08AM

em...@gmail.com <em...@gmail.com> #68Sep 30, 2024 07:46PM

mr...@gmail.com <mr...@gmail.com> #69Sep 30, 2024 08:08PM

ma...@gmail.com <ma...@gmail.com> #70Jan 23, 2025 10:02AM

ol...@googlemail.com <ol...@googlemail.com> #71Mar 14, 2025 07:20AM

al...@gmail.com <al...@gmail.com> #72Mar 30, 2025 11:42PM

Add comment

Issue metadata

bi...@gmail.com <bi...@gmail.com> #8
Restricted
Feb 15, 2021 06:52AM