this post was submitted on 28 Apr 2024

So, this may be G-custom OS specific, or Android generally.

I was looking through the security settings, and when going to Settings-Security-More-Encryption and Credentials, I see that there are a plethora of CA Root certs installed. I recognize some (Digicert, Comodo, etc.), but there are a lot that are just numbers and letters, and some from Beijing, China, etc.

I don't recall ever installing ANY certs, so I suppose these are all preinstalled (they show under the System tab, not the User tab.)

Can they be installed by regular apps?

I disabled any that weren't recognizable like Amazon, Google, Digicert, and Comodo.

Are these dozens of other Certs necessary, and are they safe to be on my device? Are they preinstalled with G-Custom OS, or did they somehow sneak into my system settings?

I have too much to do a factory reset at this point and it would only be a last resort.

I also have Mullvad, Proton, and a personal WG vps on my phone, would those add certs to the "storage"?

I know I named brands in here but I'm not promoting anything, I don't want to break something making changes, that's all.

Thanks in advance.

dukethorion 1 points 9 months ago

I never got a real answer, other than "don't mess with the certs".

So I eventually found the list of certs included in base Android, and the Beijing ones are included. I don't need certs from the CCP.

I disabled all cert CAs except for Amazon, Comodo, D-Trust, Digicert, Microsoft, Google, ISRG, and a few others that I've heard of previously.

I have not noticed any difference, but will add a reply here in the event that I do have issues.

It seems to me that dozens of these CAs are not necessary, and they allegedly can pay Google to be included in the default configuration.