In #68 trust by default for user-added CA certificates was added (ref to code part). Also, in this same PR cleartext traffic was allowed despite it being disabled by default for apps targeting Android 7.0 (API level 24) and higher according to network security configuration docs (ref to code part).
According to the Network security configuration docs, for apps targeting Android 7.0 (API level 24) and higher, base-config by default does not include `<certificates src="user" />` (which effectively means the app distrusts user-added CA certificates by default). Only apps targeting Android 6.0 (API level 23) and lower include trust for user-added CA certificates by default.
So, basically, the author of #68 successfully downgraded security and privacy by default for all Droid-ify users.
For now, every Droid-ify version starting from v0.4.8 is impacted by the changes above.
The upcoming release (probably v0.6.7) will include harm-reduction changes for #68 as well as improvements:
- disallow cleartext traffic for release builds (allow only for debug) #1147
- add cert pinning for nine f-droid repositories #1141 (9 popular repositories no longer impacted for now)
But something needs to be done with user-added CA certificates. I see two solutions:
- get rid of `<certificates src="user" />` in network security config
  - but this will permanently break compatibility with self-hosted F-Droid repositories which utilize self-signed CA certificates for https (very few people use it)
  - so this will force users with self-hosted F-Droid repositories which utilize self-signed CA certificates for https to build from source with `<certificates src="user" />` added, or make them stop using Droid-ify
- add a toggle (opt-in, meaning disabled by default) to trust user-added CA certificates
  - but some work needs to be done as well as testing...
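
Added example, not part of the issue and not Droid-ify's own code: a small check a reviewer could run over a `network_security_config.xml` to flag the two release-build settings discussed above (trusted user-added CAs and permitted cleartext traffic). Both sample configs are constructed for illustration, and the `audit` function and its `target_sdk` parameter are hypothetical names.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the weak shape the issue describes (not Droid-ify's actual file).
SAMPLE_WEAK = """<network-security-config>
  <base-config cleartextTrafficPermitted="true">
    <trust-anchors>
      <certificates src="system" />
      <certificates src="user" />
    </trust-anchors>
  </base-config>
</network-security-config>"""

# Constructed sample: user-added CAs are trusted only in debuggable builds.
SAMPLE_HARDENED = """<network-security-config>
  <base-config cleartextTrafficPermitted="false">
    <trust-anchors>
      <certificates src="system" />
    </trust-anchors>
  </base-config>
  <debug-overrides>
    <trust-anchors>
      <certificates src="user" />
    </trust-anchors>
  </debug-overrides>
</network-security-config>"""

def audit(xml_text, target_sdk=24):
    """Return findings that affect release builds of an app using this config."""
    root = ET.fromstring(xml_text)
    base = root.find("base-config")
    # <debug-overrides> is skipped on purpose: it applies only when android:debuggable is true.
    scopes = [("base-config", base)] if base is not None else []
    scopes += [("domain-config", d) for d in root.iter("domain-config")]
    findings = []
    for name, node in scopes:
        if node.get("cleartextTrafficPermitted") == "true":
            findings.append(f"{name}: cleartext traffic permitted")
        anchors = node.find("trust-anchors")
        certs = anchors.findall("certificates") if anchors is not None else []
        if any(c.get("src") == "user" for c in certs):
            findings.append(f"{name}: user-added CAs trusted")
    # Without explicit base-config trust-anchors the platform default applies:
    # user-added CAs are trusted only when targeting API level 23 or lower.
    if (base is None or base.find("trust-anchors") is None) and target_sdk <= 23:
        findings.append("base-config: user-added CAs trusted (platform default for API <= 23)")
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_WEAK), audit(SAMPLE_HARDENED))
```

An empty result for the release variant's config means neither setting is enabled outside debug builds; the check does not cover cleartext defaults that come from the target API level alone.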