diff options
author | Danielle Roberts <daroberts@google.com> | 2016-07-26 11:12:14 -0700 |
---|---|---|
committer | Danielle Roberts <daroberts@google.com> | 2016-07-26 11:12:14 -0700 |
commit | 11d36e655ac79c8f412fc1aa0c1af5367e4b7484 (patch) | |
tree | 301e047b1ac803e56f900c906e3188c93d03b63e /src | |
parent | 53314631ce677f9e442746b7bb8b89b40ef8df75 (diff) | |
download | source.android.com-11d36e655ac79c8f412fc1aa0c1af5367e4b7484.tar.gz |
Docs: Add Certificate Authorities section to App security article
Bug: 28295905
Change-Id: I0e7975be2d6276fe4128aff43f6c2abcf9bd4765
Diffstat (limited to 'src')
-rw-r--r-- | src/security/overview/app-security.jd | 26 |
1 files changed, 26 insertions, 0 deletions
diff --git a/src/security/overview/app-security.jd b/src/security/overview/app-security.jd index c7b77994..8b011fac 100644 --- a/src/security/overview/app-security.jd +++ b/src/security/overview/app-security.jd @@ -280,6 +280,32 @@ APIs" src="../images/permissions_check.png" id="figure2" /> time, the installer will prompt the user asking if the application can access the information. If the user does not grant access, the application will not be installed.</p> +<h2 id="certificate-authorities">Certificate authorities</h2> +<p> +Android includes a set of installed system Certificate Authorities, which are +trusted system-wide. Prior to Android 7.0, device manufacturers could modify the +set of CAs shipped on their devices. However, devices running 7.0 and above will +have a uniform set of system CAs as modification by device manufacturers is no +longer permitted. +</p> +<p> +To be added as a new public CA to the Android stock set, the CA must complete +the <a href="https://wiki.mozilla.org/CA:How_to_apply">Mozilla CA Inclusion +Process</a> and then file a feature request against Android (<a +href="https://code.google.com/p/android/issues/entry">https://code.google.com/p/android/issues/entry</a>) +to have the CA added to the stock Android CA set in the <a +href="https://android.googlesource.com/">Android Open Source Project</a> +(AOSP). +</p> +<p> +There are still CAs that are device-specific and should not be included in the +core set of AOSP CAs, like carriers’ private CAs that may be needed to securely +access components of the carrier’s infrastructure, such as SMS/MMS gateways. +Device manufacturers are encouraged to include the private CAs only in the +components/apps that need to trust these CAs. See <a +href="https://developer.android.com/preview/features/security-config.html">Network +Security Configuration</a> for more details. +</p> <h2 id="application-signing">Application Signing</h2> <p>Code signing allows developers to identify the author of the application and to update their application without creating complicated interfaces and |