Let the App in Android do the HTTPs CA signature verification

Question

In a recent discussion with colleague we analysed the implications of letting the default Android's system validation of CA signed TLS certificates from a known CAs like Verising, Comodo, etc. The discussion centered on the issue that the OS might be compromised (maybe rooted with malware or hacked) and the entire CA certificates library modified to validate certificates not signed by actual CAs.

A possible proposed solution to this was implementing Certificate validation in the app itself, having a list (which would in theory be much narrower considering that the app developer knows which certificates he'll be using) of Root CA Certificates in the app and let the app do the verification. This would allow for real validation without depending on the systems CA certificates.

I'm still a bit worried of wrongfully implementing this, how smart is it to let de app do the validation?

Answer 1

If the system is compromised an application running with same or less privileges than the compromised system can not save the day. Essentially you would not only need to implement TLS validation by your own but also the full TLS stack because the encryption libraries might be changed on the system and provide a backdoor to the attacker to get to the plain text. Additionally you would need to make sure that your application is not hijacked and the plain text information are stolen outside the encryption process, i.e. before encryption and after decryption. But, if the attacker has fully compromised the system you cannot stop this.

It is probably way more likely that you introduce new bugs while implementing the fairly complex TLS stack by your own and thus make your application not only insecure on compromised systems but also on others.