Google Chrome and Android drop TrustCor support following privacy scare

Google has announced that it is set to drop TrustCor Systems as a root certificate authority (CA) for its web browser.

The tech giant cited a “loss of confidence in its ability to uphold these fundamental principles and to protect and safeguard Chrome’s users” in a group discussion.

Joel Reardon, a professor and mobile space privacy researcher at the University of Calgary, said that his team had “uncovered and disclosed a spyware SDK embedded in apps that were invasively tracking users”.

TrustCor root certificate authority

In a joint effort with Wall Street Journal investigative journalists, it was found that TrustCor was registered just a month apart from the company behind the SDK, known as Measurement Systems, both in Panama.

Reardon points out in his notice: “To be clear, I have found no evidence of TrustCor issuing a bad certificate or otherwise abusing the authority they have in code signing, SMIME, and domain validation… Perhaps the identical ownership of TrustCor and Measurement Systems is a coincidence.”

Beyond this, there are a number of unfortunate, related coincidences that have led companies like Microsoft and Mozilla to drop TrustCor as a root CA, too.

The change takes effect with the rollout of Chrome 111, which is set to land on March 7, 2023, following a beta release around one month before. Previous versions of Chrome capable of receiving component updates will also be included in the change.

Just how long we’ll have to wait for the change to make its way to Android devices is uncertain. Unlike Chrome for desktop, which can be updated on its own, Android’s root certificate store is updated as part of the entire operating system, which is likely to cause a delay.

While some apps, like Firefox for Android, can configure their own set of CAs on top of the operating system’s root store, this isn’t the case with Chrome.

While tech giant Apple has yet to announce a decision, TrustCor has published a public statement on its website.
