The rollout of Android 4.4 KitKat brought many improvements, including better security, and with them the “Network May Be Monitored” warning. Security may be tighter, but the message itself is unclear. What exactly does the persistent warning mean? Should you be worried, and what can you do to get rid of it?
This type of scenario is precisely why we weren’t too happy with the design of credential management on Android 4.4. Google’s heart was in the right place, but the way the update handled the issue (and informed users) is unprofessional at best and, for less experienced users, somewhat unsettling at worst. Let’s look at exactly what the warning means and what you can do about it.
The source of the warning
Let’s first explain why you’re receiving this message, since Android provides virtually no useful information about it. The phone keeps an inventory of trusted security certificates, both the ones it shipped with and the ones supplied by the user. The long list of entries under “system” that you found in the “Trusted credentials” menu is essentially a large whitelist of certificate issuers that Google seeded the Android device with. The phone is effectively saying, “Okay, these issuers are trustworthy, so we can trust the certificates they issue.”
If a certificate is installed on your phone (whether manually by you, maliciously by someone else, or automatically through a service or website you use) and it was not issued by any of those trusted issuers, Android’s security feature kicks in with the warning “Network May Be Monitored.” Technically, that is an accurate warning: if a malicious or compromised certificate is installed on your device, traffic from your device could, under certain circumstances, be monitored. It is not uncommon for businesses or hotspot providers to use self-issued certificates on their own equipment, which makes exactly this possible (although generally their motives are harmless).
The problem is that the warning is unnecessarily scary and does nothing to explain the issue. If you don’t know what trusted credentials and certificates are, the warning can be downright alarming.
A certificate doesn’t have to be malicious to trigger the warning; it only has to be signed or issued by an authority that isn’t on the trusted “system” list. That means if you signed your own certificate for a specific purpose (such as creating an encrypted connection to a server at home), Android will complain about it. It also means that if your company self-signs certificates for internal use rather than buying one from a public certificate authority, you’ll get the warning.
Finally, and we’re fairly sure this is what happened in your case, when you connect to a secure Wi-Fi network using a certificate from an issuer that isn’t on your device’s trusted list, you’ll get the warning. Technically, as we said above, the business could be using a self-signed certificate for malicious purposes, but usually when you run into this it’s because 1) the company doesn’t want to pay for a public certificate for private use and 2) they want full control over the certificate creation and signing process.
If you want more technical detail about this warning (and how frustrated the new certificate handling has made more than a few users), you can read these Android bug report threads [1, 2] and these two blog posts from GeekTaco [1, 2], which discuss the issue in detail.
Do You Need to Be Concerned?
The warning is phrased seriously, and we don’t blame you for being a little alarmed. But should you really be concerned? In the majority of cases, users who see this warning aren’t seeing it because they installed a malicious certificate that puts them at risk. The most common cause is the one we mentioned above: businesses using self-signed certificates that aren’t in the system’s trusted certificate store because they weren’t issued by a public authority.
Given that the chance of someone using a fake certificate against you is very low, and the chance that the certificate causing this warning is a legitimate one that simply wasn’t created by a publicly verified certificate authority is very high, there’s no need to be concerned.
That said, there’s no reason to keep untrusted certificates around, and no reason to put up with warnings that don’t apply to your situation. Let’s look at what you can do in each of these cases.
What can you do?
The majority of certificates from legitimate sources are authenticated and signed. In the rare case that a certificate isn’t signed by a legitimate authority (e.g. you made it yourself, or your company uses it to connect to internal networks), you either know, or should be able to find out, where the certificate came from: you took part in creating it, or a conversation with your IT staff can clear the matter up.
So, unless you’re using Android in a business environment (where you’ll need to check with your IT staff to find out what’s going on with the certificate, since it may be one they created) or you made the certificate yourself, the simplest solution is to press and hold on any certificate you don’t recognize in the “user” category of the “Trusted credentials” screen and remove it (the remove button is at the bottom of the info pane). The fewer loose ends you leave on your certificate list, the more secure you are.
If you have a valid certificate that causes the warning because it’s on the “user” list instead of the “system” list, you can (at your own risk and discretion) manually move that certificate from the user directory to the system directory. This isn’t something to take lightly, so unless you are sure the certificate on the “user” list is safe for one of two reasons, 1) you created it or 2) the IT staff at your workplace confirmed it’s one of theirs, you should not try to move it.
If you are confident about the authenticity and safety of the certificate, engineer and Android enthusiast Sam Hobbs has a clear and concise guide to manually moving certificates, and another developer and enthusiast, Felix Ableitner, offers an open-source app that does the same thing without typing commands. If you don’t have an urgent (and clearly understood) need for the certificate, we recommend against doing this.
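The two checks behind the advice above (is the certificate self-signed, and is its issuer already on the “system” list?) have a concrete shape on the device: Android’s system store is a directory of files named after OpenSSL’s legacy subject hash (`<hash>.0`), and a certificate whose issuer equals its subject chains to nothing on that list. As an added example (not code from this article or from the guides it links), here is a stdlib-only Python tool that parses a DER certificate just far enough to pull out issuer and subject, reports whether it is self-signed, and computes the file name that hash gives; `make_cert` builds a constructed, unsigned sample (short-form DER lengths only) so it runs offline.

```python
import hashlib
import struct

def tlv(tag, body):
    """DER TLV for the constructed samples (short-form length, bodies under 128 bytes)."""
    if len(body) >= 0x80:
        raise ValueError("sample builder supports short-form DER lengths only")
    return bytes([tag, len(body)]) + body

def name(cn):
    """Name ::= SEQUENCE { SET { SEQUENCE { OID commonName 2.5.4.3, UTF8String cn } } }."""
    attr = tlv(0x06, b"\x55\x04\x03") + tlv(0x0C, cn.encode())
    return tlv(0x30, tlv(0x31, tlv(0x30, attr)))

def make_cert(issuer_cn, subject_cn):
    """Constructed, unsigned sample certificate with just enough TBS structure to parse."""
    tbs = (tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + tlv(0x30, b"")
           + name(issuer_cn) + tlv(0x30, b"") + name(subject_cn) + tlv(0x30, b""))
    return tlv(0x30, tlv(0x30, tbs) + tlv(0x30, b"") + tlv(0x03, b"\x00"))

def parse_tlv(buf, pos):
    """(tag, value_start, value_end) of the DER element at buf[pos]; handles long lengths."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                              # long-form length: next (ln & 0x7F) bytes
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + ln

def cert_names(cert_der):
    """Raw DER issuer and subject Names of a real or sample DER certificate."""
    _, s, _ = parse_tlv(cert_der, 0)           # Certificate
    _, s, e = parse_tlv(cert_der, s)           # tbsCertificate
    fields = []
    while s < e:
        tag, _, ve = parse_tlv(cert_der, s)
        if tag != 0xA0:                        # skip the optional [0] EXPLICIT version
            fields.append(cert_der[s:ve])
        s = ve
    return fields[2], fields[4]                # serial, sigAlg, issuer, validity, subject

def name_hash_old(name_der):
    """OpenSSL X509_NAME_hash_old: first four MD5 bytes of the DER Name, little-endian."""
    return "%08x" % struct.unpack("<I", hashlib.md5(name_der).digest()[:4])[0]

def inspect_cert(cert_der):
    """Self-signed? Plus the <hash>.0 file names for the cert itself and for its issuer."""
    issuer, subject = cert_names(cert_der)
    return {"self_signed": issuer == subject,
            "own_file": name_hash_old(subject) + ".0",
            "issuer_file": name_hash_old(issuer) + ".0"}
```

On a device, an `issuer_file` that already exists under /system/etc/security/cacerts means the issuer is on the “system” list; a `self_signed` result means nothing on that list can vouch for the certificate, which is exactly the situation the warning describes.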