I think Android is - and has been - more heavy-handed than Apple here. Even when you could install and trust a new root CA, some apps can and would ignore this. Apps can use certificate pinning on both iOS and Android, but apps on Android just ignore user-added CAs by default on Android 7+, since 2016[1].
On iOS, the process of trusting a root CA is (rightfully) tricky, requiring you to install a profile and jump through some hoops with some scary warnings, but in my experience most apps will trust it unless they're using pinning.
I can honestly see why Google did this in Android 7. Android, being much closer to a normal computer than iOS, has a huge stalkerware problem. Stalkerware isn't stopped by prompts, weaponises backwards compatibility, and includes all manner of abuse.
On iOS it's shockingly easy to subvert your HTTPS privacy for years after you've let someone borrow your phone for five minutes.
I would love the option to actually trust CA certificates I install (especially Firefox, a fucking web browser, doesn't even opt into user certificates without a secret tap combo and hidden settings), but I don't think this feature is important enough for the dozens of techies using them day to day considering the risk to every other Android user on the planet.
In this case there's no evil Google conspiracy to thwart the plans of your local IT department, this is just a side effect of Google's excellent sandboxing improvement and long overdue CA store update mechanism.
I'm sure Magisk modules will appear to work around this problem. The existing Magisk modules will be broken for a while but that's par for the course after major Android updates. I'll write a module myself if I have to.
> On iOS it's shockingly easy to subvert your HTTPS privacy for years after you've let someone borrow your phone for five minutes.
You need a passcode to install certificates. And people casually handing over their phones would be a much bigger problem if that really is widespread behavior.
Second, can we stop using "techies" as some kind of magic word to make any technical concerns go away?
> especially Firefox, a fucking web browser, doesn't even opt into user certificates without a secret tap combo and hidden settings
Firefox uses its own CA store and installing your own is trivial. Ever tried to just open a URL with your cert? The UI for certs isn't nice, but you can still view them in 'about:certificate'.
Installing into system store and then configuring Firefox to use system store is the hard way, on all supported systems.
> Firefox uses its own CA store and installing your own is trivial. Ever tried to just open a URL with your cert? The UI for certs isn't nice, but you can still view them in 'about:certificate'.
Not on Firefox for Android, it just makes me download the file. You can do it of course; just go to Settings > About Firefox > Tap the Firefox logo seven times > Go back > Secret Settings > Toggle "Use third party CA certificates".
about:certificate shows me a bunch of buttons to export certificates, but there's no disabling or importing from that screen.
It definitely used to work like this, but that functionality broke for me when the Firefox rewrite launched (Firefox 69 I believe).
In my opinion, Firefox shouldn't need to keep a separate store for user imported certificates at all. The operating system already has this built in, with a dedicated API for listing and importing these certificates, and Firefox actually uses that if you use the secret setting to enable it (not in about:config, you're not allowed to touch about:config unless you run Beta or Nightly).
I think Firefox tries to be simple and easy like Chrome is, but just fails to in edge cases. I still can't paste an IPv6 IP address (i.e. http://[2000::5677]/) into the address bar and just visit it like I can on every other browser I've tried, and to me that's indicative of Mozilla's struggles to keep up with the mobile browser market.
The same is true on Android for processes with system capabilities/root, I believe, because they can bind sockets to a specific interface and bypass the VPN you use.
[1]: https://android-developers.googleblog.com/2016/07/changes-to...
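Added example, not part of any comment in this thread: the Android 7+ default mentioned in the first comment is controlled per app by its Network Security Configuration XML, and this sketch reports which scopes of such a file opt into user-added CAs. It assumes an app targeting API 24 or higher (where the default is system CAs only), looks only at top-level `domain-config` elements, and uses a constructed sample file; the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample config for illustration; not taken from any real app.
SAMPLE_CONFIG = """<network-security-config>
  <base-config><trust-anchors><certificates src="system"/></trust-anchors></base-config>
  <domain-config>
    <domain includeSubdomains="true">intranet.example</domain>
    <trust-anchors>
      <certificates src="system"/>
      <certificates src="user"/>
    </trust-anchors>
  </domain-config>
  <debug-overrides><trust-anchors><certificates src="user"/></trust-anchors></debug-overrides>
</network-security-config>"""


def _sources(node):
    """Certificate sources in this node's own <trust-anchors>, or None if it has none."""
    anchors = node.find("trust-anchors")
    if anchors is None:
        return None
    return {cert.get("src") for cert in anchors.findall("certificates")}


def user_ca_scopes(xml_text):
    """Map each scope (base, each domain, debug-only) to whether it trusts user CAs."""
    root = ET.fromstring(xml_text)
    base = root.find("base-config")
    base_src = _sources(base) if base is not None else None
    if base_src is None:
        # Assumption: app targets API 24+, where the default is system CAs only.
        base_src = {"system"}
    result = {"base": "user" in base_src}
    for domain_config in root.findall("domain-config"):
        src = _sources(domain_config)
        if src is None:
            src = base_src  # a domain-config without trust anchors inherits the base
        for domain in domain_config.findall("domain"):
            result[(domain.text or "").strip()] = "user" in src
    debug = root.find("debug-overrides")
    debug_src = _sources(debug) if debug is not None else None
    # debug-overrides only applies to debuggable builds
    result["debug-only"] = bool(debug_src) and "user" in debug_src
    return result


if __name__ == "__main__":
    for scope, trusted in user_ca_scopes(SAMPLE_CONFIG).items():
        print(f"{scope}: user CAs {'trusted' if trusted else 'ignored'}")
```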