Wasn't it just yesterday that Android 13 was shiny and new? (Missing backgrounds on Android devices)
Posted by SimonPoole on 11 March 2026 in English.
Android 13 was released in August 2022, not yesterday, but on the other hand not so long ago.
Why is this relevant?
With Android 14 Google started updating the root certificates[1] through updates to its “play” services[2]. Prior to that they were only updated with full system updates, and while you can now count on such updates for multiple years, that used to be very different.
This is a problem for apps running on older devices that need to access resources on the Internet over encrypted connections (that is, with https): a resource can change its certificate provider, and by doing that potentially change the relevant certificate authority, and certificates can expire or otherwise be invalidated. If that happens the resource is essentially unusable without an update to the certificate authorities.
This is not a new problem, particularly for Vespucci[3], as we support devices going back to Android 5. Without the app bringing along its own copy of the relevant root certificate for Let’s Encrypt[4], you wouldn’t have been able to access openstreetmap.org for years on old phones.
So it shouldn’t have been a surprise when last Saturday an issue was opened complaining that the Polish government’s geoportal was erroring[5], but the issues users report are not always straightforward, and this was likely the first “important” source that ran into the problem.
Now there is a quick fix: the user installs the relevant certificates on their device themselves. This requires that the relevant app trusts user-installed certificates, and I’ve enabled that in V21.2.4, which is being distributed now. How other apps are configured in this respect is unclear.
Asking a user to install a certificate themselves is rather high friction and something that I would like to avoid if possible; the alternative is to add further certificates to the app itself. This is not something anybody really wants to do: on the one hand these certificates can become invalid just like the system ones, and on the other hand it requires additional work to determine which certificates to provide and is just a general PITA (sorry for the language).
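The two options above (trusting user-installed certificates and shipping extra roots in the app), written as an Android Network Security Configuration; this is an added example, not Vespucci's actual configuration. The resource name `@raw/extra_roots` and the choice of openstreetmap.org for the stricter entry are assumptions, and the platform only reads this file on Android 7.0 and later.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml
     Added example; file and resource names are assumptions. -->
<network-security-config>

    <!-- Default for every host the app contacts, e.g. imagery sources. -->
    <base-config>
        <trust-anchors>
            <!-- Roots shipped with the OS image (frozen on older devices). -->
            <certificates src="system" />
            <!-- Hypothetical raw resource: PEM or DER file with the extra
                 roots bundled in the APK to cover what the OS store lacks. -->
            <certificates src="@raw/extra_roots" />
            <!-- CAs the user installed on the device. Apps targeting
                 API 24+ do not trust these unless they opt in here. -->
            <certificates src="user" />
        </trust-anchors>
    </base-config>

    <!-- Stricter entry (assumed host): trust-anchors set here replace the
         base-config ones, so user-installed CAs are not accepted for it. -->
    <domain-config>
        <domain includeSubdomains="true">openstreetmap.org</domain>
        <trust-anchors>
            <certificates src="system" />
            <certificates src="@raw/extra_roots" />
        </trust-anchors>
    </domain-config>

</network-security-config>
```

The file is referenced from the `<application>` element of the manifest with `android:networkSecurityConfig="@xml/network_security_config"`. Leaving `user` out of a `domain-config` keeps a CA added on the device from being accepted for hosts where the app sends credentials, while the user workaround still applies to everything else.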
But the first order of the day is to determine the full extent of the issue, which I did by creating a test that loops over all sources in the Editor Layer Index[6] and then running it on a selection of Android emulators for Android 13, 9, 7.1 and 7 (7 because this is the oldest version Ilya supports in everydoor[7]). The results[8] show that this is a limited issue back to 7.1 and then starts getting quite a bit larger, but as noted in the GitHub issue we can largely resolve it back to 7.1 with a small number of additional certificates for now. This will be available in V22 and likely backported to the next maintenance release of V21.
The situation will degrade further over time. If you find a source that is potentially showing the problem, use Vespucci’s Test function[9] on the layer, or the equivalent in the app you are using, to determine if this is really due to a missing/unknown root certificate. You should always be able to work around the issue yourself by installing the certificate on the device.
- De-googled devices and 3rd party Android versions are out of scope for this discussion.
- https://github.com/MarcusWolschon/osmeditor4android/issues/3144
- https://github.com/MarcusWolschon/osmeditor4android/issues/3149
- https://vespucci.io/help/en/Main%20map%20display/#layer-control
Discussion
Comment from Marcos Dione on 11 March 2026 at 10:44
Maybe you could just copy over the trust store from, for instance, Firefox or any of the forks you might trust.
https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/
https://firefox-source-docs.mozilla.org/security/nss/runbooks/rootstore.html#root-store-consumers
Or maybe their downstream equivalents in your distro or curl.
Comment from SimonPoole on 11 March 2026 at 11:26
The thing is it isn’t “just copying over” and would still involve work both on automating the build process and integrating this into the app (you definitely don’t want to parse all root certs on startup). But yes, if the situation degrades faster than expected for the impacted devices this would be a possible option.
Comment from campbelltree on 11 March 2026 at 21:08
Copying any browser trust store is incomplete without the additional programmatic rules for enforcement of partial sanctions (see e.g. the 2018 Symantec incident https://support.apple.com/en-us/103187 ). Just be aware that you are permitting more connections than the browsers will.
Comment from Marcos Dione on 11 March 2026 at 21:14
It’s ~145 certificates, this takes long? Maybe it makes more sense to store them in a more easily parseable format? CER maybe?
But that’s exactly what they want, because the system where the trust store is, well, stored, is immutable, so the trust store slowly rots.