Trusted Credentials on Android: What Are They?

Here’s what trusted credentials are on Android and what happens if you clear the trusted credentials:

Trusted Credentials comprise a list of servers that have gone through a specific security approval process that is managed by Google. 

Android devices come preloaded with this list of servers, and that is why they are deemed safe. If you clear the credentials, security features might block websites and apps that need them.

So if you want to learn all about trusted credentials on Android, then this article is for you.

Let’s jump right in!

What Are Trusted Credentials on Android?

Trusted credentials are a handful of digital markers that verify when a web server is deemed safe to access. An unsecured web server is vulnerable to outside attacks, and it makes anyone communicating with it vulnerable as well. 

To prevent a lot of hacking, data theft, and other online problems, developers and publishers have worked together to come up with something of a standard for web security.

The credentials show that a website or web app you are trying to use is up to those standards and that the risk of attack through your connection is minimal.

How Does the Trusted Credential List Work on Android?

We’ll go over the process of getting approved for the list in a minute. Before that, we can talk about what the list does. Your Android device has this list of servers, and each has been vetted by Google. So, if you try to access any server on the list, your device assumes it is safe and allows communication.

If you try to access something that is not on the list, then you might have your activity blocked. It depends on what app you are using. Some third-party apps make use of the list while others don’t. 

But, if you try to communicate with a server that is not pre-approved as safe by Google, you might have trouble communicating, or you might see a warning sign.

What Are the Common Requirements to Get on the Trusted Credentials List?

In order to get on this accredited list, developers have to jump through a lot of hoops. They have to verify how they secure communication with their web server. They also have to keep up with certain coding requirements and specific protocols. 

When all of that is done, they can get approved on a master list. That list is then further reviewed by Google to determine what gets automatic approval to be on the master list on every Android device.

SSL Certificate

SSL stands for Secure Socket Layer. This is an open-source security protocol that helps to protect internet communication. The system has been around for decades, and it has proven one of the most effective ways to encrypt communications between servers and users for websites and web apps.

In simpler terms, it’s a very common layer of safety that is used to keep people from spying on you or attacking you when you load a website.

Developers have to go through multiple steps to get a key to use SSL. Once they have that key, it controls the secure communication between you and their website. If this key is missing, the website (or app) no longer qualifies for trusted credentials.

TLS

TLS stands for Transport Layer Security. It serves much of the same purpose of SSL. It’s an encryption protocol that protects your communication with web servers. 

You can think of TLS as the newer version of SSL. It’s increasingly more common among servers and developers, and it is officially endorsed by Google. 

A webserver with TLS encryption does not need SSL. TLS is sufficient to qualify for trusted credentials.

Certificate Authority

Ultimately, the Certificate Authority (CA) runs the list of trusted servers. It places the demands for encryption (such as requiring SSL or TLS keys). The purpose of the authority is to authenticate traffic and prove that communication is secure.

Aside from verifying encryption keys, the CA provides a list of developer requirements for any server that wants to be on the list. They are specific in nature and ultimately work to ensure that websites are worthy of trust. 

Servers have to be listed on the CA in order to be given trusted credentials in your default Android list.

What Happens If You Clear the Trusted Credentials on Android?

Now that you have a better idea of what all of these credentials are about, what happens when you clear them? You may have seen this as a recommendation in some cases.

The thing about the credentials is that they are used to verify websites and apps that you try to visit. If the credentials are missing, you will get a warning about that. 

Any app that uses automated security features might not allow you to communicate with a server that doesn’t have these credentials.

Basically, if you delete the preloaded list of credentials, a lot of stuff won’t work.

Despite that, some problems require these credentials to be cleared or reset. That happens if a credential is updated incorrectly or runs into a bug. 

After clearing the credentials, you would probably want to reset the list available from Android.

How Do You Clear the Trusted Credentials on Android?

Credentials are probably important, but everything in a phone could need to be altered at some point if you’re in a situation where troubleshooting demands that you clear credentials, it can be done. 

There are actually two different lists at play, and we’ll cover each of them. Keep in mind that the credentials primarily discussed so far mostly refer to the “individual credentials” listed below.

The storage listed first is referring to a completely different list. This list is built and maintained by your phone automatically. It doesn’t involve anything preloaded or specifically listed by Google. Instead, this list is just here to make things run a little faster and easier for the phone or tablet.

Trusted Credentials Storage

The first thing to consider is third-party credentials stored on your phone. This is not a preloaded list. Instead, whenever you communicate with a website, your phone goes through safety procedures. It then remembers that everything checked out so it can load the site a little faster and easier next time.

Sometimes, you need to reset this list because websites lost credentials, added them, or things otherwise changed and need an update. When you clear this list, your phone will go back through the checklist with every website and rebuild all of this information from scratch. Clearing this list should not negatively impact performance.

Here’s how you do it. Navigate to your settings and then Security & Location. You want the advanced option. There, you can find Encryption & Credentials. Tap the option to “clear” the credentials, and it will be done.

Individual Trusted Credentials

There are also the preloaded credentials that have been mentioned before. This is a list that is maintained by Google. 

Credentials on this list were passed through the CA and met every item on the checklist. Clearing these credentials can prevent things from loading and working correctly.

Because these are still on your phone, if you are determined (or a developer), you can add credentials as you see fit. You might later determine that you need to remove some of them. The process has to be done one at a time.

Here are the steps.

Go to your settings and then security. Look for “trusted credentials.” Once loaded, you can manually disable any credential you choose.

Why Should You Clear the Trusted Credentials on Android?

You have a good idea of how to take care of the credentials now, but why would you need to? What troubleshooting is really happening at this stage? The answer to that depends on which list you are clearing.

Stored credentials on the phone exist in a different location and serve a different purpose. They are primarily just a way for your phone to remember credentials that it checked at some point.

The individual credentials that are vetted by Google are a different matter. That list is stored on your phone, but maintaining and managing the list is more complicated and bears a greater impact on the functionality of your device.

Stored Trusted Credentials

There are two reasons to clear the list of saved credentials on your phone. The first is because they seem out of date. You might get a notification that you can’t load a certain website, even though you’re sure it is a safe site. This is usually a problem with the stored credentials list, and it’s fixed with a wipe.

The other reason is that you know something is stored incorrectly. If there is a site that you don’t think is safe stored in this list, you can remove it. It ensures that credentials are checked again to help mitigate any security concerns.

Individual Trusted Credentials

As for the preloaded credentials, that’s a completely different matter. Since this is done individually, your reasons would depend on the server you are disabling. If a particular site or app has given you trouble, you can disable the credentials in order to prevent it from loading on your phone.

More likely, if you are doing this, it is as a developer. You have made changes to your own server or are running tests, and it helps to activate and deactivate specific credentials.