Update 1/26/2015 - Google has refused to take this issue seriously. They have closed several bugs posted on the Android bug tracker. Fortunately, there are some other people out there that agree that the current implementation is broken. Unfortunately, Google doesn't seem to think that it is worth fixing. Since I know a lot of people find this page while looking for information on this annoying warning, I would encourage you to go to the current bug on the Android bug tracker, and star it to show Google that you want this resolved! Perhaps if enough of us star it, Google will start to pay attention. You can find the current open bug here.
Let me start by making the disclaimer that these observations are based on an AOSP build of Android KitKat on a Galaxy Nexus. (My Nexus 5 isn't due for two more days.) However, things like this that exist in AOSP tend to also exist in the release builds.
Along with all of the great new features in KitKat, Google has introduced what is probably the WORST security hole possible: a ham-fisted implementation of certificate pinning.
Certificate pinning itself is a good idea. It verifies that when you visit a web site, it provides you with the same certificate every time. In general, certificates shouldn't be changing on web sites, and if one does you should be made aware of it.
So, how could certificate pinning be a security hole then? By creating a situation where a harmless certificate creates a scary, and unnecessary, warning message. When you install any certificate into the key store, you get a warning icon in the bar at the top of the screen. Pulling down the shade presents the following screen:
Let's consider the average user at this point. Given the revelations about all of the snooping by various governments, it seems that a warning like this would make uninformed users very concerned. (And, let's face it, there are very few informed users when it comes to 802.1X on Android.) But, okay, maybe I am freaking out over nothing. What happens when we tap the warning?
Hmm... Maybe not. So, the conclusion an uninformed user is meant to draw from this is that having any form of third-party "trusted credential" installed means that a third party will probably be monitoring my traffic.
I'm going to skip over the obvious irony here that something from Google is warning me that a 3rd party might be monitoring the web sites I visit, and reading my e-mail. (If the irony is lost on you, you may want to do some research.)
Google seems to be trying to argue that the only safe type of certificate is one that comes pre-installed on your device, which is a downright silly argument no matter how you slice it. But, let's go ahead and let that one slide. Being the security-minded individual that I am, I make sure that all of my network connections are as secure as possible. So, I make the (probably bad) assumption that purchasing a certificate for my RADIUS server from a public CA will provide me what I need in order to have a secure wireless network.
Once I get the network set up, I try to connect my Android device to the network. Now, since we have paid even a little attention to the security issues around wireless networks, we know that we need to validate the server certificate in order to have a secure connection. No problem, we purchased from a public CA, so we will just select that in the configuration settings. But, you can't. The pre-installed certificates on Android can't be used with 802.1X authentication. Okay, no problem. I'll just install the CA certificate on my device and then use that. Oh, what is this scary message?
Now, those of us that understand the meaning of this message will just dismiss it. But, let's assume that you aren't a techno-savvy individual that has enough time to spend learning about security. This warning is going to freak you out! If this conversation hasn't happened on a message board yet, it will soon:
"Hey, I got the upgrade to KitKat, and it is great! But, now I get this warning saying that someone is monitoring my network connection! How do I make that go away!? I don't want someone monitoring my network connection!"
"Getting rid of that warning is easy. Go to Settings->Security->Clear credentials. After that, the warning will go away."
"Thanks! The warning is gone. But now I can't connect to my wifi network! HELP!"
"Not a problem. Go in to the configuration for your wifi network and change the 'CA certificate' setting to '(undefined)'. Problem solved!"
"Perfect! That solved my problem! Thanks!"
And somehow Google either didn't consider this case, or they really want to decrease the security of wireless networks.
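To make concrete what the "(undefined)" CA certificate setting in the exchange above actually does, here is an added example (not from the original post) written as a wpa_supplicant network block, the supplicant that Android's Wi-Fi stack uses underneath its settings UI. The first block is the equivalent of the message-board "fix"; the second is the configuration the post is arguing for. The SSID, identity, password, CA file path and RADIUS server name are constructed placeholders.

```ini
# Added example, not from the original post. All values below are constructed.

# WEAK: the equivalent of setting "CA certificate" to "(undefined)" in the
# Android Wi-Fi settings. With no ca_cert, the supplicant does not validate the
# RADIUS server's certificate at all, so the client will complete the PEAP
# exchange with any server that answers, which is exactly the kind of
# monitoring the KitKat warning claims to guard against.
network={
    ssid="ExampleCorp-WiFi"          # constructed SSID
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"                 # constructed user name
    password="example-password"      # constructed password
    phase2="auth=MSCHAPV2"
    # ca_cert deliberately omitted: no server certificate validation
}

# HARDENED: name the CA that issued the RADIUS server's certificate AND require
# the certificate to carry the server's own name. The second line matters when
# the CA is a public one: without it, any certificate that CA has issued for any
# other name would also be accepted.
network={
    ssid="ExampleCorp-WiFi"          # constructed SSID
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"                 # constructed user name
    password="example-password"      # constructed password
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/ssl/certs/example-public-ca.pem"   # constructed path to the CA certificate
    domain_suffix_match="radius.example.com"         # constructed RADIUS server name
}
```

The point of the second block is the one the post makes about buying a certificate from a public CA: the CA setting alone only says "issued by this CA", and on a public CA that is a very large set of certificates, so the name check is what ties the trust to your own RADIUS server. Clearing credentials and setting the CA to "(undefined)" silences the warning by removing the first check and never having had the second.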
Anyway, if you happen across this post while looking for how to make this scary looking warning go away, and you use a secure wifi network, please just swipe the warning out of the shade. It is really nothing to worry about. (I'll do a follow-up post in the next week or so about how authentication on wifi works and why you should care.)
Edit 11/26/2013: A coworker pointed out that my blog post was referenced in a bug posted to the Android bug tracker. The same bug post had a response from someone using an @android.com e-mail address outlining why this issue isn't a problem. I tested their solutions and wrote about it here.