
4.4 OTA breaks certificate-based authentication support

OP ek001

20th November 2013, 06:39 AM   |  #1  
OP Junior Member
Just upgraded my device to OTA 4.4 and Exchange services crashed every time I opened Email (I kept getting a message "Unfortunately Exchange Services stopped" repeatedly).

After deleting both the email account and the user certificate (we use certificate-based email authentication), I am unable to re-add the Exchange account back (after defining all credentials and parameters, I get a popup that says "Couldn't finish. Can't connect to server."). Additionally, I see a white triangle with an exclamation point inside in the notification bar. When I pull the bar down, the exclamation bar has a caption of "Network may be monitored by an unknown third party". When I click on that caption, I get a new pop-up saying "Network monitoring. A third party is capable of monitoring your network activity, including emails, apps and secure web sites. A trusted credential installed on your device is making this possible". There is a button underneath called "Check trusted credentials" and clicking on that takes me to a "user" portion of the trusted credentials store, where I see my corporate CA certificates.

In general, the issue of certificates issued by a non-public CA generating a "Network may be monitored" message has already been documented in several forums and there is an issue #62076 created for it. However, I suspect that "security features" introduced in KitKat are somehow preventing my device from using my certificate for email authentication (because the device does not trust it). I knew I could count on Google to break the most used feature of my phone (email) and thus render it useless. Another win for the history books.
20th November 2013, 07:30 AM   |  #2  
Senior Member
Milpitas
Had the same issue after updating to 4.4. In short, I had to re-push both OA and CA certificates to re-establish the authentication system for work.
23rd November 2013, 06:10 PM   |  #3  
OP Junior Member
Quote:
Originally Posted by aldouse

Had the same issue after updating to 4.4. In short, I had to re-push both OA and CA certificates to re-establish the authentication system for work.

I already tried that twice. No joy.

The most annoying part is that I also have a Nexus 10 tablet and it had ZERO problems after upgrading to KitKat (aside from the annoying "your network is being monitored" notification). This means Motorola yet again mucked with the stock Android install and broke it.

Any other ideas? I'd hate to go through the pain of reverting back to 4.3.
23rd November 2013, 06:15 PM   |  #4  
Account currently disabled
It'll work if you keep deleting, rebooting, then reinstalling the apk for email. At least it did for me. My company issues these certs, and I got it to work eventually.

Sent from my XT1060 using Tapatalk
24th November 2013, 07:23 AM   |  #5  
OP Junior Member
So....here is what the issue is: https://code.google.com/p/android/is...etail?id=61785

Looks like quite a lot of people are affected by this. I can't believe how sloppy Google's QA is if something as major as this was pushed out of the door.

Now I need to wait for Motorola to incorporate this fix into their build of Android, then for Verizon to "test" it and roll it out via another OTA update. In the meantime, my Moto X is as good as a brick because I can't get my corporate email/contacts/calendar on it.

Ridiculous!
Last edited by ek001; 29th November 2013 at 06:49 PM.
24th November 2013, 02:46 PM   |  #6  
Senior Member
Austin, Tx
Use another client

Touchdown is my client of choice and it works great with KitKat

Sent from my XT1058 using Tapatalk
24th November 2013, 06:01 PM   |  #7  
kirdroid
Senior Member
Seattle
Quote:
Originally Posted by mj0528

Use another client

Touchdown is my client of choice and it works great with KitKat

Sent from my XT1058 using Tapatalk

+1 for Touchdown... Worth the money if you rely on Exchange email.

Sent from my XT1053 using Tapatalk
27th November 2013, 06:04 PM   |  #8  
Member
Network security warning cleared also
Quote:
Originally Posted by 1ManWolfePack

It'll work if you keep deleting, rebooting, then reinstalling the apk for email. At least it did for me. My company issues these certs, and I got it to work eventually.

Can you clarify 'work' - I assume this means it is syncing - do you still have the security warning about the certificate, or did this get cleared in your reboot/re-install cycles?

Thanks
29th November 2013, 06:44 PM   |  #9  
OP Junior Member
Just wanted to update everyone - Google has stated that the issue is fixed "in a future release". One "minor" problem - there is zero information as to which release, as well as when it is going to be rolled out.

So....as of now thousands of people using private certs on KitKat devices are still screwed and this number is growing by the day. In order to make it more convenient to pretend like the issue is minor and insignificant, Google has blocked further comments on issue 61785 after 260 people starred it, so now users that have an issue cannot even report it.
29th November 2013, 06:48 PM   |  #10  
Senior Member
Quote:
Originally Posted by ek001

In order to make it more convenient to pretend like the issue is minor and insignificant, Google has blocked further comments on issue 61785 after 260 people starred it, so now users that have an issue cannot even report it.

If the issue is resolved and Google has a rollout plan for the fix, what use is there for further bug reports or reporting? It just becomes noise in their bug tracking system. Is there a purpose for yet more people to say, "hey, yeah, I have this issue too"?
