
4.4 OTA breaks certificate-based authentication support

ek001
#1  
Junior Member - OP
Thanks Meter 0
Posts: 15
Join Date: Jul 2012

Just upgraded my device to OTA 4.4 and Exchange services crashed every time I opened Email (I kept getting a message "Unfortunately Exchange Services stopped" repeatedly).

After deleting both the email account and the user certificate (we use certificate-based email authentication), I am unable to re-add the Exchange account back (after defining all credentials and parameters, I get a popup that says "Couldn't finish. Can't connect to server."). Additionally, I see a white triangle with an exclamation point inside in the notification bar. When I pull the bar down, the exclamation bar has a caption of "Network may be monitored by an unknown third party". When I click on that caption, I get a new pop-up saying "Network monitoring. A third party is capable of monitoring your network activity, including emails, apps and secure web sites. A trusted credential installed on your device is making this possible". There is a button underneath called "Check trusted credentials" and clicking on that takes me to a "user" portion of the trusted credentials store, where I see my corporate CA certificates.

In general, the issue of certificates issued by a non-public CA generating a "Network may be monitored" message has already been documented in several forums and there is an issue #62076 created for it. However, I suspect that "security features" introduced in KitKat are somehow preventing my device from using my certificate for email authentication (because the device does not trust it). I knew I could count on Google to break the most used feature of my phone (email) and thus render it useless. Another win for the history books.
 
aldouse
#2  
Senior Member
Thanks Meter 27
Posts: 185
Join Date: Jul 2010
Location: Milpitas
Had the same issue after updating to 4.4. In short, I had to re-push both OA and CA certificates to re-establish the authentication system for work.
002photography.com

current: Galaxy Note 3

past: Moto-X/HTC One/iPhone 5/iPhone 4s/Galaxy Note 2/Galaxy S3/Galaxy Nexus/Galaxy S2/Nexus S4/HTC Evo Shift/HTC Evo
 
ek001
#3  
Junior Member - OP
Thanks Meter 0
Posts: 15
Join Date: Jul 2012
Quote:
Originally Posted by aldouse
Had the same issue after updating to 4.4. In short, I had to re-push both OA and CA certificates to re-establish the authentication system for work.

I already tried that twice. No joy.

The most annoying part is that I also have a Nexus 10 tablet and it had ZERO problems after upgrading to KitKat (aside from the annoying "your network is being monitored" notification). This means Motorola yet again mucked with the stock Android install and broke it.

Any other ideas? I'd hate to go through the pain of reverting back to 4.3.
 
1ManWolfePack
#4  
Account currently disabled
Thanks Meter 1762
Posts: 2,366
Join Date: Jul 2012
It'll work if you keep deleting, rebooting, then reinstalling the apk for email. At least it did for me. My company issues these certs, and I got it to work eventually.

Sent from my XT1060 using Tapatalk
 
ek001
(Last edited by ek001; 29th November 2013 at 05:49 PM.)
#5  
Junior Member - OP
Thanks Meter 0
Posts: 15
Join Date: Jul 2012
So....here is what the issue is: https://code.google.com/p/android/is...etail?id=61785

Looks like quite a lot of people are affected by this. I can't believe how sloppy Google's QA is if something as major as this was pushed out of the door.

Now I need to wait for Motorola to incorporate this fix into their build of Android, then for Verizon to "test" it and roll it out via another OTA update. In the meantime, my Moto X is as good as a brick because I can't get my corporate email/contacts/calendar on it.

Ridiculous!
 
mj0528
#6  
Senior Member
Thanks Meter 42
Posts: 855
Join Date: Feb 2011
Location: Austin, Tx
Use another client

Touchdown is my client of choice and it works great with KitKat

Sent from my XT1058 using Tapatalk
 
kirdroid
#7
Senior Member
Thanks Meter 310
Posts: 2,196
Join Date: Feb 2011
Location: Seattle
Quote:
Originally Posted by mj0528
Use another client

Touchdown is my client of choice and it works great with KitKat

Sent from my XT1058 using Tapatalk

+1 for Touchdown... Worth the money if you rely on Exchange email.

Sent from my XT1053 using Tapatalk
 
nigebj
#8  
Member
Thanks Meter 1
Posts: 37
Join Date: Jul 2003
Network security warning cleared also

Quote:
Originally Posted by 1ManWolfePack
It'll work if you keep deleting, rebooting, then reinstalling the apk for email. At least it did for me. My company issues these certs, and I got it to work eventually.

Can you clarify 'work' - I assume this means it is syncing - do you still have the security warning about the certificate, or did this get cleared in your reboot/re-install cycles?

Thanks
 
ek001
#9  
Junior Member - OP
Thanks Meter 0
Posts: 15
Join Date: Jul 2012
Just wanted to update everyone - Google has stated that the issue is fixed "in a future release". One "minor" problem - there is zero information as to which release, as well as when it is going to be rolled out.

So... as of now thousands of people using private certs on KitKat devices are still screwed and this number is growing by the day. In order to make it more convenient to pretend like the issue is minor and insignificant, Google has blocked further comments on issue 61785 after 260 people starred it, so now users that have an issue cannot even report it.
 
binary visions
#10  
Senior Member
Thanks Meter 64
Posts: 186
Join Date: Feb 2010
Quote:
Originally Posted by ek001
In order to make it more convenient to pretend like the issue is minor and insignificant, Google has blocked further comments on issue 61785 after 260 people starred it, so now users that have an issue cannot even report it.

If the issue is resolved and Google has a rollout plan for the fix, what use is there for further bug reports or reporting? It just becomes noise in their bug tracking system. Is there a purpose for yet more people to say, "hey, yeah, I have this issue too"?
