Why is Android on so many phones

The lock symbol or the small "s" after "http" at the beginning of website addresses is now familiar to everyone who uses the Internet. The letter stands for "secure" and indicates that the connection between the browser on the user's device and the website's server is encrypted. Criminals therefore cannot, for example, read or access personal data entered in online forms.

Websites that want this "s" as a security feature must meet certain criteria. Those that do receive a corresponding certificate. The certificates are issued by various providers, who in turn are authorized by a superordinate body, the Certificate Authority Security Council (CASC).

The certificate provider Let's Encrypt is now causing headaches among the supervisory board and excitement on the web: one of the certificates that Let's Encrypt uses will expire in January, and the provider will not renew it but replace it with a new one. As a result, owners of older Android smartphones will no longer be able to simply access many websites, because old versions of the Google operating system do not support the new Let's Encrypt certificate.

Millions of warnings

Starting next year, these users will see a warning that the websites they have accessed are not secure. This error message can be clicked away, but many will not do so. After all, who wants to be on unsafe-looking websites? And these warnings will be seen millions of times, because the old Let's Encrypt certificate is very popular. Website owners like it because, unlike many others, it's free.

Android devices with a version older than 7.1.1 are affected by the exchange of certificates. Android 7, christened "Nougat" by Google, saw the light of day in August 2016; the first update followed in October 2016. These phones are just four years old. And they are still common: in September 2020, around nine percent of all Android devices were still running "Nougat". Together with even older versions, around 25 percent of all Android devices are too old for the new certificates. Based on Google's own statement of 2.5 billion active Android systems worldwide, that would be a good 600 million smartphones and tablets that are made almost unusable by the Let's Encrypt decision.

Google does regularly release new Android versions, but for one thing these are not always compatible with older devices. For another, the mobile phone manufacturers do not always pass the updates on to their customers, even when that would be possible, because they make good money when people buy a new cell phone every two years.

As a remedy for the problem it created itself, Let's Encrypt recommends installing the Firefox browser on the smartphone, because Firefox already provides the new certificate. However, this strategy only works for websites opened in the browser, not for apps. These would still need an Android update.
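A site operator can get a first estimate of how many visitors fall below the 7.1.1 cut-off from the User-Agent strings in the access log. The following sketch is an added example, not code from the article or from Let's Encrypt; the function names and the sample User-Agent strings are constructed for illustration.

```python
import re
from collections import Counter

# Cut-off from the article: Android versions older than 7.1.1 are affected.
MIN_OK = (7, 1, 1)
ANDROID_RE = re.compile(r"Android (\d+(?:\.\d+){0,2})")

def android_version(ua):
    """Return the Android version in a User-Agent as a 3-tuple, or None."""
    m = ANDROID_RE.search(ua)
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * (3 - len(parts)))  # "7.0" -> (7, 0, 0)

def classify(ua):
    """Label one User-Agent: not-android, ok, firefox, or affected."""
    version = android_version(ua)
    if version is None:
        return "not-android"
    if version >= MIN_OK:
        return "ok"
    # Per the article, Firefox already provides the new certificate,
    # so the browser keeps working even on an old Android release.
    if "Firefox/" in ua:
        return "firefox"
    return "affected"

def summarize(user_agents):
    """Count how many User-Agent strings fall into each label."""
    return Counter(classify(ua) for ua in user_agents)

# Constructed sample User-Agent strings (not taken from real logs).
SAMPLE_UAS = [
    "Mozilla/5.0 (Linux; Android 6.0.1; SM-G900F) AppleWebKit/537.36 "
    "(KHTML, like Gecko) Chrome/86.0.4240.110 Mobile Safari/537.36",
    "Mozilla/5.0 (Linux; Android 7.0; Example Phone) AppleWebKit/537.36 "
    "(KHTML, like Gecko) Chrome/86.0.4240.110 Mobile Safari/537.36",
    "Mozilla/5.0 (Linux; Android 7.1.1; Example Phone) AppleWebKit/537.36 "
    "(KHTML, like Gecko) Chrome/86.0.4240.110 Mobile Safari/537.36",
    "Mozilla/5.0 (Linux; Android 10; Example Phone) AppleWebKit/537.36 "
    "(KHTML, like Gecko) Chrome/86.0.4240.110 Mobile Safari/537.36",
    "Mozilla/5.0 (Android 5.1.1; Mobile; rv:68.0) Gecko/68.0 Firefox/68.0",
    "Dalvik/2.1.0 (Linux; U; Android 5.1.1; Example Phone Build/LMY47V)",
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0) Gecko/20100101 Firefox/83.0",
]

if __name__ == "__main__":
    for label, count in summarize(SAMPLE_UAS).most_common():
        print(f"{label:12} {count}")
```

User-Agent strings are supplied by the client and many apps send none that names the Android version, so the result is an estimate rather than an exact count.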

Update: On December 21, 2020, Let's Encrypt announced in a blog post that the original plan to let the certificate expire from January would no longer be adhered to. A new certificate has been developed that is also compatible with older Android versions.