A certificate authority (CA) is needed to solve the key distribution problem in regular network clients, such as web browsers, IM, and e-mail clients. They need to communicate with many servers, which the application developers have no prior knowledge of. As we have discussed in the previous recipes, it's common to know the backend servers or services your app is communicating with, and so it is advisable to restrict the other CA roots.

Android currently trusts around 130 CAs, varying slightly between manufacturers and versions. It also restricts other CA roots and enhances the security of the connection. If one of these CAs were to be compromised, an attacker could use the compromised CA's root certificate to sign and issue new certificates ...