Always Trust User Certs

For those in development, security research, and penetration testing, dissecting network traffic on Android devices is essential. Tools such as Burp Suite, Charles Proxy, and HTTP Toolkit depend on installing a custom Certificate Authority (CA) certificate on the device to make sense of HTTPS traffic. But with the arrival of Android 7.0 (Nougat), Google altered the default network security policy: apps stopped automatically trusting user-installed certificates.

Before, the only workaround involved decompiling the app, tweaking its AndroidManifest.xml to incorporate a personalized network_security_config that would trust user certificates, and then recompiling the whole thing. This method is a real pain, it invalidates the app’s signature, and it’s not practical for analyzing the entire system.

Always Trust User Certs is a potent Magisk and KernelSU module, designed to eliminate this problem immediately. It works by quietly inserting your user-installed certificates into the system’s trust store. This clever maneuver convinces the operating system and applications to recognize your custom Certificate Authority as a trusted root certificate, just like the ones that come pre-installed.

How It Works: Handling Conscrypt and Mainline

Android’s security framework has undergone considerable change. Initially, certificates were kept in the /system/etc/security/cacerts directory. But with Project Mainline and the Conscrypt module, Google started delivering security updates through the Play Store. This shift also meant relocating the certificate store to more dynamic locations, such as /apex/com.android.conscrypt/cacerts/.

This module is remarkably advanced, automating the handling of all these situations. Whether you’re using an older phone or the newest top-of-the-line model, the module intelligently identifies your Android version and checks for Mainline updates. This ensures the certificates are always installed properly.

Key technical capabilities include:

• Universal Logic determines whether to focus on the traditional system partition or the newer APEX mount points.
• Clean Injection works by transferring certificates from the User Store to the System Store during the boot process. This guarantees that the trust chain is in place before any applications begin executing.
• Auto-Cleanup: To avoid duplicate or “ghost” certificates, the module clears its overlaid certificates from the system store before copying the user’s current certificates. Consequently, when you delete a certificate from your User settings, it’s properly removed from the System store the next time you restart your computer.

For a deeper dive into the technical aspects of Android traffic interception, check out this blog post.

Key Features and Compatibility

This module is built for simplicity, designed to be installed and then forgotten. Once it’s up and running, it quietly takes care of your certificates.

• Broad Android Support: It runs smoothly on all versions, spanning from Android 7 to Android 16.
• Root Solution Agnostic: Works seamlessly with Magisk, KernelSU, and KernelSU Next.
• Multi-User Support: This module is designed to handle certificates seamlessly, even when you’re using Android’s “Multiple Users” feature or “Work Profiles.” It makes sure everything gets where it needs to go, no matter the profile.
• No more patching APKs with network_security_config just to intercept traffic.

Usage Instructions

This module is very easy to use because it uses the built-in Android Settings interface to manage certificates.

How to Install a Certificate

1. Move your Proxy/CA certificate—typically a .cer or .pem file—onto your device.
2. Navigate to Settings > Security > Encryption & Credentials > Install a certificate > CA certificate.
3. Install the certificate as a standard User certificate.
4. Restart your device.
5. When the module restarts, it will automatically transfer the certificate to the System store. You can confirm this by looking at the “Trusted Credentials” section within the system settings.

How to Remove a Certificate

1. Navigate to Settings > Security > Encryption & Credentials > Trusted Credentials > User.
2. Locate the certificate you want to get rid of and remove it.
3. Reboot your device.
4. The module will synchronize the stores upon startup, and it will also eliminate the certificate from the system level.

Evolution and Changelog

The module has seen consistent updates, ensuring it stays current with the swift evolution of Google’s Android file system.

• v1.3: Fixed particular mounting issues discovered in Android 14 and later, guaranteeing consistent performance on the newest Pixel devices.
• v1.2 brought automatic update capabilities, enabling the module to refresh itself through the Magisk/KSU manager.
• v1.1: We’ve refined how permissions are managed on devices that don’t use Conscrypt, which means older Android versions are now better supported. Plus, we’ve squashed some bugs that were preventing certificates from being deleted as they should.
• Version 1.0 marked a significant achievement: the introduction of complete support for Mainline/Conscrypt paths (APEX) and KernelSU.

This module is a must-have for anyone working in Android reverse engineering or privacy advocacy. It consolidates certificate stores, effectively giving users back control over their device’s trust anchors.

Download Link

Download Link

Module Info

• Module By
  TheDauntless
• Root Support
  Magisk KernelSU APatch
• Source View on GitHub/Source
• Latest Update 22 November 2025
• Word Counter 773
• Character Counter 6370

Always Trust User Certs is a Module that supports installation on Magisk, KernelSU, APATCH, KSUNext