All SSL connections rely on a chain of trust. This chain of trust, part of public key infrastructure (PKI), is established by certificate authorities (CAs), which serve as trust anchors to verify who a device thinks it is talking to. However, there are literally hundreds of CAs installed by default on your smartphone, and the inclusion of some of them is cause for concern. In this report we do a deep dive from the perspective of Android, with comparisons drawn to iOS, to examine the CAs that come preloaded on these devices and the details about them.
More here: https://bluebox.com/blog/technical/questioning-the-chain-of-trust-investigations-into-the-root-certificates-on-mobile-devices/