Why does Stoat for Android bundle CA certificates?

Stoat for Android comes with a set of bundled CA (Certificate Authority) certificates.

This is mostly because Cloudflare, one of the major CDN providers used by Stoat, issues CA certificates which are not included in Android’s system CA store. By bundling our own CA certificates, we ensure that Stoat for Android can always connect to Stoat’s servers, regardless of the contents of the system CA store.

This should not have security implications, as the bundled CA certificates are only trusted when connecting to the domain stoatusercontent.com and subdomains thereof. For all other connections, Stoat uses the system CA store provided by Android.
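
One way to express this kind of per-domain scoping on Android is a Network Security Configuration. The file below is an added example, not Stoat's own configuration: that Stoat uses this mechanism is an assumption, and the resource name `@raw/stoat_bundled_cas` is hypothetical.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml, referenced from AndroidManifest.xml via
     android:networkSecurityConfig="@xml/network_security_config" on <application>. -->
<network-security-config>

    <!-- Default for every domain not matched below: Android's system CA store only. -->
    <base-config>
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>

    <!-- Bundled CAs are trust anchors only for stoatusercontent.com and its subdomains. -->
    <domain-config>
        <domain includeSubdomains="true">stoatusercontent.com</domain>
        <trust-anchors>
            <!-- Hypothetical resource: res/raw/stoat_bundled_cas (PEM or DER). -->
            <certificates src="@raw/stoat_bundled_cas" />
            <!-- Assumption: system CAs stay trusted for this domain as well. -->
            <certificates src="system" />
        </trust-anchors>
    </domain-config>

    <!-- Weak variant to avoid: listing the bundled file under base-config,
         <base-config><trust-anchors><certificates src="@raw/stoat_bundled_cas" /> ...
         would let those CAs vouch for any hostname the app connects to. -->
</network-security-config>
```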

The bundled CA certificates are the following:

Google rejects those certificates from their system CA store for unclear reasons. As a result, if we were to use the system CA store, Stoat for Android would not be able to connect to Stoat’s content delivery network (CDN) at all, leaving the app bare, as it would not be able to load any images or other media.