What’s the Deal with Android’s Persistent “Network May Be Monitored” Warning?

The release of Android 4.4 KitKat brought a wide array of improvements included enhanced security. While the security might be tighter, the messages can still be a bit cryptic. What exactly does the persistent “Network May Be Monitored” warning mean, should you be concerned, and what can you do to get rid of it?

Dear How-To Geek,

I recently bought a new Android phone, and there’s been this new warning message that’s kind of freaking me out a little bit. It never popped up on my old Android phone and now it pops up every few days or whenever I restart the phone. The message that flashes in the status bar and then appears in the notification menu is, “Network May Be Monitored,” and then if I click on the warning shortcut in the notification menu it takes me to a system menu labeled, “Trusted credentials,” with two tabs. One is labeled “system” and one is labeled “user.” There are tons of items listed in the “system” tab and only one in the “user” tab. What’s weird is the one item listed in the user tab looks like a router name “netgear.”

I have no idea what any of this stuff is or why Android is telling me that my network may be monitored. Should I be as freaked out by this message as I am, and what can I do to make it go away? I’ve attached some screenshots in case I’ve done a poor job describing the problem.

Sincerely,

Paranoid Android

This kind of situation is exactly why we weren’t particularly fond of the implementation of credential handling in Android 4.4. Google’s heart was in the right place, but the way the update handled it (and warned the user) is inelegant at best and unsettling (to the uninitiated end user) at worst. Let’s take a look at what the warning message even is and what you can do about it.

The Source of the Warning

First, let’s explain why you’re getting this error message since Android gives next to zero useful feedback in this regard. Your phone maintains a list of trusted and user supplied security certificates. That long list of entries under “system” you found in the “Trusted credentials” menu is essentially just a big old white list of approved security certificate issuers that Google pre-seeded your Android phone with. Essentially your phone says “Oh, okay, these people are trustworthy, so we can trust security certificates issued by them.”

When a security certificate is added to your phone (either manually by you, maliciously by another user, or automatically by some service or site you’re using) and it is not issued by one of these pre-approved issuers, then Android’s security feature springs into action with the warning “Networks May Be Monitored.” Technically, that’s an accurate warning: if a malicious/compromised security certificate is installed on your device it is possible that traffic from your device can be monitored under certain circumstances. It’s also possible for a company or hotspot provider to use self-issued certificates on their own hardware for this purpose (although, typically, their motives are more benign).

Unfortunately the issued warning is needlessly scary and it’s unclear: if you don’t know what the deal with trusted credentials and security certificates is then the warning might as well be in binary.

A certificate doesn’t even have to be genuinely malicious to trigger the warnings, however, it just has to be issued/signed by an authority that isn’t listed in the trusted “system” list. This means if you signed your own certificate for some use (like setting up a secure connection to your home server) then Android will complain about it. It also means that if your company self-signs their certificates for in-house use and doesn’t pay for an officially signed certificate, you’ll also get a warning.

Finally, and we’re pretty sure this exactly what happened in your case, if you connect to a secure Wi-Fi network that is using a security certificate from an issuer that isn’t on the trusted list in your phone, you’ll get the error. Technically, as we mentioned above, the company could be using the self-signed certificate for malicious purposes but practically most of the time you run into this issue it will be cause 1) the company doesn’t want to pay the fees for a public certificate they use for private purposes and 2) they want total control over the certificate creation and signing process.

If you want to read more about the technical side of the warning (as well as how upset the new system for handling certificates has made more than a few people) you can check out these Android bug report threads [1, 2] and these two blog posts at GeekTaco [1, 2] discussing the issue in depth.

Should You Be Worried?

The warning is worded very seriously, and we hardly blame you for being a little freaked out. But should you actually be worried? In the vast majority of cases users seeing this error are not seeing it because someone has installed a malicious certificate on their machine, and they’re now in danger. The most typical reason is the one we outlined above: companies using self-signed certificates that aren’t listed in the system’s directory of trusted certificates because they were never issued by an authorized issuer.

Given the probability of someone using a malicious certificate against you being low and the probability of the certificate causing the warning to be a non-malicious certificate that just wasn’t created by a publicly verified certificate authority, you don’t need to panic.

That said, there’s no reason to keep unknown certificates around and no reason to endure warnings that don’t apply to your situation. Let’s look at what you can do in both scenarios.

What Can You Do?

The super majority of certificates from legitimate sources should be properly signed and verified. In the rare instances that you have an unsigned by valid certificate (e.g. you created it yourself or your company is using it for internal networks) you would either be aware of the origin of the certificate because you had a hand in making it or a conversation with the IT folks should clear things up.

So unless you’re using Android in a corporate environment (wherein you should check with your IT guys to see what the deal is with the certificate because it might be one they created) or you created the certificate yourself, the easiest solution is just to press and hold on any unknown certificates found in the “user” category of the “trusted certificates” category and delete them (the removal button is located at the bottom of the information pane). The less unidentified loose ends (especially in your certificates list) the better.

If you have a legitimate certificate that is throwing up the error because it’s in the “user” list instead of the “system” list, you can (at your own discretion and risk) manually move the certificate from the user list/directory to the system list/directory. This is not a task to be undertaken lightly so if you are not completely confident that the certificate in the “user” list is safe because either 1) you created it or 2) the IT staff at your company verified that it’s one of their certificates, you should not attempt a move.

If you are confident in the security and origin of the certificate, engineer and Android enthusiast Sam Hobbs has a clearly written instruction guide for manually moving your certificates and another programmer and enthusiast Felix Ableitner has an open-source application that performs the same task without the command line work. Again, unless you have a pressing (and well understood) need to the certificate, we recommend against it.


Have a pressing tech question? Shoot us an email at ask@howtogeek.com and we’ll do our best to answer it.

Jason Fitzpatrick is a warranty-voiding DIYer who spends his days cracking opening cases and wrestling with code so you don't have to. If it can be modded, optimized, repurposed, or torn apart for fun he's interested (and probably already at the workbench taking it apart). You can follow him on if you'd like.