Our savings account is held with Nationwide, a UK building society. I've had an account with them for a long time, and I'm generally happy with their services. However, about a week ago I ran into an issue with their Android banking app: when I opened the app I got a security error instead of a login page.
Luckily, it only took a phone call to customer services and a trip into town to reset my online account for me to remember that a few weeks back I went through the big list of CAs that Android trusts by default and turned most of them off. (This probably counts as paranoia, as I imagine that government-scale naughty people can get their CA trusted without it being listed.)
The certificate for Nationwide's home page is signed by "SSL Corporation", but enabling them in the list didn't help. A closer look at the certificate suggested adding "Entrust Inc." to the permitted list, and yup, the app is working again.
Thoughts
Nationwide are using different CAs for their web page and their app. I was lucky the two CAs were related enough that I could find the connection; otherwise I would need to either do some kind of search through the installed CAs (turning them on and off until I found a match), or give up on Nationwide and pick a new savings provider.
I didn't look very hard, but I couldn't find anything through Google that looked like it would tell me which CA the Nationwide app trusts. I didn't bother asking Nationwide customer support, I don't imagine that question would be fun for anyone.
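A quicker way to find the trust anchor than toggling CAs one at a time is to pull the chain the server actually sends and read the issuer of its last certificate, since that is the CA the device must have enabled. The shell functions below are an added example, not something from the post or from Nationwide. They assume `openssl` is on the path and that you already know the hostname the app talks to; the app's API host is not given in the post and is passed in as an argument (it can usually be found from the device's DNS queries or a proxy log).

```shell
#!/bin/sh
# Added example: read a PEM certificate chain from stdin, print each certificate's
# subject and issuer, then name the issuer of the last certificate. That issuer is
# the trust anchor (root, or the signer of a cross-signed intermediate) that has to
# be enabled in the device's CA list for the connection to validate.
chain_issuers() {
    buf=""
    n=0
    last_issuer=""
    while IFS= read -r line; do
        buf="$buf$line
"
        case "$line" in
            *"END CERTIFICATE"*)
                n=$((n + 1))
                printf 'cert %d: ' "$n"
                # openssl prints "subject=..." and "issuer=..." on two lines; join them.
                printf '%s' "$buf" | openssl x509 -noout -subject -issuer | tr '\n' ' '
                printf '\n'
                last_issuer=$(printf '%s' "$buf" | openssl x509 -noout -issuer)
                buf=""
                ;;
        esac
    done
    printf 'trust anchor needed: %s\n' "${last_issuer#issuer=}"
}

# Fetch the chain a TLS server sends for the given hostname (what the app sees,
# which can differ from what a desktop browser shows, because browsers build
# their own paths from cached intermediates). Hostname is an assumption supplied
# by the caller; SNI is set so virtual-hosted servers return the right certificate.
site_chain() {
    openssl s_client -connect "$1:443" -servername "$1" -showcerts </dev/null 2>/dev/null \
        | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' \
        | chain_issuers
}
```

Run `site_chain api.example.test` (a hypothetical host) and enable the CA named on the last line. If the server sends a cross-signed intermediate, the issuer printed is the cross-signing root rather than the CA branding on the leaf, which is exactly the "related CA" situation above where the page shows SSL Corporation but the device needed Entrust.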
More broadly, banks (and retail in general) don't seem set up to help customers check that the CA being used is the right one.
Since the Nationwide app only works if the system CA is enabled, it's likely that the app doesn't pin its own certificate or bundle its own trust anchor, and so can probably be spoofed with a proxy and a user-installed CA (or a naughty system CA). (One caveat on the user-installed route: since Android 7.0, apps targeting API level 24 or higher don't trust user-added CAs unless their network security configuration opts in, so that path depends on the app's target level and configuration; a compromised system CA is not affected by this.)