It stops people who have root certificates installed on their phone (e.g. the Facebook research app from a couple weeks ago) from being able to monitor traffic.
But it also allows that very same app to smuggle all kinds of tracking data to Facebook without the developers having to worry that anyone would catch it doing so.
Also, we already have several systems to manage app access to things that could potentially be misused. Why not manage user certificates the same way?
E.g., pop up a consent prompt before letting an app install anything - or, if that is too annoying, don't give apps access to the functionality at all and exclusively manage certificates via the system UI.
> It stops people who have root certificates installed on their phone... [emphasis mine]
Indeed. That's my point. I'd consider this a bug, not a feature.