+1 for an implementation of certificate pinning.
I definitely agree that importing your own CA into Android would be the ideal solution, that is in fact what I’ve done for myself, but that just isn’t feasible for the average user.
First of all, going through the procedure of importing the certificate is not something that I can explain to my average family member; so I’ll have to do it for them.
This isn’t your fault but an Android implementation clusterfuck, but I can’t explain to them that because of “this new calendar thingy” they suddenly can’t use their pattern unlock anymore but have to use a PIN code instead.
Also an implementation clusterfuck, as if Google is receiving a fat pile of money from the large certificate authorities to make it as unattractive as possible to import custom ones, importing a custom CA causes an “An unknown party is capable of monitoring your internet connection” warning to be displayed at startup and added to the notification area permanently. Can’t explain that one either.
These things make davdroid unsuitable for anyone but power users, while I’d love to be able to recommend it to all of my friends and family.
And, as someone has said earlier, depending on your paranoia level a certificate pinning system might be even more secure than importing your CA: if you do the latter, any of Android’s 100 trusted CAs that you’ve never even heard of can still generate a valid certificate for your domain which would probably go completely unnoticed; while pinning would alert you about it/prevent it.
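The last paragraph makes the point that a pin check catches what chain validation alone cannot: a certificate for your hostname issued by some other trusted CA. The following is an added example (not code from the comment author or from DAVdroid) that shows the mechanism in Python: it walks a DER certificate down to its SubjectPublicKeyInfo, derives the `sha256/<base64>` pin that HPKP and OkHttp use, and compares it against a pinned set. The certificates, issuer names, hostname and key bytes are all constructed here for illustration (the "keys" are arbitrary bytes and the signatures are dummies), since the point is the pin comparison, not signature verification.

```python
import base64
import hashlib

# --- Minimal DER encode/decode helpers (enough for this walk) ------------

def der_len(n: int) -> bytes:
    """Encode a DER length in short or long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der(tag: int, body: bytes) -> bytes:
    """Wrap body in a tag-length-value element."""
    return bytes([tag]) + der_len(len(body)) + body

def der_read(buf: bytes, pos: int):
    """Read the TLV at pos; return (tag, value, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, pos = first, pos + 2
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        pos += 2 + n
    return tag, buf[pos:pos + length], pos + length

RSA_ENC = b"\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01"     # OID 1.2.840.113549.1.1.1 (rsaEncryption)
SHA256_RSA = b"\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B"  # OID 1.2.840.113549.1.1.11 (sha256WithRSA)

def build_spki(public_key: bytes) -> bytes:
    """SubjectPublicKeyInfo ::= SEQUENCE { algorithm, subjectPublicKey BIT STRING }."""
    alg = der(0x30, der(0x06, RSA_ENC) + der(0x05, b""))
    return der(0x30, alg + der(0x03, b"\x00" + public_key))

def make_cert(issuer: str, subject: str, public_key: bytes, serial: int = 1) -> bytes:
    """Constructed, minimal DER certificate. Only the SPKI matters for pinning;
    the other fields are dummies and the signature is not a real one."""
    def name(cn):  # Name ::= SEQUENCE OF RDN; RDN ::= SET OF { commonName OID, UTF8String }
        return der(0x30, der(0x31, der(0x30, der(0x06, b"\x55\x04\x03") + der(0x0C, cn.encode()))))
    tbs = der(0x30,
              der(0xA0, der(0x02, b"\x02"))                    # [0] version v3
              + der(0x02, bytes([serial]))                      # serialNumber
              + der(0x30, der(0x06, SHA256_RSA))                # signature algorithm
              + name(issuer)
              + der(0x30, der(0x17, b"240101000000Z") + der(0x17, b"250101000000Z"))
              + name(subject)
              + build_spki(public_key))
    return der(0x30, tbs + der(0x30, der(0x06, SHA256_RSA)) + der(0x03, b"\x00" * 33))

def extract_spki(cert_der: bytes) -> bytes:
    """Walk Certificate -> TBSCertificate and return the SPKI element as raw DER."""
    tag, cert_body, _ = der_read(cert_der, 0)
    assert tag == 0x30, "Certificate is not a SEQUENCE"
    tag, tbs, _ = der_read(cert_body, 0)
    assert tag == 0x30, "TBSCertificate is not a SEQUENCE"
    pos = 0
    tag, _, after = der_read(tbs, pos)
    if tag == 0xA0:                 # optional explicit [0] version
        pos = after
    for _ in range(5):              # serialNumber, signature, issuer, validity, subject
        _, _, pos = der_read(tbs, pos)
    tag, _, end = der_read(tbs, pos)
    assert tag == 0x30, "subjectPublicKeyInfo is not a SEQUENCE"
    return tbs[pos:end]

def spki_pin(cert_der: bytes) -> str:
    """'sha256/<base64>' pin over the SPKI, the form HPKP and OkHttp use."""
    digest = hashlib.sha256(extract_spki(cert_der)).digest()
    return "sha256/" + base64.b64encode(digest).decode()

def pin_matches(cert_der: bytes, pinned: set) -> bool:
    """Extra check, run only after ordinary chain validation has already passed."""
    return spki_pin(cert_der) in pinned

# Constructed sample keys: arbitrary bytes, not real RSA keys.
KEY_OWN = bytes(range(64))
KEY_OTHER = bytes(range(64, 128))

if __name__ == "__main__":
    legit = make_cert("My Private CA", "calendar.example.org", KEY_OWN)
    renewed = make_cert("My Private CA", "calendar.example.org", KEY_OWN, serial=2)
    rogue = make_cert("Some Other Trusted CA", "calendar.example.org", KEY_OTHER)
    pins = {spki_pin(legit)}
    print("pinned:", pins)
    print("own cert      ->", pin_matches(legit, pins))    # True
    print("renewed cert  ->", pin_matches(renewed, pins))  # True, same key
    print("other-CA cert ->", pin_matches(rogue, pins))    # False, caught by the pin
```

Pinning the SPKI hash rather than the whole leaf certificate means a renewal that keeps the same key still passes, while a certificate for the same hostname from any other issuer fails even though a trust store would accept it. The operational caveat is the flip side of that strictness: whoever runs the server has to publish a backup pin before rotating the key, or every pinning client locks itself out.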