I was kind of believing that most apps would use certificate pinning anyway, so I was kinda surprised manipulating the system store is actually workable.
Though if modifying the system store is indeed officially "unsupported" my guess is it's only a matter of time before CT is enforced by the standard Android TLS API and will apply to apps as well.
In which case I guess the next step would be... Add a fake CT log in addition to the fake root CA?
But anyway, stuff like this confirms my impression that Android sides with app developers more than it sides with users when it comes to analysing traffic of your own devices.
Certificate pinning is a big problem for corporate environments: large companies install CA certificates in their endpoints to allow centralized traffic inspection. Apps that enforce certificate pinning cannot operate properly in these networks.
It can be a desired function sometimes (e.g., a bank that wants to protect its customers) but in most situations it comes back at their face (i.e., bank customer wants to manage his bank account from his work office).
About your conclusion, I fully agree with you. It is not about protecting users but about protecting Google. Let's not ignore the other fact that Chrome started hiding some requests from its Network panel (e.g., CORS) for "our own good", which makes network-layer inspection even more necessary.
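The interaction the comment above describes (an installed corporate root makes the inspection proxy's certificate pass ordinary chain validation, while an app's public-key pin still rejects it) can be reproduced end to end with only Go's standard library. The program below is an added example, not code from either commenter; the host name bank.example, the CA names and all keys are constructed in memory for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// must panics on a generation error; every key and certificate here is constructed in memory.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
func newKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }

// sign has priv (the parent's key) sign tmpl over pub and returns the parsed certificate.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, priv *ecdsa.PrivateKey) *x509.Certificate {
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv))
	return must(x509.ParseCertificate(der))
}

// makeCA builds a self-signed root: the hypothetical public CA or the hypothetical corporate one.
func makeCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := newKey()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	return sign(tmpl, tmpl, &key.PublicKey, key), key
}

// issueLeaf has ca sign a server certificate for host over the public key pub.
func issueLeaf(host string, ca *x509.Certificate, caKey *ecdsa.PrivateKey, pub *ecdsa.PublicKey) *x509.Certificate {
	return sign(&x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, ca, pub, caKey)
}

// SPKIPin returns base64(SHA-256(SubjectPublicKeyInfo)), the pin format used by HPKP,
// by Android's network_security_config <pin digest="SHA-256"> and by OkHttp's CertificatePinner.
func SPKIPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// ChainOK is the ordinary TLS check: does leaf chain to a root in the device store for host?
func ChainOK(leaf *x509.Certificate, roots *x509.CertPool, host string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}

// PinOK is the extra check a pinning app runs after chain validation has succeeded.
func PinOK(leaf *x509.Certificate, pins []string) bool {
	got := SPKIPin(leaf)
	for _, p := range pins {
		if p == got {
			return true
		}
	}
	return false
}
type Outcome struct{ LegitChainOK, LegitPinOK, CorpChainOK, CorpPinOK bool }

// Scenario models an endpoint whose store holds the public root plus a corporate root pushed by IT.
func Scenario() Outcome {
	const host = "bank.example" // hypothetical host
	publicCA, publicKey := makeCA("Public Root CA (constructed)")
	corpCA, corpKey := makeCA("Corp Inspection CA (constructed)")
	legit := issueLeaf(host, publicCA, publicKey, &newKey().PublicKey) // the bank's real key
	corp := issueLeaf(host, corpCA, corpKey, &newKey().PublicKey)      // the proxy's own key
	roots := x509.NewCertPool()
	roots.AddCert(publicCA)
	roots.AddCert(corpCA)
	pins := []string{SPKIPin(legit)} // the app ships the pin of the bank's real key
	return Outcome{
		LegitChainOK: ChainOK(legit, roots, host), LegitPinOK: PinOK(legit, pins),
		CorpChainOK:  ChainOK(corp, roots, host), CorpPinOK: PinOK(corp, pins),
	}
}

func main() { fmt.Printf("%+v\n", Scenario()) }
```

The result is the pattern the comment complains about: the proxy-minted certificate passes ChainOK because its issuer is in the store, but fails PinOK because the proxy never holds the bank's private key and so cannot present the pinned SubjectPublicKeyInfo. That failure is the app refusing to connect on the corporate network; an operator who wants inspection to keep working has no option short of the app vendor shipping a pin for the inspection key, which is precisely what pinning is designed to prevent.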