Show HN: A new open-source browser with Android TEE based enforcement for agents

https://github.com/wootzapp/wootz-browser/pull/373
1•sandGorgon•4mo ago
So we contributed our Android TEE based browser enforcement to the community.

The PR is here: https://github.com/wootzapp/wootz-browser/pull/373.

I’ve been deep in the weeds on our browser, and we just merged something that felt worth sharing with this community.

We got Android’s hardware keystore (TEE / StrongBox) working end-to-end so that client certificates are truly non-exportable. The device generates the key inside the secure enclave, we enroll it, issue a device identity cert, and from then on the browser can only present that cert for mTLS handshakes. No chance of stealing or exporting the private key.

The idea is simple: if you want to enforce zero-trust access at the browser level, you need strong device identity. Passwords and tokens leak, but hardware-backed certs with attestation give you a much higher bar. We had to solve for Android quirks, avoid the trap of server-supplied keys, and make sure auto-selection doesn’t leak certs to the wrong sites.

It’s live in our Wootz.app browser
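
The key-generation step the post describes, sketched with the standard Android Keystore API as an added example; it is not part of the original post or the Wootz code. The alias, the EC P-256 choice, and the server-issued `challenge` nonce are assumptions, and it needs API 28+ for the StrongBox call.

```kotlin
import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyInfo
import android.security.keystore.KeyProperties
import android.security.keystore.StrongBoxUnavailableException
import java.security.KeyFactory
import java.security.KeyPairGenerator
import java.security.KeyStore
import java.security.cert.Certificate
import java.security.spec.ECGenParameterSpec

// Hypothetical alias; the project's real alias is not shown on the page.
const val DEVICE_KEY_ALIAS = "example-device-identity"

/**
 * Generates an EC P-256 key pair on the device inside the Android Keystore and
 * returns the attestation certificate chain to send for enrollment.
 * The private key is never returned or exported; only the chain leaves the device.
 * `challenge` is assumed to be a fresh server nonce, so an attestation
 * captured earlier cannot be replayed.
 */
fun generateDeviceKey(challenge: ByteArray): Array<Certificate> {
    fun spec(strongBox: Boolean) =
        KeyGenParameterSpec.Builder(DEVICE_KEY_ALIAS, KeyProperties.PURPOSE_SIGN)
            .setAlgorithmParameterSpec(ECGenParameterSpec("secp256r1"))
            .setDigests(KeyProperties.DIGEST_SHA256)
            .setAttestationChallenge(challenge)
            .setIsStrongBoxBacked(strongBox)
            .build()

    val kpg = KeyPairGenerator.getInstance(KeyProperties.KEY_ALGORITHM_EC, "AndroidKeyStore")
    try {
        kpg.initialize(spec(strongBox = true))
        kpg.generateKeyPair()
    } catch (e: StrongBoxUnavailableException) {
        // No StrongBox chip on this device: fall back to the TEE-backed keystore.
        kpg.initialize(spec(strongBox = false))
        kpg.generateKeyPair()
    }

    val ks = KeyStore.getInstance("AndroidKeyStore").apply { load(null) }
    val key = ks.getKey(DEVICE_KEY_ALIAS, null)
    val info = KeyFactory.getInstance(key.algorithm, "AndroidKeyStore")
        .getKeySpec(key, KeyInfo::class.java)
    // Refuse software-only keys. isInsideSecureHardware is deprecated from
    // API 31 in favour of KeyInfo.securityLevel.
    check(info.isInsideSecureHardware) { "key is not hardware-backed" }
    return ks.getCertificateChain(DEVICE_KEY_ALIAS)
}
```

The enrollment server should validate the returned chain up to a Google attestation root and compare the embedded challenge before issuing the device identity certificate.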