What happens if one of the system CA certificates expires (GlobalSign Root CA - R2 is going to expire in 2021) on Android? How can I update to the latest root CAs on my Android phone (a user build that never receives any OTA) if one has expired?
You can use Google Play Services to update the device's root CAs and other security-relevant issues.
https://developers.google.com/android/reference/com/google/android/gms/security/ProviderInstaller
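try {
    // Ask Google Play services to install or update the security provider if needed.
    ProviderInstaller.installIfNeeded(this);
} catch (GooglePlayServicesRepairableException e) {
    // Play services is present but outdated or disabled: prompt the user to fix it.
    GoogleApiAvailability.getInstance().showErrorNotification(this, e.getConnectionStatusCode());
} catch (GooglePlayServicesNotAvailableException e) {
    // Play services is not available on this device, so the provider cannot be updated.
}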
The required class should be provided with the GooglePlayServices-Base artifact:
dependencies {
    implementation 'com.google.android.gms:play-services-base:17.1.0'
}
See this article for more details.
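To see which roots in the device's trust store have already expired or will expire soon, an app can enumerate the store itself. The following is an added example, not part of the original answer: the class `TrustStoreAudit` and its method names are hypothetical, and it assumes the `AndroidCAStore` keystore type that Android exposes for system and user-added roots.

```java
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Date;
import java.util.Enumeration;
import java.util.List;
import java.util.concurrent.TimeUnit;

// Hypothetical helper (not from the original answer): lists trusted roots
// that are already expired or that expire within the given number of days.
public final class TrustStoreAudit {

    public static List<String> expiringRoots(KeyStore store, Date now, int days)
            throws java.security.KeyStoreException {
        Date cutoff = new Date(now.getTime() + TimeUnit.DAYS.toMillis(days));
        List<String> findings = new ArrayList<>();
        Enumeration<String> aliases = store.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            Certificate cert = store.getCertificate(alias);
            if (!(cert instanceof X509Certificate)) {
                continue; // skip entries that are not X.509 certificates
            }
            X509Certificate x509 = (X509Certificate) cert;
            Date notAfter = x509.getNotAfter();
            if (notAfter.before(cutoff)) {
                String state = notAfter.before(now) ? "EXPIRED" : "EXPIRING";
                findings.add(state + " " + notAfter + " " + alias + " "
                        + x509.getSubjectX500Principal().getName());
            }
        }
        return findings;
    }

    // Assumption: runs on Android, where "AndroidCAStore" holds the trusted
    // roots and aliases start with "system:" or "user:".
    public static List<String> auditDevice(int days) throws Exception {
        KeyStore store = KeyStore.getInstance("AndroidCAStore");
        store.load(null, null);
        return expiringRoots(store, new Date(), days);
    }
}
```

Calling `TrustStoreAudit.auditDevice(365)` from an app returns one line per root that is expired or expires within a year, which shows whether a given device still carries a root such as the one named in the question.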