From the current fallout around DigiNotar (in short, a Root Certificate Authority that has been hacked, fake HTTPS certificates issued, MITM attacks very likely), there are some parts concerning Android (see yesterday's interim report in PDF):
- fraudulent certificates for *.android.com have been generated (which would include market.android.com)
- there may be other such fraudulent certificates signed by this CA in the wild (currently nobody knows for sure, one way or the other)
- this could happen to another CA in the future (Comodo had a similar problem a few months ago)
So, how do I remove a CA I no longer trust from my Android phone? (I have root and CM6 on my specific phone, if that's relevant)
Answer
Lookout Mobile has blogged about this due to the DigiNotar events, and provided some pretty good (read: lengthy) instructions which you can find here.
The gist of it is that you need to pull /system/etc/security/cacerts.bks and then remove the CAs from the store, then push the store back to the device and reboot. Their instructions require that you have Bouncy Castle (for decrypting the store), root access, and a working adb connection. I'm not sure if this applies to all versions of Android or not, but my guess would be that the location of the CA store hasn't changed in quite some time (if ever).
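The procedure above, written out as a shell script. This is an added example, not code from the answer or from Lookout's post: it assumes a rooted device reachable over adb, a JDK `keytool`, the Bouncy Castle provider jar (path taken from `BCPROV`, default `./bcprov.jar`), the store password `changeit`, and that the distrusted entries can be found by matching a substring such as `diginotar` against the alias lines of `keytool -list`. The `-provider`/`-providerpath` spellings are the pre-JDK 9 ones (JDK 9 and later call the first `-providerclass`). The sample `keytool -list` output is constructed for the offline check and its alias names are made up. The single-file BKS store at this path is the Android 2.x layout that CM6 uses; Android 4.0 and later keep system CAs as individual files under /system/etc/security/cacerts/ instead.

```shell
#!/bin/sh
# Added example (not the answer's or Lookout's code): remove a distrusted CA
# from Android's system trust store on a rooted device via adb + keytool with
# the Bouncy Castle provider. Paths, alias names and the store password are
# assumptions; check them against your own device and JDK.

STORE=cacerts.bks
DEVICE_STORE=/system/etc/security/cacerts.bks
STOREPASS=changeit                 # assumed password of the Android store
BCPROV=${BCPROV:-./bcprov.jar}     # assumed path to the Bouncy Castle jar

# keytool wrapper for the BKS store. -provider/-providerpath are the
# pre-JDK 9 option names (JDK 9+ renamed -provider to -providerclass).
kt() {
    keytool "$@" -keystore "$STORE" -storetype BKS -storepass "$STOREPASS" \
        -provider org.bouncycastle.jce.provider.BouncyCastleProvider \
        -providerpath "$BCPROV"
}

# Print the alias of every trusted-certificate entry whose `keytool -list`
# line contains the pattern (case-insensitive). Reads keytool output on stdin.
aliases_matching() {
    pat=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    awk -F', ' -v pat="$pat" \
        '/trustedCertEntry/ && tolower($0) ~ pat { print $1 }'
}

# Constructed sample of `keytool -list` output (aliases and fingerprints are
# made up), used by the offline check of aliases_matching.
SAMPLE_KEYTOOL_LIST='diginotarrootca, Jun 9, 2010, trustedCertEntry,
Certificate fingerprint (MD5): 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF
verisignclass3ca, Jun 9, 2010, trustedCertEntry,
Certificate fingerprint (MD5): 10:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF
diginotar_pkioverheid, Jun 9, 2010, trustedCertEntry,
Certificate fingerprint (MD5): 20:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF'

# Full procedure: pull the store, delete every matching alias, verify that
# none remain, push the store back and reboot.
remove_ca() {
    pattern=$1
    adb pull "$DEVICE_STORE" "$STORE"
    cp "$STORE" "$STORE.bak"                    # keep a backup before editing
    for alias in $(kt -list | aliases_matching "$pattern"); do
        echo "deleting $alias"
        kt -delete -alias "$alias"
    done
    if kt -list | aliases_matching "$pattern" | grep -q .; then
        echo "entries matching '$pattern' still present, not pushing" >&2
        return 1
    fi
    adb remount                                 # or: adb shell mount -o remount,rw /system
    adb push "$STORE" "$DEVICE_STORE"
    adb shell chmod 644 "$DEVICE_STORE"
    adb reboot
}

# Usage: sh remove_ca.sh run diginotar
case "${1:-}" in
    run) remove_ca "$2" ;;
esac
```

After the reboot, confirm the removal with `kt -list` on a freshly pulled copy of the store and by visiting a site whose chain ends at the removed root, which should now fail with a trust error.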