There doesn't seem to be a central Android resource that lists the Trusted Root CAs included in the OS or default browser (related question on SO), so how can I find out which are included on my phone by default?
With the number of root certificates that have been compromised, and the number of fraudulent SSL certs created over the last couple of years, this is an issue for anyone relying on SSL for security, as otherwise you won't know if you want to remove any trusted CAs.
(not listing my manufacturer or OS version as I'm looking for a generic resource or solution that should be applicable to any device)
Answer
On ICS or later you can check this in your settings. Go to Settings->Security->Trusted Credentials to see a list of all your trusted CAs, separated by whether they were included with the system or installed by the user.
Earlier versions of Android keep their certs under /system/etc/security in an encrypted bundle named cacerts.bks, which you can extract using Bouncy Castle and the keytool program. The summary is to first pull the bundle using adb (you need a root shell), then you can use Bouncy Castle to list the contents of the bundle:
shell~$ adb pull /system/etc/security/cacerts.bks
shell~$ keytool -keystore cacerts.bks -storetype BKS -provider org.bouncycastle.jce.provider.BouncyCastleProvider -storepass changeit -v -list
There's also at least one app that you can try if you'd prefer not to use the shell: CACertMan (requires root to modify the list, but should allow you to view the list without root). I believe it came about due to the DigiNotar fiasco since there were no particularly easy ways for a user to revoke the cert at the time. Since the certs are stored differently on ICS and later this app will only work on devices running Gingerbread (or earlier), but it is obsolete on ICS/JB anyway.
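As an added example (not part of the original question or answer), the following Python script parses the verbose output of the keytool listing given in the answer and flags any trusted root whose subject matches a watchlist, using DigiNotar as the case the answer mentions. The keytool output layout it parses and the sample listing it ships with are assumed and constructed, respectively; `list_device_roots` simply wraps the answer's keytool command for a bundle already pulled with adb.

```python
import re
import subprocess

# Watchlist of CA name fragments to flag; DigiNotar is the case named in the
# answer, extend it with any CA your policy distrusts.
WATCHLIST = ("DigiNotar",)

# Constructed sample of `keytool -v -list` output (not a real device dump);
# the per-entry layout assumed here is the classic keytool verbose format.
SAMPLE_OUTPUT = """\
Alias name: diginotar root ca
Entry type: trustedCertEntry
Owner: CN=DigiNotar Root CA, O=DigiNotar, C=NL
Issuer: CN=DigiNotar Root CA, O=DigiNotar, C=NL
Valid from: Sun May 27 00:00:00 UTC 2007 until: Mon Mar 31 00:00:00 UTC 2025

*******************************************

Alias name: example trusted root
Entry type: trustedCertEntry
Owner: CN=Example Trusted Root, O=Example Org, C=US
Issuer: CN=Example Trusted Root, O=Example Org, C=US
Valid from: Tue Jan 01 00:00:00 UTC 2008 until: Fri Jan 01 00:00:00 UTC 2038
"""


def parse_keytool_listing(text):
    """Return one dict (alias, owner DN, expiry) per keystore entry."""
    entries = []
    # keytool separates verbose entries with a line of asterisks
    for block in re.split(r"\n\*{10,}\n", text):
        alias = re.search(r"^Alias name:\s*(.+)$", block, re.M)
        owner = re.search(r"^Owner:\s*(.+)$", block, re.M)
        until = re.search(r"until:\s*(.+)$", block, re.M)
        if alias and owner:
            entries.append({"alias": alias.group(1).strip(), "owner": owner.group(1).strip(),
                            "expires": until.group(1).strip() if until else ""})
    return entries


def flag_watchlisted(entries, watchlist=WATCHLIST):
    """Aliases whose Owner DN contains any watchlist fragment (case-insensitive)."""
    return [e["alias"] for e in entries if any(w.lower() in e["owner"].lower() for w in watchlist)]


def list_device_roots(bks_path="cacerts.bks"):
    """Run the answer's keytool command on a pulled bundle (needs a JDK and Bouncy Castle)."""
    cmd = ["keytool", "-keystore", bks_path, "-storetype", "BKS", "-provider",
           "org.bouncycastle.jce.provider.BouncyCastleProvider", "-storepass", "changeit", "-v", "-list"]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
```

On a real device, feed `list_device_roots()` into `parse_keytool_listing` instead of the constructed sample; any alias returned by `flag_watchlisted` is a candidate for removal.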