Removing Trusted Certificates from Android
In light of all the discussions about maintaining a secure posture on trusted certificates, we often forget about the little guys. In this case, I'm talking about our mobile devices. We tend to forget that these devices are just as vulnerable as our desktops and laptops, and a compromised or untrustworthy CA in their trust store is just as dangerous there. Unfortunately, it's not always easy to manage the certificates on these devices. But if you own an Android device and would like a little more control over what your device trusts, here's how you can do it.
Remove a CA Cert from Android System
The bouncycastle library is required; you can grab it here:
You'll also need the Android SDK in order to use ADB. It can be found here if you don't already have it:
- Move the jar into the %JAVA_HOME%\lib\ext folder. It's most likely in a place like this:
(DigiNotar CA in our case). You'll want to note the entry's alias name (a number in this keystore); you'll use it to identify the certificate when removing it with keytool.exe:
You’ll probably want to repeat this process for the Comodo certificates as well if you’re really security minded (of course you are).
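As an added example (not the post's own commands): a small POSIX shell helper that finds the alias number of a CA in a pulled cacerts.bks by parsing `keytool -list -v` output, then prints the keytool and adb commands that delete it and push the store back. The device path of the store, the BouncyCastle provider class name, keytool's `-providerclass` flag and the `changeit` store password are assumed conventional values rather than values from the post, and the listing it runs on is constructed.

```shell
#!/bin/sh
# Added example, not code from the original post. Finds the alias number(s) of
# a CA in a pulled cacerts.bks by parsing `keytool -list -v` output and prints
# the keytool/adb commands that remove it. Assumed (not stated on the page):
# the device path of the store, the BouncyCastle provider class, keytool's
# -providerclass flag and the "changeit" password that store conventionally uses.
# Runs under Git Bash/Cygwin on Windows too (keytool.exe/adb.exe on PATH).

DEVICE_STORE="/system/etc/security/cacerts.bks"   # assumed device path
KEYSTORE="cacerts.bks"                            # local copy after adb pull
BC_PROVIDER="org.bouncycastle.jce.provider.BouncyCastleProvider"
STOREPASS="changeit"                              # assumed default password

# keytool invocation that lists the BKS store via the BouncyCastle provider
# (the jar must already sit in %JAVA_HOME%\lib\ext, as the post describes).
list_cmd() {
    printf 'keytool -list -v -keystore %s -storetype BKS -providerclass %s -storepass %s\n' \
        "$KEYSTORE" "$BC_PROVIDER" "$STOREPASS"
}

# Read `keytool -list -v` output on stdin and print the alias of every entry
# whose Owner (subject DN) line matches the pattern, case-insensitively.
# In -v output the "Alias name:" line always precedes that entry's "Owner:".
find_aliases() {
    awk -v pat="$1" '
        /^Alias name:/ { sub(/^Alias name:[ \t]*/, ""); alias = $0 }
        /^Owner:/ && tolower($0) ~ tolower(pat) { print alias }
    '
}

# Commands that delete one alias locally and push the modified store back.
remove_cmds() {
    printf 'keytool -delete -alias %s -keystore %s -storetype BKS -providerclass %s -storepass %s\n' \
        "$1" "$KEYSTORE" "$BC_PROVIDER" "$STOREPASS"
    printf 'adb remount\nadb push %s %s\n' "$KEYSTORE" "$DEVICE_STORE"
}

# Constructed sample of `keytool -list -v` output (not a real device dump).
SAMPLE_LISTING='Alias name: 1
Owner: CN=Example Root CA, O=Example Org, C=US
Issuer: CN=Example Root CA, O=Example Org, C=US

Alias name: 2
Owner: CN=DigiNotar Root CA, O=DigiNotar, C=NL
Issuer: CN=DigiNotar Root CA, O=DigiNotar, C=NL'

# Demo on the sample; on a real pull, run "$(list_cmd)" and pipe its output in.
for a in $(printf '%s\n' "$SAMPLE_LISTING" | find_aliases 'O=DigiNotar'); do
    remove_cmds "$a"
done
```

The same pattern argument works for the Comodo entries the post mentions; pass a substring of their Owner DN instead of `O=DigiNotar`.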
If you have root access and don't feel like going through ADB and the whole SDK installation, the GuardianProject has created an Android app (CACertMan) that aims to do the above for you and let you manage your certs yourself. You can check it out here. It is still in beta and isn't 100% compatible yet, hence the manual instructions above.