How to delete security certificates


Removing Trusted Certificates from Android

In light of all the discussions about maintaining a secure posture on trusted certificates, we oftentimes forget about the little guys. In this case, I’m talking about our mobile devices. We tend to forget that these devices are just as vulnerable as our desktops and laptops. Unfortunately, it’s not always easy to manage the certificates on these devices. But if you own an Android device and would like to take a little more control over what your device is trusting, here’s how you can do it.

Remove a CA Cert from Android System

The Bouncy Castle library is required; you can grab it here:

You’ll need the Android SDK as well in order to use ADB. It can be found here if you don’t already have it:

  1. Move the jar into the %JAVA_HOME%\lib\ext folder. It’s most likely in a place like this:
  2. Connect your USB cable to your phone and verify with adb that it is seen as attached. [%android-sdk% is the location of the Android SDK installed on your system]
  3. You’ll need to grab the cacerts.bks file from your phone using adb:
  4. Now let’s extract the cacerts.bks to a human-readable format (there are other ways of reading BKS files, but this is an easy route):
  5. Open the newly created calist.txt file and search for the desired CA cert (DigiNotar CA in our case). You’ll want to identify the alias name number. You’ll use this to identify the certificate so that you can remove it with keytool.exe:

     For example:

     You’ll probably want to repeat this process for the Comodo certificates as well if you’re really security minded (of course you are).

  6. Once you’ve removed the certificate you can push the cacerts.bks back to your phone for usage:
  7. The final step will require you to reboot your phone so that Android can reload the cacerts.bks.
  8. Enjoy!

If you have root access and don’t feel like going through ADB and all the SDK installation, the GuardianProject has created an Android app (CACertMan) that does the above for you and lets you manage your certs yourself. You can check it out here. It is still in beta and isn’t 100% compatible yet, hence the manual instructions above.
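The pull, list, delete and push sequence above as one script, added here as an example rather than the post's own commands: a POSIX shell version (the post uses keytool.exe on Windows, but adb and keytool take the same arguments) that pulls cacerts.bks, finds the alias numbers whose Owner line names the CA, deletes them with keytool, and pushes the store back. Assumed, not from the post: the Bouncy Castle provider class name, the store password "changeit", the /system/etc/security/cacerts.bks path, and `adb remount` on a root-enabled device.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes adb and keytool on PATH and the
# Bouncy Castle jar visible to keytool (lib/ext, as above). Password/path are assumed.
set -eu

STORE_PASS="${STORE_PASS:-changeit}"             # assumed default on old Android builds
BKS_PROVIDER="org.bouncycastle.jce.provider.BouncyCastleProvider"
DEVICE_PATH="/system/etc/security/cacerts.bks"   # assumed pre-4.0 location

# Dump a BKS store in the human-readable form the post's calist.txt uses.
list_store() {  # list_store <cacerts.bks>
    keytool -list -v -keystore "$1" -storetype BKS \
        -providerclass "$BKS_PROVIDER" -storepass "$STORE_PASS"
}

# Read keytool -list -v output on stdin; print the alias of every entry whose
# Owner (subject) line contains the given substring, e.g. "DigiNotar".
aliases_for_owner() {  # aliases_for_owner <owner substring>
    awk -v pat="$1" '
        /^Alias name:/ { sub(/^Alias name: */, ""); alias = $0 }
        /^Owner:/ && index($0, pat) { print alias }
    '
}

# Delete every matching CA from a local copy of the store (one keytool -delete per alias).
remove_ca() {  # remove_ca <cacerts.bks> <owner substring>
    for a in $(list_store "$1" | aliases_for_owner "$2"); do
        keytool -delete -alias "$a" -keystore "$1" -storetype BKS \
            -providerclass "$BKS_PROVIDER" -storepass "$STORE_PASS"
        echo "removed alias $a"
    done
}

# Round trip against the phone: pull, edit, push back (needs root/remount), reboot.
purge_from_device() {  # purge_from_device <owner substring>
    adb pull "$DEVICE_PATH" ./cacerts.bks
    remove_ca ./cacerts.bks "$1"
    adb remount
    adb push ./cacerts.bks "$DEVICE_PATH"
    adb reboot
}

# Constructed sample of keytool -list -v output, so the alias lookup can be tried offline.
SAMPLE='Alias name: 12
Owner: CN=Some Trusted Root, O=Example, C=US
Alias name: 47
Owner: CN=DigiNotar Root CA, O=DigiNotar, C=NL
Alias name: 48
Owner: CN=Other Root, O=Example, C=US'

if [ "${1:-}" = "--device" ]; then purge_from_device "${2:-DigiNotar}"; fi
```

Try the lookup first with `printf '%s\n' "$SAMPLE" | aliases_for_owner DigiNotar` (prints 47); `./script.sh --device Comodo` runs the full round trip against an attached phone.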

