Removing Trusted Certificates from Android
In light of all the discussions about maintaining a secure posture on trusted certificates, we oftentimes forget about the little guys. In this case, I’m talking about our mobile devices. We tend to forget that these devices are just as vulnerable as our desktop/laptops. Unfortunately, it’s not always easy to manage the certificates on these devices. But if you own an Android device and would like to take a little more control over what your device is trusting, here’s how you can do it.
Remove a CA Cert from Android System
The bouncycastle library will be required, you can grab it here:
BouncyCastle Library
You’ll need the Android-SDK as well in order to utilize ADB. It can be found here if you don’t already have it:
Android SDK
- Move the jar into the $JAVA_HOME%\lib\ext folder. It’s most likely in a place like this:
C:\Program Files (x86)\Java\jre6\lib\ext\ - Connect your USB cable to your phone and verify with adb that it is seen as attached. [%android-sdk% is the location of the Android SDK installed on your system]
%android-sdk%\tools> adb devices - You’ll need to grab the cacerts.bks file from your phone using adb:
%android-sdk%\tools>adb pull /system/etc/security/cacerts.bks cacerts.bks - Now let’s extract the cacerts.bks to a human readable format (there are other ways of reading bks files, but this is an easy route)
- Open the newly created calist.txt file and search for the desired CA Cert ( DigiNotar CA in our case). You’ll want to identify the alias name number. You’ll use this to identify the certificate so that you can remove it with keytool.exe:
- Once you’ve removed the certificate you can push the cacerts.bks back to your phone for usage:
- The final step will require you to reboot your phone so that Android can reload the cacerts.bks.
- Enjoy!
%android-sdk%\tools>"%JAVA_HOME%\keytool.exe" -keystore
cacerts.bks -storetype BKS -provider org.bouncycastle.jce
.provider.BouncyCastleProvider -storepass changeit -v
-list > calist.txt
*******************************************
Alias name: 61
Creation date: Feb 8, 2011
Entry type: trustedCertEntry
Owner: C=NL,O=DigiNotar,CN=DigiNotar Root CA,E=info@diginotar.nl
Issuer: C=NL,O=DigiNotar,CN=DigiNotar Root CA,E=info@diginotar.nl
Serial number: c76da9c910c4e2c9efe15d058933c4c
Valid from: Wed May 16 17:19:36 UTC 2007
until: Mon Mar 31 18:19:21 UTC 2025
Certificate fingerprints:
MD5: 7A:79:54:4D:07:92:3B:5B:FF:41:F0:0E:C7:39:A2:98
SHA1: C0:60:ED:44:CB:D8:81:BD:0E:F8:6C:0B:A2:87:DD:CF:81:67:47:8C
Signature algorithm name: SHA1WithRSAEncryption
Version: 3 *******************************************
%android-sdk%\tools>"%JAVA_HOME%\bin\keytool.exe" -keystore
cacerts.bks -storetype BKS -provider org.bouncycastle.jce.
provider.BouncyCastleProvider -storepass changeit -v -delete
-alias <alias name number>
For example:
%android-sdk%\tools>"%JAVA_HOME%\bin\keytool.exe" -keystore
cacerts.bks -storetype BKS -provider org.bouncycastle.jce
.provider.BouncyCastleProvider -storepass changeit -v
-delete -alias 61
You’ll probably want to repeat this process for the Comodo certificates as well if you’re really security minded (of course you are).
%android-sdk%\tools>adb remount
%android-sdk%\tools>adb push cacert.bks /system/etc/security/
If you have root access and don’t feel like going through ADB and all the SDK installation, the GuardianProject has created an Android app (CACertMan) that is targeted at doing the above for you and letting you manage your certs yourself. You can check it out here. It is still in beta and isn’t 100% compatible yet, hence the manual instructions above.