14

From the current fallout around DigiNotar (in short, a Root Certificate Authority that has been hacked, fake HTTPS certificates issued, MITM attacks very likely), there are some parts concerning Android (see yesterday's interim report in PDF):

  • fraudulent certificates for *.android.com have been generated (which would include market.android.com)
  • there may be other such fraudulent certificates signed by this CA in the wild (currently nobody knows for sure, one way or the other)
  • this could happen to another CA in the future (Comodo had a similar problem a few months ago)

So, how do I remove a CA I no longer trust from my Android phone? (I have root and CM6 on my specific phone, if that's relevant)

  • CM team are working on a fix according to https://code.google.com/p/cyanogenmod/issues/detail?id=4260 – Sparx Sep 07 '11 at 17:16

5 Answers

19

In Android Lollipop 5.0
Settings → Security → Trusted credentials → User tab → Select your certificate → Scroll down, Click on Remove button → Done.

Manu
Joan Solà
  • Good to know if you're on a recent Android version, thanks. (I understand this is a feature introduced in 5.0, correct?) – Piskvor left the building Dec 02 '15 at 10:23
  • It's a shame how this is implemented. Distrusting all CAs I don't deem trustworthy (why should I trust some random Chinese/Turkish/SouthAmerican company?) takes about 1 1/2 hours of clicking and scrolling. Tedious to say the least. On the other hand installing my own trusted credentials is nearly impossible. – atripes Jul 27 '17 at 10:47
  • On Android 8.0, this moved to Settings → Security & Location → Encryption & credentials → Trusted credentials – Michael Marvick Jun 23 '18 at 14:00
5

Lookout Mobile has blogged about this due to the DigiNotar events, and provided some pretty good (read: lengthy) instructions which you can find here.

The gist of it is that you need to pull /system/etc/security/cacerts.bks and then remove the CAs from the store, then push the store back to the device and reboot. Their instructions require that you have Bouncy Castle (for decrypting the store), root access, and a working adb connection. I'm not sure if this applies to all versions of Android or not, but my guess would be that the location of the CA store hasn't changed in quite some time (if ever).

Theraot
eldarerathis
  • In your list of requirements an important entry for some devices is missing: you need an unprotected system partition (also known as "S-OFF"). On an S-ON system the command "adb remount" will not work. – Robert Sep 22 '11 at 13:38
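As an added example (not code from the answer or from Lookout's guide), here is a shell script that automates the pull / delete / push / reboot sequence described above using Java's keytool with the Bouncy Castle provider jar. It assumes adb and keytool on the PATH, a bcprov.jar in the working directory, a rooted device on which `adb remount` succeeds (see the S-OFF comment above), and the store password `changeit`; all of these are assumptions, not facts from the page.

```shell
#!/bin/sh
# Added example (not from the answer or Lookout's guide): automate the
# pull / edit / push / reboot sequence for the Android CA store with keytool
# and the Bouncy Castle provider. Assumed: adb and keytool on PATH, bcprov.jar
# in the working directory, root so "adb remount" works, password "changeit".
set -eu

STORE=/system/etc/security/cacerts.bks
BCJAR=${BCJAR:-bcprov.jar}
STOREPASS=${STOREPASS:-changeit}

# keytool cannot read BKS stores without the Bouncy Castle provider.
bks_keytool() {
    ks=$1; shift
    keytool -storetype BKS \
        -providerclass org.bouncycastle.jce.provider.BouncyCastleProvider \
        -providerpath "$BCJAR" -storepass "$STOREPASS" -keystore "$ks" "$@"
}

# Text filter over "keytool -list" output ("alias, date, entryType," per entry):
# print aliases matching PATTERN (case-insensitive regex) that are CA entries.
# Kept free of adb/keytool calls so it can be checked on sample input.
match_aliases() {
    awk -F, -v pat="$1" \
        'tolower($1) ~ tolower(pat) && $0 ~ /trustedCertEntry/ { print $1 }'
}

remove_ca() {
    pattern=$1; work=./cacerts.bks
    adb pull "$STORE" "$work"
    cp "$work" "$work.bak"            # keep the untouched store for rollback
    aliases=$(bks_keytool "$work" -list | match_aliases "$pattern")
    if [ -z "$aliases" ]; then
        echo "no trusted CA alias matches '$pattern'" >&2
        return 1
    fi
    printf '%s\n' "$aliases" | while IFS= read -r alias; do
        echo "removing $alias"
        bks_keytool "$work" -delete -alias "$alias"
    done
    adb remount                        # needs root; fails on S-ON devices
    adb push "$work" "$STORE"
    adb reboot                         # the trust store is read at boot
}

# Usage: sh remove_ca.sh diginotar   (does nothing when run without a pattern)
if [ $# -gt 0 ]; then
    remove_ca "$1"
fi
```

Keep the `.bak` copy until the device has rebooted and HTTPS still works; pushing it back with the same `adb push` restores the original store.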
2

Lock screen and security → Other security settings → View security certificates → Users.

Then remove it.

S7 Edge 2016-07-14

user176546
1

You have to remove them one at a time. Typically there is a large number so researching each one is impossible. Just disabling them one at a time takes a very long time.

mattm
0

Click on the name of the credential, scroll down and then press turn off.

ale
  • I think you meant "Disable" instead of "turn off". However, please also indicate the Android version and brand since not all versions have this feature. – Andrew T. Nov 10 '14 at 06:32
  • I think this would be in "System settings > Security > Trusted Credentials". At least this is on my Android 4.1.2. – Ricardo Souza Apr 21 '15 at 22:10