[Q] Unsafe certificate protection in Android? - Android Q&A, Help & Troubleshooting

Hi
I've followed the instructions from Nexus official guide and installed my personal certificate stored in a pfx file (PKCS#12) in my Google Nexus (ICS 4.0.4). At this point I faced a little problem: the new certificate is not listed in "User" tab in "Credentials". It works anyway because I can use it in web pages.
But the big problem IMHO, is the way Android protects your certificates. It only requests the user to set a pattern, PIN, or password to unlock the screen. I'm missing a password-protected access to my credentials like IE does in Windows, for instance every time your certificate is requested by a web site.
Is there a method to enhance security of your certificates in ICS and set a password for accessing certificates storage?
Thank you

Related

Install a web certificate (*.cer) on an Android device

Hi,
To gain access to WIFI at university I have to login with my user/pass credentials.
The certificate of their website (the local home page that asks for the credentials) is not recognized as a trusted certificate, so we install it separately on our computers.
I want to know how to install such certificates on Android. I have an HTC Magic and I came across this question, which seems to be the same problem, but the solution is specific to Exchange Server and not the browser: http://forum.xda-developers.com/showthread.php?t=551512
These are the details of installing the certificate from the university's page [LINK]
If you are rooted, download wifi helper (it's free) from Market and it should help you configure your wifi with custom cert files.
Hey,
I stumbled onto this topic as I had the problem (but on the Droid, Android v2.0). I then figured out how to do it and made a tool to make it easier. I call it RealmB's Android Certificate Installer. It basically gives your Android's web browser the correct HTTP headers to make it launch the CA certificate installation wizard.
Hope this helps,
Brian
I used Android's built-in certificate manager.
1. Just drop your certificate file onto the sdcard/download folder.
Note: Keep in mind the manager looks for .p12 and/or .crt files. I had a .cer file, but it was PEM formatted so I simply changed the extension.
2. Go to Settings -> Security & Privacy -> Install from SD Card
Note: I use the MIUI ROM, so mileage may vary a bit on other ROMs
Done! Enter your credentials password, or create a new one if you didn't have one already, and you're all set!
Thanks MrNago
Renaming .cer to .crt really makes me able to install it. Life can be so easy ... (MIUI 2.3)
I was looking for a way to do this exact thing, and found a (potentially) easier way to install the certificate. If you have access to a web site, you can just put the .crt file on it, go to the site, click the file and voila... It installs on the device.
Worked like a charm since I do not have an SD card with me, but I needed to install the certificate.
Thanks for the comments above. I had a .cer file, and renaming it worked like a champ as well.
Bryan
gces said:
I was looking for a way to do this exact thing, and found a (potentially) easier way to install the certificate. If you have access to a web site, you can just put the .crt file on it, go to the site, click the file and voila... It installs on the device. ...
Thanks, this works.
To install a browser certificate into a pre-ICS ROM, use Portecle to add it to /system/etc/security/cacerts.bks.
Notes:
- obviously, ROOT is required to do this
- the keystore p/w is changeit
- In ICS a certificate can be simply added via Settings
The problem is that only the old stock browser sees the installed certificate. This browser doesn't exist on Jelly Bean for Nexus 7. Google Chrome is the default browser here.
Does anyone know a solution to this?
Thanks
Denis
!crazy said:
The problem is that only the old stock browser sees the installed certificate. This browser doesn't exist on Jelly Bean for Nexus 7. Google Chrome is the default browser here.
Does anyone know a solution to this?
Thanks
Denis
The solution could be to wait until the bug in Chrome is fixed.

[Q] PPP/EVDO authorization and Android

I am a n00b with Android and have the following question. Are EVDO authorization credentials such as MIP/PPP username and password set within the OS, i.e. built into the PPP daemon? If so, then rooting is required to modify those settings (for example, to use the firmware with another carrier).
Or are they stored separately, outside of and external to the Android OS? If so, rooting is neither required nor helpful for modifying EVDO authorization credentials.

Installing certificates.

My friends who I play an online game with use a Mumble server for voice chat, so I downloaded the Mumble client for Android beta. I try to install the certificate I backed up from my laptop but I am asked for a password when I know the certificate is not password protected.
If I try to install the certificate with no password the settings screen just dims until I hit the back key and the certificate will not install. Anyone have any suggestions on how to get the certificate installed?
I am using settings > security > install certificate from device storage to install it.
Sent from my GT-I9300 using xda app-developers app
when I know the certificate is not password protected.
Are you asked a certificate password or asked to set a device password?
Have you checked if the certificate doesn't say encrypted in the raw text?
d4fseeker said:
Are you asked a certificate password or asked to set a device password?
Have you checked if the certificate doesn't say encrypted in the raw text?
The password it asks for is to extract the certificate files, and I know it is not encrypted because the pc mumble client doesn't encrypt exported certificates and I import the same certificate every time I reinstall windows and don't get asked for a password.
Sent from my GT-I9300 using xda app-developers app
Afaik the certificate is an RSA private key.
So the second line, when opened in the text editor of your choice, should not contain any Text with the literal string "encrypted".
Since Windows and Linux have different methods of Line endings, you might have to convert it to UNIX style.
E.g. the Windows Application Notepad++ is capable of doing it.
Blank passwords are the standard for non-decryption, so it should work...
Are you sure you need to install the certificate in Android and not in the app?
What ROM are you on?
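The text-editor check described in the post above, as an added example that is not part of the original thread: it looks for the two standard PEM encryption markers (a `Proc-Type: 4,ENCRYPTED` second line, or an `ENCRYPTED PRIVATE KEY` label), reports CRLF line endings, and flags binary DER/PKCS#12 files, which have no text markers to inspect. The function names and all sample inputs are constructed for illustration.

```python
import re

# Constructed samples: placeholder bodies, not real key material.
BODY = b"Q09OU1RSVUNURUQ="
PLAIN = b"-----BEGIN RSA PRIVATE KEY-----\n" + BODY + b"\n-----END RSA PRIVATE KEY-----\n"
LEGACY_ENC = (b"-----BEGIN RSA PRIVATE KEY-----\r\n"
              b"Proc-Type: 4,ENCRYPTED\r\n"
              b"DEK-Info: AES-256-CBC,00000000000000000000000000000000\r\n\r\n"
              + BODY + b"\r\n-----END RSA PRIVATE KEY-----\r\n")
PKCS8_ENC = (b"-----BEGIN ENCRYPTED PRIVATE KEY-----\n" + BODY
             + b"\n-----END ENCRYPTED PRIVATE KEY-----\n")
BINARY = b"\x30\x82\x01\x0a\x02\x01\x03"  # begins with the ASN.1 SEQUENCE tag

BEGIN = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----")

def inspect_credential(data: bytes) -> dict:
    """Classify a key/certificate file by content, not by extension."""
    report = {"encoding": "unknown", "labels": [], "encrypted_key": False, "crlf": False}
    if data[:1] == b"\x30":
        # DER and PKCS#12 are binary ASN.1; a text editor shows no markers.
        report["encoding"] = "binary"
        return report
    report["crlf"] = b"\r\n" in data
    lines = data.decode("latin-1").replace("\r\n", "\n").split("\n")
    for i, line in enumerate(lines):
        m = BEGIN.fullmatch(line.strip())
        if not m:
            continue
        report["encoding"] = "pem"
        report["labels"].append(m.group(1))
        second = lines[i + 1].strip() if i + 1 < len(lines) else ""
        # Legacy OpenSSL keys mark encryption on the line after BEGIN;
        # PKCS#8 keys mark it in the BEGIN label itself.
        if m.group(1) == "ENCRYPTED PRIVATE KEY" or (
                second.startswith("Proc-Type:") and "ENCRYPTED" in second):
            report["encrypted_key"] = True
    return report

def to_unix_line_endings(data: bytes) -> bytes:
    """Convert CRLF to LF (only meaningful for PEM text)."""
    return data.replace(b"\r\n", b"\n")

if __name__ == "__main__":
    for name, sample in [("plain", PLAIN), ("legacy", LEGACY_ENC),
                         ("pkcs8", PKCS8_ENC), ("binary", BINARY)]:
        print(name, inspect_credential(sample))
```
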
d4fseeker said:
Afaik the certificate is an RSA private key.
So the second line, when opened in the text editor of your choice, should not contain any Text with the literal string "encrypted".
Since Windows and Linux have different methods of Line endings, you might have to convert it to UNIX style.
E.g. the Windows Application Notepad++ is capable of doing it.
Blank passwords are the standard for non-decryption, so it should work...
Are you sure you need to install the certificate in Android and not in the app?
What ROM are you on?
I don't see any encryption if I open it in notepad, and there is nowhere in the mumble for android beta app to install a certificate.
I am on stock LFB.
According to a quick Google, it seems that (at least for the ones I found, there are several - each based upon each other) Certificate Login is not yet supported. Maybe there are versions where it works, you'll have to search.
Any luck on getting this to work?
It seems like mumble uses certificate as a form of "password" for user logging in to mumble server with registered nick.
I've exported a cert to my phone but was unable to install it as well, it says "no certificate to install" when I attempt to install the cert from mumble pc.
tishfire said:
Any luck on getting this to work?
It seems like mumble uses certificate as a form of "password" for user logging in to mumble server with registered nick.
I've exported a cert to my phone but was unable to install it as well, it says "no certificate to install" when I attempt to install the cert from mumble pc.
Not yet, I'm running out of ideas, all I can think of is creating a new certificate rather than using one automatically generated by mumble, I haven't done this yet because I don't want to bother my mumble server guys with taking me off the server then putting me back on.

[Q] KitKat Keystore/Keychain?

I've installed the OpenVPN client on my Moto G, and imported the PKCS#12 file into the Keychain, as recommended in the doc. Where did the file actually go - I expected it to appear in Settings -> Security -> Trusted Credentials, but it isn't there?
In Trusted Credentials under the User tab there's an entry 'Myhome changeme'. It appears to require me to do something - to change it in some way. Do I actually need to do something?
Is there an 'Idiot's Guide' to Trusted Credentials and the Keystore/Keychain for Android, that someone can point me to, please?
Jim

Enable system certificate on Android

Dear all,
I'm searching for some help regarding system certificates on Android.
First of all, a little bit of context: I'm in charge of the migration of mobile devices from one Airwatch server to another. All devices are managed by MDM (Airwatch MDM Agent) that allows deployment of configuration profiles and apps. One of those profiles is called "CertAuth" and pushes some certificates that are needed to access internal resources.
A few months ago, we discovered that one of the system certificates (Thawte Primary Root G3) was missing on some devices, mainly old versions of Android.
So we decided to push this certificate through the "CertAuth" profile.
Now the problem with that method is that once the devices are unenrolled from the first server, profile "CertAuth", all corporate content and apps are removed (normal behavior). As Thawte Primary Root G3 certificate is part of the system certificates, it cannot be removed. So it is simply disabled.
This certificate is needed to access the target server, so once devices try to enroll, they receive some error message "cannot connect to host". Connection is simply refused due to the disabled Thawte G3.
Of course it can be manually enabled, but as you all may know, basic users are not always able to find the correct option in the device settings...
So (finally) my question is: is there any way to remotely enable this system certificate (little switch OFF/ON) in order to avoid manual action on more than 5000 devices?
By using a script or something that would be deployed on devices as third-party content/not removable content?
