How to install trusted CA certificate on Android device?

by

Prior to Android KitKat you have to root your device to install new certificates.

From Android KitKat (4.0) up to Marshmallow (6.0) it’s possible and easy. I was able to install the Charles Web Debbuging Proxy cert on my un-rooted device and successfully sniff SSL traffic.

Extract from http://wiki.cacert.org/FAQ/ImportRootCert

Before Android version 4.0, with Android version Gingerbread & Froyo, there was a single read-only file ( /system/etc/security/cacerts.bks ) containing the trust store with all the CA (‘system’) certificates trusted by default on Android. Both system apps and all applications developed with the Android SDK use this. Use these instructions on installing CAcert certificates on Android Gingerbread, Froyo, …

Starting from Android 4.0 (Android ICS/’Ice Cream Sandwich’, Android 4.3 ‘Jelly Bean’ & Android 4.4 ‘KitKat’), system trusted certificates are on the (read-only) system partition in the folder ‘/system/etc/security/’ as individual files. However, users can now easily add their own ‘user’ certificates which will be stored in ‘/data/misc/keychain/certs-added’.

System-installed certificates can be managed on the Android device in the Settings -> Security -> Certificates -> ‘System’-section, whereas the user trusted certificates are manged in the ‘User’-section there. When using user trusted certificates, Android will force the user of the Android device to implement additional safety measures: the use of a PIN-code, a pattern-lock or a password to unlock the device are mandatory when user-supplied certificates are used.

Installing CAcert certificates as ‘user trusted’-certificates is very easy. Installing new certificates as ‘system trusted’-certificates requires more work (and requires root access), but it has the advantage of avoiding the Android lockscreen requirement.

From Android N (7.0) onwards it gets a littler harder, see this extract from the Charles proxy website:

As of Android N, you need to add configuration to your app in order to
have it trust the SSL certificates generated by Charles SSL Proxying.
This means that you can only use SSL Proxying with apps that you
control.

In order to configure your app to trust Charles, you need to add a
Network Security Configuration File to your app. This file can
override the system default, enabling your app to trust user installed
CA certificates (e.g. the Charles Root Certificate). You can specify
that this only applies in debug builds of your application, so that
production builds use the default trust profile.

Add a file res/xml/network_security_config.xml to your app:

<network-security-config>    
    <debug-overrides> 
        <trust-anchors> 
            <!-- Trust user added CAs while debuggable only -->
            <certificates src="user" /> 
        </trust-anchors>    
    </debug-overrides>  
</network-security-config>

Then add a reference to this file in your app’s manifest, as follows:

<?xml version="1.0" encoding="utf-8"?> 
<manifest>
    <application android:networkSecurityConfig="@xml/network_security_config">
    </application> 
</manifest>

More Related Contents:

  1. android webview with client certificate
  2. SSL certificate is not trusted – on mobile only [closed]
  3. accepting HTTPS connections with self-signed certificates
  4. Install apps silently, with granted INSTALL_PACKAGES permission
  5. Javax.net.ssl.SSLHandshakeException: javax.net.ssl.SSLProtocolException: SSL handshake aborted: Failure in SSL library, usually a protocol error
  6. Android error: Failed to install *.apk on device *: timeout
  7. How do you install an APK file in the Android emulator?
  8. How to get APK signing signature?
  9. Self-signed SSL acceptance on Android
  10. Get referrer after installing app from Android Market
  11. What is INSTALL_PARSE_FAILED_NO_CERTIFICATES error?
  12. How to enable TLS 1.2 support in an Android application (running on Android 4.1 JB)
  13. SSLHandshakeException: Handshake failed on Android N/7.0
  14. javax.net.ssl.SSLException: Read error: ssl=0x9524b800: I/O error during system call, Connection reset by peer
  15. ADB Install Fails With INSTALL_FAILED_TEST_ONLY
  16. Android SSL – SNI support
  17. Custom SSL handling stopped working on Android 2.2 FroYo
  18. Apache HttpClient on Android producing CertPathValidatorException (IssuerName != SubjectName)
  19. Application Installation Failed in Android Studio
  20. What is a Full Android Database Helper class for an existing SQLite database? [closed]
  21. CertPathValidatorException : Trust anchor for certificate path not found – Retrofit Android
  22. iOS: Pre install SSL certificate in keychain – programmatically
  23. Failure [INSTALL_FAILED_ALREADY_EXISTS] when I tried to update my application
  24. Android Studio – Unable to find valid certification path to requested target
  25. ‘No peer certificate’ error in Android 2.3 but NOT in 4
  26. cmdline-tools : could not determine SDK root
  27. How Do I Create A Certificate For My Android Market APK?
  28. Google Play security alert for insecure TrustManager
  29. Xamarin Android issue connecting via HTTPS to site with self-signed certificate: “Trust anchor for certification path not found.”
  30. Get Application Installed Date on Android

Leave a Comment