Disable all Trusted CA CERTs on Android 4.x and later (requires root)
# disables all trusted root certs on your Android 4.x
# by jduck of #droidsec
# requires a working openssl binary in /data/local/tmp
# (you can build one from AOSP "make openssl")
# run this as system!! for example:
# shell@flo:/data/local/tmp $ su system -c ./
# shell@flo:/data/local/tmp $
# if you want to re-enable a key, either do it manually or rm the file created in
# /data/misc/keychain/cacerts-removed
# for example, to re-enable some geotrust and verisign certs:
# system@flo:/data/local/tmp $ ./busybox grep -Ei 'O=(geotrust|verisign)' /etc/security/cacerts/* | ./busybox awk -F: '{print $1}' | ./busybox sort -u | ./busybox awk -F/ '{print "rm /data/misc/keychain/cacerts-removed/"$5}' | sh
# system@flo:/data/local/tmp $
# enjoy!
umask 022
if ! mkdir -p /data/misc/keychain/cacerts-removed; then
    echo "failed to create /data/misc/keychain/cacerts-removed! are you system??"
    exit 1
fi
# a DER copy of each system CA placed in cacerts-removed marks that CA as disabled
cd /etc/security/cacerts || exit 1
for ii in *; do
    /data/local/tmp/openssl x509 -in "$ii" -outform der -out "/data/misc/keychain/cacerts-removed/$ii"
done
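
An added example, not part of the original gist: a helper that audits which system CAs are still enabled and re-enables CAs by organization with a dry-run mode, following the gist's convention that a same-named file in cacerts-removed disables a CA. The function names, the DRY_RUN variable, the CACERTS_DIR/REMOVED_DIR overrides and the command-line interface are hypothetical, and on the device plain `grep` may have to be `./busybox grep` as in the gist.

```shell
#!/bin/sh
# Added example, not part of the gist. Paths default to the ones the gist uses;
# override CACERTS_DIR / REMOVED_DIR to try it off-device.
CACERTS_DIR="${CACERTS_DIR:-/etc/security/cacerts}"
REMOVED_DIR="${REMOVED_DIR:-/data/misc/keychain/cacerts-removed}"

# Print the name of every system CA file that has no same-named file in
# REMOVED_DIR, i.e. every CA the gist's script has not disabled.
list_enabled() {
    for f in "$CACERTS_DIR"/*; do
        [ -f "$f" ] || continue            # empty or missing directory
        name=${f##*/}
        [ -e "$REMOVED_DIR/$name" ] || printf '%s\n' "$name"
    done
}

# Re-enable the CAs whose file mentions O=<pattern> (case-insensitive ERE, as
# in the gist's grep) by deleting their markers. DRY_RUN=1 only reports.
# File names are handled as data rather than piped to sh as generated commands.
reenable_by_org() {
    grep -liE "O=($1)" "$CACERTS_DIR"/* 2>/dev/null | while IFS= read -r f; do
        name=${f##*/}
        marker="$REMOVED_DIR/$name"
        [ -e "$marker" ] || continue       # already enabled
        if [ "${DRY_RUN:-0}" = 1 ]; then
            printf 'would re-enable %s\n' "$name"
        else
            rm -f -- "$marker" && printf 're-enabled %s\n' "$name"
        fi
    done
}

# Hypothetical command-line interface: "list" or "reenable <pattern>".
case "${1:-}" in
    list)     list_enabled ;;
    reenable) reenable_by_org "$2" ;;
esac
```

Like the gist's script, this has to run as system on the device, because the markers live under /data/misc/keychain.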

commented Oct 20, 2014

Cool. Nice little code bit
