Disable all Trusted CA CERTs on Android 4.x and later (requires root)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/system/bin/sh | |
| # | |
| # disables all trusted root certs on your Android 4.x | |
| # by jduck of #droidsec | |
| # | |
| # requires a working openssl binary in /data/local/tmp | |
| # (you can build one from AOSP "make openssl") | |
| # | |
| # run this as system!! for example: | |
| # shell@flo:/data/local/tmp $ su system -c ./trustnocerts.sh | |
| # shell@flo:/data/local/tmp $ | |
| # | |
| # if you want to re-enable a key, either do it manually or rm the file created in | |
| # /data/misc/keychain/cacerts-removed | |
| # | |
| # for example, to re-enable some geotrust and verisign certs: | |
| # system@flo:/data/local/tmp $ ./busybox grep -Ei 'O=(geotrust|verisign)' /etc/security/cacerts/* | ./busybox awk -F: '{print $1}' | ./busybox sort -u | ./busybox awk -F/ '{print "rm /data/misc/keychain/cacerts-removed/"$5}' | sh | |
| # system@flo:/data/local/tmp $ | |
| # | |
| # enjoy! | |
| # | |
| umask 022 | |
| if ! mkdir -p /data/misc/keychain/cacerts-removed; then | |
| echo "failed to create /data/misc/keychain/cacerts-removed! are you system??" | |
| exit 1 | |
| fi | |
| cd /etc/security/cacerts | |
| for ii in *; do | |
| /data/local/tmp/openssl x509 -in $ii -outform der -out /data/misc/keychain/cacerts-removed/$ii | |
| done |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Cool. Nice little code bit