Disable all Trusted CA CERTs on Android 4.x and later (requires root)
| #!/system/bin/sh | |
| # | |
| # disables all trusted root certs on your Android 4.x | |
| # by jduck of #droidsec | |
| # | |
| # requires a working openssl binary in /data/local/tmp | |
| # (you can build one from AOSP "make openssl") | |
| # | |
| # run this as system!! for example: | |
| # shell@flo:/data/local/tmp $ su system -c ./trustnocerts.sh | |
| # shell@flo:/data/local/tmp $ | |
| # | |
| # if you want to re-enable a key, either do it manually or rm the file created in | |
| # /data/misc/keychain/cacerts-removed | |
| # | |
| # for example, to re-enable some geotrust and verisign certs: | |
| # system@flo:/data/local/tmp $ ./busybox grep -Ei 'O=(geotrust|verisign)' /etc/security/cacerts/* | ./busybox awk -F: '{print $1}' | ./busybox sort -u | ./busybox awk -F/ '{print "rm /data/misc/keychain/cacerts-removed/"$5}' | sh | |
| # system@flo:/data/local/tmp $ | |
| # | |
| # enjoy! | |
| # | |
| umask 022 | |
| if ! mkdir -p /data/misc/keychain/cacerts-removed; then | |
| echo "failed to create /data/misc/keychain/cacerts-removed! are you system??" | |
| exit 1 | |
| fi | |
| cd /etc/security/cacerts | |
| for ii in *; do | |
| /data/local/tmp/openssl x509 -in $ii -outform der -out /data/misc/keychain/cacerts-removed/$ii | |
| done |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
This comment has been minimized.
Cool. Nice little code bit