Skip to content

Instantly share code, notes, and snippets.

@jduck
Last active August 29, 2015 14:07
Show Gist options
  • Save jduck/4336d6f43d7fdb987ef2 to your computer and use it in GitHub Desktop.
Save jduck/4336d6f43d7fdb987ef2 to your computer and use it in GitHub Desktop.
Disable all Trusted CA CERTs on Android 4.x and later (requires root)
#!/system/bin/sh
#
# disables all trusted root certs on your Android 4.x
# by jduck of #droidsec
#
# requires a working openssl binary in /data/local/tmp
# (you can build one from AOSP "make openssl")
#
# run this as system!! for example:
# shell@flo:/data/local/tmp $ su system -c ./trustnocerts.sh
# shell@flo:/data/local/tmp $
#
# if you want to re-enable a key, either do it manually or rm the file created in
# /data/misc/keychain/cacerts-removed
#
# for example, to re-enable some geotrust and verisign certs:
# system@flo:/data/local/tmp $ ./busybox grep -Ei 'O=(geotrust|verisign)' /etc/security/cacerts/* | ./busybox awk -F: '{print $1}' | ./busybox sort -u | ./busybox awk -F/ '{print "rm /data/misc/keychain/cacerts-removed/"$5}' | sh
# system@flo:/data/local/tmp $
#
# enjoy!
#
umask 022
if ! mkdir -p /data/misc/keychain/cacerts-removed; then
echo "failed to create /data/misc/keychain/cacerts-removed! are you system??"
exit 1
fi
cd /etc/security/cacerts
for ii in *; do
/data/local/tmp/openssl x509 -in $ii -outform der -out /data/misc/keychain/cacerts-removed/$ii
done
@rhcp011235
Copy link

Cool. Nice little code bit

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment