I am installing a certificate (.pk12) on my Galaxy S2 from Settings. After installing, it shows the toast "installed". After that, in my code I am opening the "/system/etc/security/cacerts.bks" key store, and from it I can see that the number of aliases in the keystore is 44. Regardless of how many certificates I install, the alias count does not change. I doubt whether the installed certificates go to this key store at all. How do I confirm it?
Which key store should I read to see the installed certificates?
You cannot do what you're trying to do, unless you root the phone. Importing certificates using the standard interface (settings) only allows you to import certificates for VPN or Wi-Fi connections. To actually modify the system store (cacerts.bks), a system update from the manufacturer must be made to implement the new cacerts.bks file.
Details here:
http://code.google.com/p/android/issues/detail?id=11231#c25
If you root the phone, you can directly modify cacerts.bks, but stock Android does not permit this operation.
I want to install my apk (my own application) on an Android device, but this apk should be installed only if the user is allowed to install it (i.e. login needed).
I know that adb can be used to install an apk, but I couldn't find any information about whether I can protect the adb port with a password. And I don't know whether there are other methods or not.
You can't prevent the installation of an APK on a device. However, you can make the app work only on the devices you want, by adding a login form or a check on the unique ID of the device.
Keep in mind that a third person can bypass this protection by patching the app.
Android supports cloud and local backup of APK files, application data, and so on. Is the device keystore included in the backup?
(I don't think you can extract private keys from a hardware-backed keystore even on rooted devices; I'm not so sure about the software-based version used when there is no hardware support.)
No. The whole point behind the hardware-backed keystore is that it's resistant to even privileged attacks with root access.
For this reason, not even the OS can access raw key material from the hardware-backed keystore.
While it would be theoretically possible for the OS to do a keystore backup on lower end devices with a software-backed keystore, this is simply not done or allowed by the OS for security reasons.
You cannot back up the Keystore, so when your encrypted data is restored you won't be able to decrypt it.
You have to find a different way to back up data, for example:
Store user data on the backend
Use a user-stored token to decrypt the backup
Have a static password for all apps
Export backup manually by the user in settings
I wrote about it more here:
https://medium.com/#thecodeside/android-auto-backup-keystore-encryption-broken-heart-love-story-8277c8b10505
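The restore failure described in this answer, handled at load time, as an added example that is not part of the original answer. It assumes API 23+, AES-GCM with an AndroidKeyStore key, and hypothetical names `vault_key` and `vault_blob`; the ciphertext lives in SharedPreferences, which Auto Backup restores while the key is not.

```java
import android.content.SharedPreferences;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;
import android.util.Base64;
import java.security.KeyStore;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.spec.GCMParameterSpec;

public class RestoreAwareVault {
    static final String ALIAS = "vault_key";      // hypothetical key alias
    static final String PREF_BLOB = "vault_blob"; // hypothetical pref: base64(iv || ciphertext)

    /** Returns the secret, or null when the caller must re-provision it (e.g. ask for login). */
    static byte[] loadOrReset(SharedPreferences prefs) throws Exception {
        KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
        ks.load(null);
        String blob = prefs.getString(PREF_BLOB, null);
        if (blob == null) return null;               // first run, nothing stored yet
        if (!ks.containsAlias(ALIAS)) {              // prefs came back from a backup, the key did not
            prefs.edit().remove(PREF_BLOB).apply();  // ciphertext is unrecoverable, drop it
            return null;
        }
        byte[] raw = Base64.decode(blob, Base64.NO_WRAP);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, ks.getKey(ALIAS, null),
                new GCMParameterSpec(128, raw, 0, 12)); // first 12 bytes are the IV
        return c.doFinal(raw, 12, raw.length - 12);
    }

    /** Generates (or replaces) the keystore key and stores iv || ciphertext. */
    static void store(SharedPreferences prefs, byte[] secret) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance(
                KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore");
        kg.init(new KeyGenParameterSpec.Builder(ALIAS,
                KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
                .build());
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, kg.generateKey()); // keystore picks a random 12-byte IV
        byte[] iv = c.getIV(), ct = c.doFinal(secret);
        byte[] out = new byte[iv.length + ct.length];
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        prefs.edit().putString(PREF_BLOB, Base64.encodeToString(out, Base64.NO_WRAP)).apply();
    }
}
```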
A July 13 2016 check with official says no:
"What gets backed up with Android Backup Service
Google Calendar settings
Wi-Fi networks & passwords
Home screen wallpapers
Gmail settings
Apps installed through Google Play (backed up on the Play Store app)
Display settings (Brightness & Sleep)
Language & Input settings
Date & Time
Third-party app settings & data (varies by app)
Note: Not all apps use Android Backup Service. Some apps may not back up and restore all data."
Of course backing up and restoring apps that use the KeyStore without the KeyStore itself being backed up and restored with the account makes little or no sense.
Though it's possible they did not update their docs, my best guess is that the KeyStore is backed up but that information is not made widely available.
Possibly due to the backup not being encrypted prior to transport, which is the Google backup standard. They may have made an exception for the keystore, but that would indicate all other data isn't as secure when transported nor when received by their servers (they do encrypt the data once they receive it).
I'm trying to make an app for the LG Optimus 4x that will require it to emulate an NFC tag. It's a simple boarding pass/ticketing app. For that, I'm following this tutorial:
http://nelenkov.blogspot.com/2012/08/accessing-embedded-secure-element-in.html.
I have the following confusions:
I'm not sure about the NFC controller used by the device and the availability of embedded secure element. I have rooted the device and /etc contains the nfcee_access.xml file. So, I'm assuming the device has the embedded Secure Element. Please correct me if I'm wrong.
Second, the nfcee_access.xml file already contains a long signer hex string saying "Google Wallet Release Signature". In order to enable access for my own app, do I still have to add another signer certificate for my app, or will the Google Wallet signer certificate work for my app too? Or should I just add my package name after this already existing signer certificate?
If I have to add a new signer certificate, how can I get it exactly?
As long as you don't have the keys to the embedded secure element, you won't be able to store any data in the secure element. So at the moment it doesn't make much sense investing time into this field (unless you want to read data from the secure element, which might be already stored there).
The better option is to wait for Android 4.4 (KitKat) and use Host Card Emulation (HCE, https://developer.android.com/guide/topics/connectivity/nfc/hce.html). This feature allows you to emulate your boarding pass even without a secure element.
Other options are discussed here: How to emulate a nfc-tag on an android phone
best
My objective:
Create an EAP WiFi configuration - including the CA Certificate - in Android programmatically.
Problem:
How do I install a CA Certificate programmatically (and then reference that certificate in the EAP WiFi configuration)?
I found a very useful link already that allows me to create and save EAP WiFi configurations here:
How to programmatically create and read WEP/EAP WiFi configurations in Android?
However this assumes that you have already installed the CA Certificate on the device. I would like to install the certificate within my app - either from the resources in the app, or sent from a server.
Is this even possible? (Rooting is not an option in this case.)
If so, how?
Additional info...
I also found a way to add a certificate to a KeyStore:
https://stackoverflow.com/a/4490543/1172101
However this is used specifically for creating a secure socket and connecting via HTTPS. I want to use the certificate for WiFi.
Unfortunately, I have yet to find a way to install a CA Certificate programmatically - from within the app.
However, it is possible to install a certificate via the Web browser in Android. Thus, the solution (for now) is to:
Launch an intent to open a URL in the Web browser that goes directly to the CA certificate.
This works but there are some challenges:
The user must name the certificate. This is a challenge because we are adding the WiFi configuration programmatically. Thus we have to ask the user to give the certificate the same name.
The user must enter a password. If they don't have a password set up, the user will create one and enter it twice. If they have set a security password, the user will have to remember that same password and enter it.
Assuming the user successfully completes these steps, he is left hanging in the browser.
This leads to a few questions:
From my app, is there a way to force a name for the certificate that the user installs via the browser?
From my app, is there any way to know when the certificate installation has completed and then give focus back to my app?
Just let me know if you need any clarification.
You cannot install it directly since non-system applications don't have access to the key store. On ICS, there is an API for this, KeyChain.createInstallIntent(), that would launch a system dialog asking the user whether they want to install the certificate. On pre-ICS you can achieve the same thing by launching the install intent using the component name directly (this may or may not work on all devices though). Going through the browser is actually a roundabout way of doing the same thing.
As for your questions:
You cannot specify/force a name. Why do you care about the actual name?
Not really through the browser. If you use the system intent, you can return to your activity and will get a callback if you use startActivityForResult().
Update: Android 4.3 has WifiEnterpriseConfig which both creates a profile and installs keys and certificates in the system credential store. You only need the CHANGE_WIFI_STATE permission.
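The two routes named in this answer, side by side, as an added example that is not part of the original answer. The class name, request code, and the PEAP/MSCHAPv2 choice are assumptions for illustration; the CA bytes are whatever the app ships in its resources or fetches from its server.

```java
import android.app.Activity;
import android.content.Intent;
import android.net.wifi.WifiConfiguration;
import android.net.wifi.WifiEnterpriseConfig;
import android.net.wifi.WifiManager;
import android.security.KeyChain;
import java.io.InputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

public class EapCaProvisioner {
    static final int REQ_INSTALL_CA = 1; // hypothetical request code

    /** Parses a DER or PEM encoded CA certificate. */
    static X509Certificate parseCa(InputStream in) throws Exception {
        return (X509Certificate) CertificateFactory.getInstance("X.509")
                .generateCertificate(in);
    }

    /** Android 4.3+: the CA travels inside the Wi-Fi profile, so no install dialog and
     *  no certificate name to agree on. Needs CHANGE_WIFI_STATE. Returns -1 on failure. */
    static int addEapNetwork(WifiManager wm, X509Certificate ca,
                             String ssid, String identity, String password) {
        WifiEnterpriseConfig eap = new WifiEnterpriseConfig();
        eap.setEapMethod(WifiEnterpriseConfig.Eap.PEAP);            // assumed EAP method
        eap.setPhase2Method(WifiEnterpriseConfig.Phase2.MSCHAPV2);  // assumed inner method
        eap.setIdentity(identity);
        eap.setPassword(password);
        eap.setCaCertificate(ca); // the RADIUS server certificate must chain to this CA

        WifiConfiguration cfg = new WifiConfiguration();
        cfg.SSID = "\"" + ssid + "\"";
        cfg.allowedKeyManagement.set(WifiConfiguration.KeyMgmt.WPA_EAP);
        cfg.allowedKeyManagement.set(WifiConfiguration.KeyMgmt.IEEE8021X);
        cfg.enterpriseConfig = eap;
        return wm.addNetwork(cfg);
    }

    /** Android 4.0 to 4.2: hand the CA to the system installer. The user confirms in a
     *  system dialog and the outcome arrives in the caller's onActivityResult(). */
    static void requestInstall(Activity activity, X509Certificate ca) throws Exception {
        Intent intent = KeyChain.createInstallIntent();
        intent.putExtra(KeyChain.EXTRA_CERTIFICATE, ca.getEncoded());
        activity.startActivityForResult(intent, REQ_INSTALL_CA);
    }
}
```

Leaving the CA unset on an EAP profile means the client does not validate the authentication server, so a profile created this way should always carry the certificate.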
I am currently looking to solve the same issues. The best thing that I have found is KeyChain.choosePrivateKeyAlias() allowing the user to select which certificate to use for the SSL. From there you can retrieve the Alias name and pass it to the enterprise wifi configuration.
I'm looking for the same... as for your question, @Nikolay:
you cannot specify/force a name. Why do you care about the actual name?
The EAP profile needs the name of the already-installed-CA. If you look at the example in part 4, you can specify:
final String ENTERPRISE_CA_CERT = "";
In the example, the profile does not use the CA name, but that could be the case for other EAP profiles.
How do you use a .p12 certificate on Android?
I tried adding it at Menu/Settings/Location and security.
When I do this the certificate disappears from the SD card but when I go to the website that needs the .p12-certificate I just get a connection error.
The certificate, password, and URL are all good. I triple checked them.
I am not the only one with this issue, right? My colleagues with iPad / iPhone can use it easily but on Android it's a pain in the ass. They just double click on the .p12 file, give certificate password, and they are set.
How come it's not like this on Android?
Make sure you copy the certificates to root of SD card.
Click on Settings->Location & Security/Security->Install from SD card (scroll down -> Credential Storage).
Select the certificate.
Things have changed since the last answer in 2011. I'm doing this from an emulated Pixel 2 running Android R (version 10).
It's now possible to install the certificate from a download or from a Google Drive. The difference is trivial.
Installation
Settings->Security->Advanced->Encryption & credentials->Install a certificate
Here you'll select the type of certificate you want to install. In my case it's a CA certificate (Certificate Authority) which I use to test some systems.
At this point you'll get a warning screen. It's kind of important as the entire basis of your device's security relies on the integrity of your certificates. If this is messed up, your device will have to be wiped to be secure again.
But I assume you know what you're doing.
Tap Install anyway.
You're taken to a screen with files in your Downloads directory. You can scroll around to see the possibilities. You can also click on the hamburger icon in the top left to reveal more options, such as listing your Google Drive account.
Tap on the certificate file you want to install.
You may see a popup dialog asking you for the password to extract certificates. Hopefully the entity that supplied you with the certificate also gave you a password.
Type in the password and cross your fingers.
If all is well you'll get a Toast saying that the certificate was installed.
Verification
You can view the certificates you have installed via the following path:
Settings->Security->Advanced->Encryption & credentials->Trusted credentials and then clicking the USER tab.
Removing a certificate is as simple as tapping on it and then tapping the Remove button.
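A programmatic counterpart to the USER tab check above, useful for auditing a test device for leftover CAs; this is an added example, not part of the original answer. It assumes the `AndroidCAStore` keystore type (Android 4.0+) and relies on the `user:` alias prefix, which is AOSP behaviour rather than a documented API guarantee; the class name and the allow-list parameter are hypothetical.

```java
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Set;

public class UserCaAudit {
    /** Lowercase hex SHA-256 of the DER encoding, the usual certificate fingerprint. */
    static String sha256Hex(X509Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (byte b : digest) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    /**
     * Lists user-installed CA certificates whose fingerprint is not in the
     * expected set (pass an empty set to list every user-installed CA).
     */
    public static List<String> unexpectedUserCas(Set<String> expectedSha256) throws Exception {
        KeyStore ks = KeyStore.getInstance("AndroidCAStore");
        ks.load(null, null);
        List<String> findings = new ArrayList<>();
        for (String alias : Collections.list(ks.aliases())) {
            if (!alias.startsWith("user:")) continue; // skip the system (preinstalled) roots
            X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
            String fingerprint = sha256Hex(cert);
            if (expectedSha256.contains(fingerprint)) continue;
            findings.add(cert.getSubjectX500Principal().getName()
                    + " sha256=" + fingerprint
                    + " notAfter=" + cert.getNotAfter());
        }
        return findings;
    }
}
```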
To import the certificate, all I had to do was to use the My Files app (or any app that allows you to browse your filesystem), and then click on the p12 file. Once the certificate was imported, the apps requiring it for log-in prompted the option of using it.