How to Install Trusted CA Certificate on Android Device

How to install trusted CA certificate on Android device?

Prior to Android KitKat you have to root your device to install new certificates.

From Android KitKat (4.0) up to Marshmallow (6.0) it's possible and easy. I was able to install the Charles Web Debugging Proxy cert on my un-rooted device and successfully sniff SSL traffic.

Extract from http://wiki.cacert.org/FAQ/ImportRootCert

Before Android version 4.0, with Android version Gingerbread & Froyo, there was a single read-only file ( /system/etc/security/cacerts.bks ) containing the trust store with all the CA ('system') certificates trusted by default on Android. Both system apps and all applications developed with the Android SDK use this. Use these instructions on installing CAcert certificates on Android Gingerbread, Froyo, ...

Starting from Android 4.0 (Android ICS/'Ice Cream Sandwich', Android 4.3 'Jelly Bean' & Android 4.4 'KitKat'), system trusted certificates are on the (read-only) system partition in the folder '/system/etc/security/' as individual files. However, users can now easily add their own 'user' certificates which will be stored in '/data/misc/keychain/certs-added'.

System-installed certificates can be managed on the Android device in the Settings -> Security -> Certificates -> 'System' section, whereas the user trusted certificates are managed in the 'User' section there. When using user trusted certificates, Android will force the user of the Android device to implement additional safety measures: the use of a PIN code, a pattern lock or a password to unlock the device is mandatory when user-supplied certificates are used.

Installing CAcert certificates as 'user trusted'-certificates is very easy. Installing new certificates as 'system trusted'-certificates requires more work (and requires root access), but it has the advantage of avoiding the Android lockscreen requirement.

From Android N (7.0) onwards it gets a little harder; see this extract from the Charles proxy website:

As of Android N, you need to add configuration to your app in order to
have it trust the SSL certificates generated by Charles SSL Proxying.
This means that you can only use SSL Proxying with apps that you
control.

In order to configure your app to trust Charles, you need to add a
Network Security Configuration File to your app. This file can
override the system default, enabling your app to trust user installed
CA certificates (e.g. the Charles Root Certificate). You can specify
that this only applies in debug builds of your application, so that
production builds use the default trust profile.

Add a file res/xml/network_security_config.xml to your app:

<network-security-config>
    <debug-overrides>
        <trust-anchors>
            <!-- Trust user added CAs while debuggable only -->
            <certificates src="user" />
        </trust-anchors>
    </debug-overrides>
</network-security-config>

Then add a reference to this file in your app's manifest, as follows:

<?xml version="1.0" encoding="utf-8"?>
<!-- The android namespace declaration is required for the android:networkSecurityConfig attribute to resolve -->
<manifest xmlns:android="http://schemas.android.com/apk/res/android">
    <application android:networkSecurityConfig="@xml/network_security_config">
    </application>
</manifest>

Install CA Certificate on android emulator

On recent Android versions, it's no longer possible to install system certificates, and installing user certificates is much harder. It's not possible to just open the file normally to install it, and apps can't show you any prompts to trigger installation either.

For more details on the change and how this works, see https://httptoolkit.tech/blog/android-11-trust-ca-certificates/

The actual steps you need are:

  • Open settings
  • Go to 'Security'
  • Go to 'Encryption & Credentials'
  • Go to 'Install from storage'
  • Select 'CA Certificate' from the list of types available
  • Accept a large scary warning
  • Browse to the certificate file on the device and open it
  • Confirm the certificate install

Can't install CA certificate on Android 11

There's a tiny note about this in the Android 11 enterprise changelog here, which says:

Note: Apps installed on unmanaged devices or in a device's personal profile can no longer install CA certificates using createInstallIntent(). Instead, users must manually install CA certificates in Settings.

Sounds very much like this is intentional, and you won't be able to get around it on normal unmanaged devices. You'll either need to look into full Android device management, or provide instructions to your users on doing manual setup instead.

Note that registering your app as a normal device admin app is not sufficient either. To use the remaining DevicePolicyManager.installCaCert API your app must be the owner of the device or profile.

That means from Android 11+, you can do automatic setup for CA certs used only within separate & isolated work profiles on the device, or for fresh devices that you provision with your app pre-installed, and nothing else.

If you'd like this behaviour changed, there's an issue you can star & comment on in the Android tracker here: https://issuetracker.google.com/issues/168169729

How do I trust a certificate on android device?

This is due to limitations in recent versions of Android. On unrooted devices, it is impossible to install system certificates.

You can still intercept HTTPS traffic using just user certificates, but you will only be able to intercept apps that opt into this by explicitly trusting user certificates. Most apps don't do this, so this is useful for debugging your own apps, but not for reverse engineering other people's.

You have a few options:

  • You can root your device.
  • You can use an emulator - any emulator except the official 'Google Play' edition emulators will give you root access.
  • You can use user certificates only, and modify the app to trust your user certificates either by editing the network security config if it's your own app (instructions here: https://httptoolkit.tech/docs/guides/android/#intercepting-traffic-from-your-own-android-app) or using tools like apk-mitm if not to modify the APK (this can work easily, but not always, so in many cases you'll need to do some manual app modification).

There's a lot more info in the HTTP Toolkit docs here: https://httptoolkit.tech/docs/guides/android/

Android recognizes my self made CA certificate as a user certificate, and does not install it properly

I fixed the issue. I used Creating a CA and it worked fine.

To install it on Android though, you need to remove the human readable text from the output cacert.pem and leave only the certificate data, i.e. the one starting with -----BEGIN CERTIFICATE----- and ending with -----END CERTIFICATE-----, otherwise Android says "No certificate to install".

I think that the previous guide created a regular certificate and then used it as a CA certificate to sign the server certificate, but I'm only guessing, feel free to correct me.

Installing CA certificate on android in system context

Tim Biegeleisen's comment made me invest some time looking in the direction of accessing the API in plain text. Neither Android nor iOS allows this by default. Fortunately, it is possible to allow it for specific domains, which I think is an acceptable solution:

Android

Found here https://devblogs.microsoft.com/xamarin/cleartext-http-android-network-security/

  1. Add the following file and folder under resources in the Android project:
    xml\network_security_config.xml
  2. Add lines like this to the file:
    <?xml version="1.0" encoding="utf-8"?>
    <network-security-config>
        <domain-config cleartextTrafficPermitted="true">
            <domain includeSubdomains="true">10.0.2.2</domain> <!-- Debug port -->
            <domain includeSubdomains="true">xamarin.com</domain>
        </domain-config>
    </network-security-config>
  3. In Properties\AssemblyInfo.xml add android:networkSecurityConfig to the application header:
    <!-- The android namespace declaration is required for the android: attribute to resolve -->
    <manifest xmlns:android="http://schemas.android.com/apk/res/android">
        <application android:networkSecurityConfig="@xml/network_security_config">
            ...
        </application>
    </manifest>
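The two Android answers above (the Charles debug-overrides snippet and the Xamarin cleartext domain-config) are fragments of the same res/xml/network_security_config.xml. The following is an added example, not code from either original answer, showing how they combine into one file with a locked-down production default: the base-config keeps cleartext off and trusts only the system CA store, a single domain-config opens cleartext for the emulator's host loopback address 10.0.2.2 (assumed to be the developer's local backend), and debug-overrides extends trust to user-installed CAs only in builds marked android:debuggable="true". The hostnames and the choice to scope cleartext to one address are assumptions for illustration.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml
     Added example (not from the original answers); 10.0.2.2 is assumed
     to be a local development backend reached from the emulator. -->
<network-security-config>

    <!-- Production default for every host not matched below:
         no cleartext HTTP, and only the system CA store is trusted,
         so a user-installed CA cannot intercept release builds. -->
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>

    <!-- Cleartext is permitted only for the emulator host loopback.
         includeSubdomains="false" keeps the exception as narrow as possible. -->
    <domain-config cleartextTrafficPermitted="true">
        <domain includeSubdomains="false">10.0.2.2</domain>
    </domain-config>

    <!-- Honoured only when the app is debuggable. Here user-added CAs
         (for example a debugging proxy's root certificate installed via
         Settings) are trusted alongside the system store. Release builds
         ignore this block entirely and fall back to base-config. -->
    <debug-overrides>
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />
        </trust-anchors>
    </debug-overrides>

</network-security-config>
```

The file only takes effect once the manifest's application element references it with android:networkSecurityConfig="@xml/network_security_config", as shown in the answers above. Keeping user CAs inside debug-overrides rather than base-config is the important design choice: it lets a developer inspect their own app's traffic on a device where they installed a user certificate, without shipping a release build that any user-installed CA could intercept.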

iOS

Found here: https://stackoverflow.com/a/33306373/3883521

In Info.plist, add something like this:

<key>NSAppTransportSecurity</key>
<dict>
    <key>NSExceptionDomains</key>
    <dict>
        <key>domain.com</key>
        <dict>
            <key>NSExceptionAllowsInsecureHTTPLoads</key>
            <true/>
            <key>NSIncludesSubdomains</key>
            <true/>
        </dict>
    </dict>
</dict>

Change domain.com to your domain.

Can't install CA certificate on Android 11 on Work Profile

It's been a while and I made progress and observed multiple MDM platforms.

Most MDM clients do use this API to install certificates programmatically, but it's being activated from the MDM management platform rather than the MDM DPC app itself.

So if my goal is to install a certificate that is generated on the device, it cannot be done using the MDM DPC app (at least not using the MDM platforms I encountered).

However, I can still install a certificate using the MDM management platform, usually for root CA certificates which are deployed on multiple devices rather than per-device certificates.
