Commit 7fb06aa6 authored by phoeagon's avatar phoeagon
updated README

parent c3792f3e
......@@ -4,3 +4,74 @@ Android Certificates Blacklisting
This tool generates flashable zip to use with custom recovery on an
Android 4.1+ device.
## Introduction
This utility blacklists CA and EE certificates.
## Usage
First, use `git` to clone the whole repo. `cd` to this dir. Use `generate.sh`
to generate the configuration files you need.
git clone [REPO_ADDRESS]
cd RevokeChinaCerts/Android
./generate.sh extended
By substituting `extended` with `base` or `all` you can get corresponding configuration files.
### If you have root
If you have a rooted Android device and appropriate ADB drivers installed,
use `rooted.sh` to transfer the configuration files to your device.
./rooted.sh
Then, reboot the device so that the new configuration applies.
If the above method fails, please use the recovery-based approach described below.
### Recovery-based approach
After you run `generate.sh` you get a `flashable.zip` in the current folder,
which can be flashed on to Android via a custom recovery.
## Notes
The utility changes configurations under `/data` partition of your Android device,
which is wiped every time you do a factory reset or flash a factory image.
This utility doesn't remove any certificates under `/system` and should not
cause any trouble when doing OTAs. Still, this configuration overrides the certs
installed on your system. (That's to say, if you remove trust of *Wosign* using
this tool, manually installing the CA cert from *Wosign* *DOES NOT* cause
the system to see certs issued by Wosign as valid.)
On Android, each application can define its own policy of certificate validation.
An application may define custom methods to accept only some specific certificates (aka
pinning, which is also available system-wide), or accept whatever certificate regardless
of its issuer (e.g., Twidere). Having certs removed with this tool does NOT guarantee that
a particular app rejects certificates associated with those.
Blacklisting in Android works as follows. The CA certs are blacklisted by the
SHA1 checksum of their public keys and EE certs the serial number. Since serial
numbers are only required to be unique for respective certificate authorities,
blacklisting serial numbers may accidentally blacklist other *innocent* ones, especially
when the serial number is small.
The certificate blacklisting in Android is probably updated via the Play services,
and installing this tool may interfere with future blacklistings from Google, which is probably
done when setting up the first Google Account on a device and maybe sometime later. Although,
Google didn't push much certificate revocation info through this channel. Up to now (Feb of 2015)
the blacklists consists of only two respectively:
CA Public Key: 5f3ab33d55007054bc5e3e5553cd8d8465d77c61,
783333c9687df63377efceddd82efa9101913e8e
Serial Number: 827,864 [These are hex values]
Installing this tool may prevent you from getting an updated blacklist,
should a next Diginotar occurs.
For more detailed description on certificate blacklisting on Android, see
[here](http://nelenkov.blogspot.hk/2012/07/certificate-blacklisting-in-jelly-bean.html). And
[here](http://nelenkov.blogspot.hk/2012/12/certificate-pinning-in-android-42.html) for
certificate pinning.
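Review bot: the Notes section states that this tool overrides the blacklist Google pushes through Play services, but nothing in the README describes how to undo the change; a short "Reverting" subsection (which files under `/data` the scripts write and how to restore or delete them so stock behaviour returns) would let users recover without a factory reset. Two smaller points in the same section: "Serial Number: 827,864 [These are hex values]" reads as a single decimal number, so writing the two serials as `0x827` and `0x864` would match the sentence "the blacklists consists of only two respectively" (which itself should read "the blacklists consist of only two each"), and "should a next Diginotar occurs" should read "should another DigiNotar occur". Finally, since the README itself warns that serial-number blacklisting can match unrelated certificates with the same small serial, listing which public-key hashes and serials each of `base`, `extended` and `all` installs would let users audit the change before flashing.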