From 7fb06aa67550eb7fff5a627b80e5afa1a825592e Mon Sep 17 00:00:00 2001 From: phoeagon <phoeagon@gmail.com> Date: Sun, 22 Feb 2015 22:55:58 +0800 Subject: [PATCH] updated README --- Android/README | 71 ++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 71 insertions(+) diff --git a/Android/README b/Android/README index 3d980e6..7f9b9ba 100644 --- a/Android/README +++ b/Android/README 
@@ -4,3 +4,74 @@ Android Certificates Blacklisting This tool generates flashable zip to use with custom recovery on an Android 4.1+ device. +## Introduction + +This utility blacklists CA and EE certificates. + +## Usage + +First, use `git` to clone the whole repo. `cd` to this dir. Use `generate.sh` +to generate the configuration files you need. + + git clone [REPO_ADDRESS] + cd RevokeChinaCerts/Android + ./generate.sh extended + +By substituting `extended` with `base` or `all` you can get corresponding configuration files. + +### If you have root + +If you have a rooted Android device and appropriate ADB drivers installed, +use `rooted.sh` to transfer the configuration files to your device. + + ./rooted.sh + +Then, reboot the device so that the new configuration applies. + +If the above method fails, please use the recovery-based approach described below. + +### Recovery-based approach + +After you run `generate.sh` you get a `flashable.zip` in the current folder, +which can be flashed on to Android via a custom recovery. + +## Notes + +The utility changes configurations under `/data` partition of your Android device, +which is wiped every time you do a factory reset or flash a factory image. + +This utility doesn't remove any certificates under `/system` and should not +cause any trouble when doing OTAs. Still, this configuration overrides the certs +installed on your system. (That's to say, if you remove trust of *Wosign* using +this tool, manually installing the CA cert from *Wosign* *DOES NOT* cause +the system to see certs issued by Wosign as valid.) + +On Android, each application can define its own policy of certificate validation. +An application may define custom methods to accept only some specific certificates (aka +pinning, which is also available system-wide), or accept whatever certificate regardless +of its issuer (e.g., Twidere). 
Having certs removed with this tool does NOT guarantee that +a particular app rejects certificates associated with those. + +Blacklisting in Android works as follows. The CA certs are blacklisted by the +SHA1 checksum of their public keys and EE certs the serial number. Since serial +numbers are only required to be unique for respective certificate authorities, +blacklisting serial numbers may accidentally blacklist other *innocent* ones, especially +when the serial number is small. + +The certificate blacklisting in Android is probably updated via the Play services, +and installing this tool may interfere with future blacklistings from Google, which is probably +done when setting up the first Google Account on a device and maybe sometime later. Although, +Google didn't push much certificate revocation info through this channel. Up to now (Feb of 2015) +the blacklists consists of only two respectively: + + CA Public Key: 5f3ab33d55007054bc5e3e5553cd8d8465d77c61, + 783333c9687df63377efceddd82efa9101913e8e + Serial Number: 827,864 [These are hex values] + +Installing this tool may prevent you from getting an updated blacklist, +should a next Diginotar occurs. + +For more detailed description on certificate blacklisting on Android, see +[here](http://nelenkov.blogspot.hk/2012/07/certificate-blacklisting-in-jelly-bean.html). And +[here](http://nelenkov.blogspot.hk/2012/12/certificate-pinning-in-android-42.html) for +certificate pinning. -- GitLab
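Review bot: In the Notes section the line `Serial Number: 827,864 [These are hex values]` is easy to misread as the single decimal value 827864; list the two serials as separate hex literals (`0x827`, `0x864`) and label the two SHA1 lines explicitly as public-key fingerprints of CA certs, since the preceding paragraph says CA certs are keyed by public-key SHA1 and EE certs by serial. The same paragraph hedges twice with "probably" about how Google delivers blacklist updates; either cite a source or drop the speculation, and move the one operational caveat that matters to users (installing the tool may prevent future blacklist updates from Google) to its own line at the top of Notes rather than after the value dump. Because the text itself warns that small serial numbers can collide with innocent certs, the README should also state which serial numbers each of `base`, `extended` and `all` adds so a user can judge that risk before flashing; the Usage section currently gives no description of what those three `generate.sh` options cover, and `[REPO_ADDRESS]` should be the real clone URL. Grammar: "the blacklists consists of only two respectively" should read "each blacklist contains only two entries", "should a next Diginotar occurs" should read "should another DigiNotar incident occur", and "flashed on to Android" should be "flashed onto Android".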