java – How to remove App installed trusted CA cert on uninstalling the App-ThrowExceptions

Exception or error:

I have an app that gives option to install CA cert and it gets stored in the user tab of Trusted Credentials and it works as expected.

FYI (This is how I install the cert):

// Build the system's certificate-install intent (imports assumed: android.content.Intent, android.security.KeyChain)
Intent installIntent = KeyChain.createInstallIntent();
javax.security.cert.X509Certificate x509 = javax.security.cert.X509Certificate.getInstance(caRootCertBytes);
// DER-encoded certificate plus the display name shown in Trusted credentials
installIntent.putExtra(KeyChain.EXTRA_CERTIFICATE, x509.getEncoded());
installIntent.putExtra(KeyChain.EXTRA_NAME, caRootCertName);
startActivity(installIntent);

If the app is uninstalled the cert remains in the Trusted credentials.

I would like the cert to be uninstalled when the application is uninstalled.

I thought of removing the cert using deleteEntry method of KeyStore.

FYI (I haven’t tested it though. Hopefully it should work. I will update once I have tested it.)

// Imports assumed: java.security.KeyStore, java.util.Enumeration.
// Note: this block throws checked exceptions (KeyStoreException, IOException,
// NoSuchAlgorithmException, CertificateException) that the caller must handle.
javax.security.cert.X509Certificate x509 = javax.security.cert.X509Certificate.getInstance(caRootCertBytes);
// Issuer name of the CA that was installed (for a self-signed root this equals its subject)
String name = x509.getIssuerDN().getName();

KeyStore ks = KeyStore.getInstance("AndroidCAStore");
if (ks != null) {
    ks.load(null, null);
    Enumeration<String> aliases = ks.aliases();
    while (aliases.hasMoreElements()) {
        String alias = aliases.nextElement();
        java.security.cert.X509Certificate cert = (java.security.cert.X509Certificate) ks.getCertificate(alias);
        if (cert != null && cert.getIssuerDN().getName().contains(name)) {
            // The system CA store is not writable by ordinary apps, so expect
            // this call to fail; removal is done by the user via Settings.
            ks.deleteEntry(alias);
        }
    }
}

Even if you consider that the above code works, AFAIK I can’t register a broadcast receiver for the uninstallation of my own app.

How can I go about removing the cert that is installed by my app on uninstallation of my app?

Any help is appreciated !

How to solve:

You can’t get the broadcast of a package being uninstalled for your own package.
This may lead to inconsistency in the system.
See this answer.

###

Lookout Mobile has blogged about this due to the DigiNotar events, and provided some pretty good (read: lengthy) instructions which you can find here.

The gist of it is that you need to pull /system/etc/security/cacerts.bks and then remove the CAs from the store, then push the store back to the device and reboot. Their instructions require that you have Bouncy Castle (for decrypting the store), root access, and a working adb connection. I’m not sure if this applies to all versions of Android or not, but my guess would be that the location of the CA store hasn’t changed in quite some time (if ever).

###

As far as I know there is only a broadcast that tells that the uninstall has completed: ACTION_PACKAGE_REMOVED.

After uninstalling the app MyCertApp the event ACTION_PACKAGE_REMOVED is broadcast. The code that handles ACTION_PACKAGE_REMOVED in MyCertApp is already gone at that time.

You can do the post-processing only with a second independent app that is still there and that can uninstall itself after receiving that MyCertApp is gone.

The other hypothetical solution may be that your app has a menu item “uninstall MyCertApp”. I do not know if it is possible for an app to uninstall itself.
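The companion-app approach from the answer above, as an added example that is not from the original post: a receiver in a second app watches for the cert-installing app being removed, sends the user to the security settings (where the User tab of Trusted credentials allows removing the CA, since third-party apps cannot delete from the system CA store themselves) and then requests its own uninstall. The package name and the manifest registration (an intent filter for android.intent.action.PACKAGE_REMOVED with a package data scheme) are assumptions.

```java
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.net.Uri;
import android.provider.Settings;

/**
 * Companion-app receiver (added example). Assumed to be registered in the
 * companion's manifest with an intent filter for
 * android.intent.action.PACKAGE_REMOVED and <data android:scheme="package"/>.
 */
public class CertAppRemovedReceiver extends BroadcastReceiver {
    // Hypothetical package name of the app that installed the CA certificate.
    static final String CERT_APP_PACKAGE = "com.example.mycertapp";

    @Override
    public void onReceive(Context context, Intent intent) {
        if (!Intent.ACTION_PACKAGE_REMOVED.equals(intent.getAction())) {
            return;
        }
        // The removed package arrives as a "package:<name>" URI.
        Uri data = intent.getData();
        if (data == null || !CERT_APP_PACKAGE.equals(data.getSchemeSpecificPart())) {
            return; // some other package was removed
        }
        // An update (uninstall followed by reinstall) also fires
        // PACKAGE_REMOVED with EXTRA_REPLACING set; the CA should stay then.
        if (intent.getBooleanExtra(Intent.EXTRA_REPLACING, false)) {
            return;
        }
        // Ordinary apps cannot delete entries from the trusted CA store, so
        // hand the user to the security settings to remove the CA manually.
        Intent settings = new Intent(Settings.ACTION_SECURITY_SETTINGS);
        settings.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
        context.startActivity(settings);

        // Ask the system to uninstall the companion itself; the user confirms
        // the dialog, so this cannot happen silently.
        Intent uninstallSelf = new Intent(Intent.ACTION_DELETE,
                Uri.parse("package:" + context.getPackageName()));
        uninstallSelf.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
        context.startActivity(uninstallSelf);
    }
}
```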
