The cert store system on Android seems sub-optimal. I see that there is an active bug discussing some aspects of this: http://code.google.com/p/android/issues/detail?id=11231

There seems to be some confusion around how many cert stores there are, which applications/services use which, and how one goes about changing them. There are several bugs that relate to these issues in one way or another, but I thought it might be useful to have a higher-level discussion about how Android should approach certs.

It seems that it would be ideal to have a single OS-wide cert store that is easily customizable by users -- similar to what you get with NSS or OS X (I won't use Windows as an example given its misleading cert-auto-update service).

As it stands, I don't believe that there is even a way to browse what is in the Keystore-service cert store, let alone disable certs. The only thing that seems possible is to add additional certs, but based on the discussion in bug 11231 it doesn't seem like that store is used by the browser or email. Is that right?

On a possibly relevant note, it seems like the Keystore-service certs live in /system/etc/security/. On my G2, this memory is write-protected. Does this have an effect on the ability to install custom certs?

Cheers,
Steve
