list certificate stored in user credentials

android ssl pkcs#12 android-7.0-nougat android-7.1-nougat
Mellon picture Mellon · Nov 1, 2016 · Viewed 10.7k times · Source

In Android 7 Nougat, user installed certificate goes to "User credentials" instead of "Trusted credentials"(which consists of system credential & user credential).

I used to access "Trusted credentials" by:

KeyStore keystore = KeyStore.getInstance("AndroidCAStore");

through the above code I can then access system & user trusted credentials.

But now, in Android 7, user installed certificate goes to a separate place called "User credentials" under Settings --> Security --> User credentials.

My question is how can I programmatically list the credentials inside User credentials in Android 7?

Answer

Pravin Divraniya picture Pravin Divraniya · Nov 22, 2016

To provide a more consistent and more secure experience across the Android ecosystem, beginning with Android Nougat, compatible devices trust only the standardized system CAs maintained in AOSP.

Previously, the set of pre-installed CAs bundled with the system could vary from device to device. This could lead to compatibility issues when some devices did not include CAs that apps needed for connections as well as potential security issues if CAs that did not meet our security requirements were included on some devices.

First, be sure that your CA needs to be included in the system. The preinstalled CAs are only for CAs that meet our security requirements because they affect the secure connections of most apps on the device. If you need to add a CA for connecting to hosts that use that CA, you should instead customize your apps and services that connect to those hosts. For more information on Customizing trusted CAs.

In above link you can find all the necessary information for trusting custom CAs with different needs like

  1. Trusting custom CAs for debugging
  2. Trusting custom CAs for a domain
  3. Trusting user-added CAs for some domains
  4. Trusting user-added CAs for all domains except some
  5. Trusting user-added CAs for all secure connections

So, Basically you need to add a Security Configuration File and Configure a custom CA(For Android 7.0 (API level 24) and higher).

In Your manifest.xml

<manifest ... >
    <application android:networkSecurityConfig="@xml/network_security_config"
                    ... >
        ...
    </application>
</manifest>

In res/xml/network_security_config.xml:

<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <domain-config>
        <domain includeSubdomains="true">example.com</domain>
        <trust-anchors>
            <certificates src="@raw/my_ca"/>
        </trust-anchors>
    </domain-config>
</network-security-config>

Just for Information :- If you operate a CA that you believe should be included in Android, first complete the Mozilla CA Inclusion Process and then file a feature request against Android to have the CA added to the standardized set of system CAs.

Let me know for any further help.

Hope this will help you. Keep Coding!!!

Related questions

How do you use a .p12 certificate on Android?

How do you use a .p12 certificate on Android? I tried adding it at Menu/Settings/Location and security. When I do this the certificate disappears from the SD card but when I go to the website that needs the .…

Read More
Now that SSLSocketFactory is deprecated on Android, what would be the best way to handle Client Certificate Authentication?

I am working on an Android app that requires Client Certificate Authentication (with PKCS 12 files). Following the deprecation of all that's apache.http.*, we have started a pretty big work of refactoring on our network layer, and we have decided …

Read More
How to install trusted CA certificate on Android device?

I have created my own CA certificate and now I want to install it on my Android Froyo device (HTC Desire Z), so that the device trusts my certificate. Android stores CA certificates in its Java keystore in /system/etc/…

Read More