Android: where should I look for certificate revocation list?

I would like to get the list of all revoked certificates downloaded on an Android device. I know that this class allows you to check whether a certificate is revoked or not, but I want to get the whole list of revoked certificates. Is it possible? Does Android store such a list, or does it use OCSP to check the certificates?

Alex asked Oct 26 '18 18:10

1 Answer

It would appear that Android does not store a certificate revocation list (or at least if it does then it doesn't use it). There's a reddit thread from a few years ago that brings this up and discusses the pros/cons of it, but the essence of it is that if you go to https://revoked.grc.com/ (which should throw an error if your browser checks for revoked certificates) on mobile Chrome, you'll be notified that your browser doesn't check for revoked certificates.

From the page above (revoked.grc.com, which you shouldn't be able to see unless you're using a browser without a CRL):

The mobile Android platform currently offers no certificate revocation checking of its own, so Android apps (including all users of Google's Chrome browser) are vulnerable to malicious certificate abuse. The only way to use Android securely today is with Firefox, which brings along its own certificate security.

A couple more sources I found (again a few years old, but they still seem to be relevant and accurately describe the current situation):

  • An issue on the OkHttp (an Android HTTP client) GitHub discussing whether to add certificate revocation checks, where they decide not to

  • The CommonsBlog, discussing the lack of certificate revocation checks on Android

  • A Chromium issue about the lack of a CRL, where one of the developers states that it won't be added and presents the justification:

    Marking this WontFix for two reasons:

    1) Revocation checking is the responsibility of Android and the related SSL APIs. Android itself does not and has never performed revocation checking [...]

    2) Revocation checking generally doesn't work (as a security feature), and especially for mobile, greatly affects performance (negatively) and privacy (negatively)

Matthew Schlachter answered Sep 28 '22 06:09
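Since the answer's sources agree that the platform performs no revocation checking on its own, an app that needs it has to opt in itself. The following is an added example, not code from the question, the answer, or any of the linked projects: it validates a server chain against the system trust anchors with a `PKIXRevocationChecker` attached, so OCSP is consulted first and the CRL distribution points named in the certificate are used as fallback. It assumes the device exposes its trust store as the `AndroidCAStore` KeyStore type and that the PKIX `CertPathValidator` on the device supports `getRevocationChecker()` (the API surface exists from API level 24; whether the installed provider actually fetches OCSP/CRL data is an assumption to verify on the target device). The `Result` enum and the class name are mine.

```java
import java.io.ByteArrayInputStream;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.PKIXRevocationChecker;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.EnumSet;
import java.util.List;

/**
 * Added example (not from the question or the answer): opt-in revocation
 * checking for a server certificate chain on Android.
 *
 * Assumptions, stated because the page does not confirm them:
 *  - the platform trust store is exposed as the "AndroidCAStore" KeyStore type;
 *  - the PKIX CertPathValidator supports getRevocationChecker() (API level 24+).
 */
public final class RevocationCheckingValidator {

    /** Distinguishes "known revoked" from "could not find out" for the caller. */
    public enum Result { VALID, REVOKED, UNDETERMINED, INVALID }

    private RevocationCheckingValidator() {}

    /**
     * @param encodedChainLeafFirst DER-encoded certificates, leaf first, as
     *                              delivered by the TLS handshake
     */
    public static Result validate(List<byte[]> encodedChainLeafFirst) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = new ArrayList<>();
        for (byte[] encoded : encodedChainLeafFirst) {
            chain.add((X509Certificate) cf.generateCertificate(new ByteArrayInputStream(encoded)));
        }
        CertPath certPath = cf.generateCertPath(chain);

        // Trust anchors come from the device's system CA store (assumed type "AndroidCAStore").
        KeyStore trustStore = KeyStore.getInstance("AndroidCAStore");
        trustStore.load(null, null);
        PKIXParameters params = new PKIXParameters(trustStore);

        // The platform never checks revocation on its own, so attach a checker explicitly.
        // PKIXRevocationChecker defaults: OCSP first, CRL distribution points as fallback.
        // An empty option set means no SOFT_FAIL: an unreachable responder is reported
        // as UNDETERMINED_REVOCATION_STATUS instead of being silently ignored.
        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        PKIXRevocationChecker revocationChecker =
                (PKIXRevocationChecker) validator.getRevocationChecker();
        revocationChecker.setOptions(EnumSet.noneOf(PKIXRevocationChecker.Option.class));
        // A checker added this way runs regardless of params.setRevocationEnabled().
        params.addCertPathChecker(revocationChecker);

        try {
            validator.validate(certPath, params);
            return Result.VALID;
        } catch (CertPathValidatorException e) {
            if (e.getReason() == CertPathValidatorException.BasicReason.REVOKED) {
                return Result.REVOKED;
            }
            if (e.getReason() == CertPathValidatorException.BasicReason.UNDETERMINED_REVOCATION_STATUS) {
                return Result.UNDETERMINED; // responder/CRL unreachable; a fail-closed client rejects here
            }
            return Result.INVALID; // expired, untrusted anchor, name mismatch, etc.
        }
    }
}
```

Call `validate` from a background thread, because the checker performs network I/O and Android rejects network access on the main thread. The `UNDETERMINED` branch is exactly the trade-off the quoted Chromium comment is about: treating it as success is "soft fail", which is what makes revocation checking weak as a security feature, while treating it as failure costs availability whenever the responder is slow or blocked.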