Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Android: where should I look for certificate revocation list?

Tags:

android

certificate-revocation

I would like to get the list of all revoked certificates list downloaded on an Android device? I know that this class allows you to check if a certificate is revoked or not, but I want to get the whole list of revoked certificates. Is it possible? Does Android store such a list or it uses OCSP to check the certificates?

like image 416
Alex Avatar asked Oct 26 '18 18:10

Alex

1 Answers

It would appear that Android does not store a certificate revocation list (or at least if it does then it doesn't use it). There's a reddit thread from a few years ago that brings this up and discusses the pros/cons of it, but the essence of it is that if you go to https://revoked.grc.com/ (which should throw an error if your browser checks for revoked certificates) on mobile Chrome, you'll be notified that your browser doesn't check for revoked certificates.

From the page above (revoked.grc.com, which you shouldn't be able to see unless you're using a browser without a CRL):

The mobile Android platform currently offers no certificate revocation checking of its own, so Android apps (including all users of Google's Chrome browser) are vulnerable to malicious certificate abuse. The only way to use Android securely today is with Firefox, which brings along its own certificate security.

A couple more sources I found (again a few years old, but they still seem to be relevant and accurately describe the current situation):

  • An issue on the OkHttp (an Android http client) github discussing whether to add certificate revocation checks, where they decide not to

  • The CommonsBlog, discussing the lack of certificate revocation checks on Android

  • A Chromium issue about the lack of a CRL, where one of the developers states that it won't be added and presents the justification:

    Marking this WontFix for two reasons:

    1) Revocation checking is the responsibility of Android and the related SSL APIs. Android itself does not and has never performed revocation checking [...]

    2) Revocation checking generally doesn't work (as a security feature), and especially for mobile, greatly affects performance (negatively) and privacy (negatively)

like image 168
Matthew Schlachter Avatar answered Sep 28 '22 06:09

Matthew Schlachter
Sign in to Comment

Related questions

ClassNotFoundException when "implementation" is used for library dependency of a library
How Can I Link Firebase Phone Authentication with Email/Password Authentication?
Failed to resolve: com.android.support:support-v4:26.0.2
Espresso test on Android P Preview: Detected problems with API compatibility error
Android SafetyNet API fails when using API key restriction
AGPBI: {"kind":"error","text":"Program type already present: com.google.common.annotations.GwtCompatible","sources":[{}],"tool":"D8"}
In Android Elevation/Shadow is not showing when generating Bitmap of a View
NoClassDefFoundError while running unit tests with Roboelectric 3.8
How to check a certain data already exists in firestore or not
showing a progress bar with android paging library
Google Cloud Functions - Client Call Error (Android Studio) :FirebaseFunctionsException: Response is not valid JSON object
MediaRecorder and VideoSource.SURFACE, stop failed: -1007 (a serious Android bug)
startForeground() always shows a popup on Samsung 8.0 device
Tracing an SVG path
Why can I re-assign a new value to a final variable in Android AIDE?
Can we extract public/private keys from the Android Keystore?
getExternalFilesDir permissions
How to dispose Rx in WorkManager?
In Dynamic Feature Module can not access Resource file
Migration to AndroidX

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!