how to install CA certificate programmatically on Android without user interaction

Question

I'm trying to install certificates without prompting the user. I know this is not good practice, but that's what PM wants.

Using KeyChain.createInstallIntent(), I can get Android to launch the certificate installation dialog by calling startActivity. However, when I pass the intent to sendBroadcast, nothing happens. Maybe the platform doesn't support this for security reasons?

String CERT_FILE = Environment.getExternalStorageDirectory() + "/test/IAT.crt"; Intent intent = KeyChain.createInstallIntent(); try {     FileInputStream certIs = new FileInputStream(CERT_FILE);     byte [] cert = new byte[(int)certFile.length()];     certIs.read(cert);     X509Certificate x509 = X509Certificate.getInstance(cert);     intent.putExtra(KeyChain.EXTRA_CERTIFICATE, x509.getEncoded());      intent.putExtra(KeyChain.EXTRA_NAME, "IAT Cert");     EapActivity.this.startActivityForResult(intent, 0);  // this works but shows UI     EapActivity.this.sendBroadcast(intent);  // this doesn't install cert } catch (IOException e) { 

Answer 1

You can only install certificates silently if you have system privileges. Showing up a confirmation dialog is intentional, since trusting certificates can have serious consequences -- Android could happily open phishing sites without a warning, etc. That said, the dialog in ICS/JB is pretty bad -- it doesn't tell you what certificate you are installing and who issued it, just that it's a CA certificate, which is kind of obvious.

So, either use the public KeyChain API and use startActivity() to get the confirmation dialog, or pre-provision devices before handling them to users.

Update: In Android 4.4, DevicePolicyManager has a hidden API (installCaCert) that allows you to install certificates silently. You need the MANAGE_CA_CERTIFICATES permission, which is signature|system, so still not doable for user-installed apps.