Sunday, October 28, 2012

Assume Any Motorola Android is as Secure as a Bank of America Home Loan

I was trying to figure out where Android devices keep their keystore file for trusted Certificate Authorities (CAs) so I could audit mine.  One of the first answers Google brought me was advice from Motorola

They described exactly what I was thinking about:

"add and remove additional root certificates including self-signed ones. So companies, which release their own root certificates for their employees are able to install them on Motorola phones."

Great, some advice on adjusting who I trust!

Wait!!!!

"Copy the certificate (.p12) file to the memory card. (There is no need to create a unique folder)"
Umm, but a PKCS12 file has to contain the certificate AND the associated private key.  Am I expected to just ask the CA operator to had that over?   I'm sure they'll be emailing that to me at any moment.

I did a bit more poking around and Motorola may not be the only one to blame. It appears that a few Android implementations are only aware of one certificate format.

Dear Motorola, please do not engage in crypto or crypto advice unless you have a clue.  When trusting a CA or a cert explicitly, the file formats are PEM and DER.

I know this topic is boring, but really, if you can't do PKI and basic crypto and you are in any form of IT, your days of employment are numbered.

No comments:

Post a Comment