
This is a follow-up question related to this answer.

In short: I am importing the self-signed Root CA certificate into the Android system via

Settings -> Security -> Trusted Credentials -> install from SD

The path differs slightly between Android versions.

Then I point any browser (tested with Firefox, Chrome and Opera) to the secure (JavaScript-based) resource and receive a socket error. The resource is an index.html with JS WebSocket logic to connect securely to a Mosquitto broker.

If, on the other hand, I point the browser to "https://myserver:<mysecure port>", I receive a privacy warning, can continue unsafely, and this somehow sets a cookie or other storage entry, so that I am then able to make future requests over the JS-based secure resource.

It feels that browsers on Android do not make use of the system's user-imported CA certificates, although they are listed in the trusted certificates "User" tab and in the Trusted Credentials area.

Tested with Android 7.1.2 and 10. All desktop browsers work fine, tested on Ubuntu / Mint & Raspberry Pi.

How to accomplish browser-based TLS requests on Android without accepting unsafe privacy risks?

Additional test:

I've tested the same thing on an iOS 13.3 iPhone 7, importing the CA certificate and putting the secure resource on a proper web space, since local file access isn't possible on iOS. It worked out of the box.

So it seems to be a real Android issue. It might make sense to move this question to an Android space. Could someone make a suggestion, please?

Further research:

Here is a detailed explanation of how to get a custom certificate into the system's certificate section. But to be honest, that's not a usual way to go. Root access is not for ordinary mortals, plus it might not work for more recent Android versions.

User certificates are for Android applications written by yourself. You can have a few lines of property settings in app.config to work with your self-signed user certificates.

Chrome and other browsers, on the other hand, are kind of system applications, or applications from vendors, not made to be aware of specific user certificates. And that's the only valid reason why they will not know of certificates in the user section. They only know of system certificates.

So the only remaining way seems to be making your own application, or somehow recompiling a whole browser application and configuring it to look for user certificates.

This is quite cumbersome and unsatisfying, since the web would give you all you need on any device, except Android of course, which forces a detour.

woodz
    I recall a similar issue, whereby the system managed certificate store differs from the user managed certificate store. You'd need to root the device to modify the system cert store, otherwise you can't get your root CA in. There's also the possibility that you'd need to explicitly trust the certificate like you need to on iOS. But I haven't done any of this in a while so wouldn't know the details. – Pedro Jul 01 '20 at 12:39
  • @Pedro: yes seems so and I got a valuable resource which manifests the assumption. I'll edit my question – woodz Jul 01 '20 at 20:31
  • For reference, I have an Android 10 phone with a user trusted CA certificate installed and am able to access internal sites with CA issued certificates without a problem, using all but Firefox (which uses its own CA list, not the phone's). I'm afraid I can't think of anything that would cause this problem on specifically a phone when desktops work fine though. Browsers tested on my phone were Chrome and Edge. Presumably you installed for "VPN and Apps" and rebooted your device? – Unencoded Jul 02 '20 at 18:16
  • @Unencoded: to your questions, yes I did. Tried also for WiFi but this results in nothing listed under trusted certificates "User" tab and in the trusted credentials. So this way has zero relevance. I'll give it another try – woodz Jul 02 '20 at 18:23
  • Yes I doubted it would be so simple, you have certainly done your research! All I can think of is looking at Android apps that may help you debug why the certificate isn't trusted - perhaps https://play.google.com/store/apps/details?id=de.feuerbergsoftware.ssl_checker – Unencoded Jul 02 '20 at 18:33
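As an added illustration of the per-app opt-in the question alludes to (this is not code from the post, its comments, or any project named here): since Android 7.0, an app targeting API 24 or later trusts only the system CA store unless its Network Security Configuration explicitly adds the user store, which is why a root installed under Trusted Credentials can be listed there and still be ignored. The hostname myserver comes from the question; the file name network_security_config.xml and the resource name my_root_ca are assumed.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml (assumed name), referenced from
     AndroidManifest.xml as
       <application android:networkSecurityConfig="@xml/network_security_config" ...>
     Without such a file an app targeting API 24+ gets the implicit default
       <base-config><trust-anchors><certificates src="system"/></trust-anchors></base-config>
     i.e. system CAs only; a root installed via Settings > Security >
     Trusted Credentials lands in the user store and is never consulted. -->
<network-security-config>
    <!-- Keep the strict default for every other host: system CAs, no cleartext. -->
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system"/>
        </trust-anchors>
    </base-config>

    <!-- Narrow opt-in: honour the user store only for the broker host the
         WebSocket client talks to, not for every connection the app makes. -->
    <domain-config>
        <domain includeSubdomains="false">myserver</domain>
        <trust-anchors>
            <certificates src="system"/>
            <certificates src="user"/>
            <!-- Alternative that avoids the user store entirely: bundle the
                 self-signed root (PEM or DER) as res/raw/my_root_ca (assumed
                 name) and trust only it for this host:
                 <certificates src="@raw/my_root_ca"/> -->
        </trust-anchors>
    </domain-config>
</network-security-config>
```

The `domain-config` scoping limits the blast radius of a compromised or carelessly installed user CA to the one host that actually needs it, which the browsers' all-or-nothing behaviour described in the question cannot offer.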

0 Answers