Guardian Project CA Bundle for Android
In response to growing concerns about the less-than-trustworthy state of the global Certificate Authority ecosystem, we have decided to begin curating our own CACert keystore for use on Android devices.
TODO: How to use the pinned certificate store?
Projects using this cacert
- NetCipher - strong TLS verification and proxy library for Android
We rely on Debian's tool to parse the Mozilla trust database and output PEM encoded certificates, which we then combine into a keystore ready for inclusion in Android.
    git submodule update --init --recursive
    make
The resulting keystore will be in stores/debiancacerts.bks, ready to be imported into an Android project.
Add it as a raw resource to your project, then use something like the following to load it:
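    // Load the BKS keystore that was added as a raw resource ("changeit" is its password).
    mTrustStore = KeyStore.getInstance("BKS");
    InputStream in = mContext.getResources().openRawResource(R.raw.cacerts);
    mTrustStore.load(in, "changeit".toCharArray());
    in.close();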
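One way to use the loaded keystore for HTTPS connections, as an added example that is not the Guardian Project's own code. The class name `BundledTrust` and its method names are hypothetical; `R.raw.cacerts` and the `changeit` password are taken from the snippet above.

```java
import android.content.Context;
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/** Hypothetical helper: trusts only the CAs in the bundled keystore. */
public final class BundledTrust {
    /** Loads the BKS keystore from a raw resource, e.g. R.raw.cacerts. */
    public static KeyStore loadTrustStore(Context context, int rawResId)
            throws IOException, GeneralSecurityException {
        KeyStore trustStore = KeyStore.getInstance("BKS");
        InputStream in = context.getResources().openRawResource(rawResId);
        try {
            trustStore.load(in, "changeit".toCharArray());
        } finally {
            in.close();
        }
        // An empty store would reject every server; fail early instead.
        if (trustStore.size() == 0) {
            throw new GeneralSecurityException("bundled CA keystore is empty");
        }
        return trustStore;
    }

    /** Builds an SSLContext whose trust anchors are only the bundled CAs. */
    public static SSLContext newSslContext(KeyStore trustStore)
            throws GeneralSecurityException {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(
                TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext sslContext = SSLContext.getInstance("TLS");
        // null key managers: no client certificate; null random: platform default.
        sslContext.init(null, tmf.getTrustManagers(), null);
        return sslContext;
    }

    /** Opens an HTTPS connection validated against the bundled CAs. */
    public static HttpsURLConnection open(URL url, SSLContext sslContext)
            throws IOException {
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(sslContext.getSocketFactory());
        return conn;
    }
}
```

The socket factory is set per connection rather than through `HttpsURLConnection.setDefaultSSLSocketFactory`, so other libraries in the same process keep the platform trust store, and the default hostname verifier stays in place.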
- DigiNotar Debacle
- Your app shouldn't suffer SSL's problems
- Unifying Key Store Access in ICS
- ICS Trust Store Implementation
We would like to ack Open WhisperSystems as an inspiration for this, as they were able to push out a small patch through their WhisperCore update tool in order to modify the keystore to remove DigiNotar.