22

I have an app that gives the option to install a CA cert; it gets stored in the User tab of Trusted Credentials and it works as expected.

FYI (This is how I install the cert):

import android.content.Intent;
import android.security.KeyChain;

// Hand the encoded CA certificate to the system installer dialog
Intent installIntent = KeyChain.createInstallIntent();
javax.security.cert.X509Certificate x509 = javax.security.cert.X509Certificate.getInstance(caRootCertBytes);
installIntent.putExtra(KeyChain.EXTRA_CERTIFICATE, x509.getEncoded());
installIntent.putExtra(KeyChain.EXTRA_NAME, caRootCertName);
startActivity(installIntent);

If the app is uninstalled the cert remains in the Trusted credentials.

I would like the cert to be uninstalled when the application is uninstalled.

I thought of removing the cert using deleteEntry method of KeyStore.

FYI (I haven't tested it, though. Hopefully it should work. I will update once I have tested it.)

import java.security.KeyStore;
import java.util.Enumeration;

javax.security.cert.X509Certificate x509 = javax.security.cert.X509Certificate.getInstance(caRootCertBytes);
// Issuer DN of the app's CA, used to look for its entry in the store
String name = x509.getIssuerDN().getName();

// Store that exposes the device's trusted CA certificates
KeyStore ks = KeyStore.getInstance("AndroidCAStore");
if (ks != null) {
    ks.load(null, null);
    Enumeration<String> aliases = ks.aliases();
    while (aliases.hasMoreElements()) {
        String alias = aliases.nextElement();
        java.security.cert.X509Certificate cert = (java.security.cert.X509Certificate) ks.getCertificate(alias);
        // Match on the issuer DN and delete the matching entry
        if (cert.getIssuerDN().getName().contains(name)) {
            ks.deleteEntry(alias);
        }
    }
}

Even if you consider that the above code works, AFAIK I can't register a broadcast receiver for the uninstallation of my own app.

How can I go about removing the cert that is installed by my app on uninstallation of my app?

Any help is appreciated!

Durai Amuthan.H
  • 3
    There is no way to do this, precisely because the uninstall process is not handled by your code. That's how Android is designed. You can only hope that the user will not forget to do this explicitly. – Display Name May 14 '15 at 18:55
  • @SargeBorsch - Are you sure? But KeyStore gives a public API http://goo.gl/bDbiaI – Durai Amuthan.H May 14 '15 at 19:44
  • As far as I know, there is no way to listen for uninstall events from an app. However, you may find a way by keeping track of analytics, sending periodic "Are you there?" messages with a push service (no answer = uninstalled logic. Yeah, bad). But it still won't solve your cert removal issue. I also want to know if there is a solution for this – Ercan May 15 '15 at 22:19
  • @Ercan - Sure, I'll let you know if I find any solution – Durai Amuthan.H May 16 '15 at 05:49

3 Answers

1

You can't get the broadcast of a package being uninstalled for your own package. This may lead to inconsistency in the system. See this answer.

Alireza Rahimi
0

Lookout Mobile has blogged about this due to the DigiNotar events, and provided some pretty good (read: lengthy) instructions which you can find here.

The gist of it is that you need to pull /system/etc/security/cacerts.bks and then remove the CAs from the store, then push the store back to the device and reboot. Their instructions require that you have Bouncy Castle (for decrypting the store), root access, and a working adb connection. I'm not sure if this applies to all versions of Android or not, but my guess would be that the location of the CA store hasn't changed in quite some time (if ever).

0

As far as I know, there is only a broadcast that tells you that the uninstall has completed: ACTION_PACKAGE_REMOVED.

After uninstalling the app MyCertApp, the event ACTION_PACKAGE_REMOVED is broadcast. The code that handles ACTION_PACKAGE_REMOVED in MyCertApp is already gone at that time.

You can do the post-processing only with a second, independent app that is still there and that can uninstall itself after receiving the broadcast that MyCertApp is gone.

The other hypothetical solution may be that your app has a menu item "uninstall MyCertApp". I do not know if it is possible for an app to uninstall itself.

k3b
  • As you said, we can catch the broadcast intent using the second app, but it's not the right way to go. Uninstalling without user permission is not allowed for third-party apps (http://stackoverflow.com/a/10483669/730807) – Durai Amuthan.H Jul 07 '15 at 08:11
  • @Durai I agree that the 2nd uninstall app "its not the right way to go", although the uninstaller will only uninstall itself (the other app was already uninstalled). – k3b Jul 07 '15 at 11:30
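
Editor's added example, not code from any poster in this thread: since the thread concludes that the app cannot clean up at uninstall time, an in-app "remove certificate" menu item can at least check whether the app's CA is still in the user store and send the user to the system Security settings to remove it. The class and method names are hypothetical; it assumes the same `caRootCertBytes` as the question, and it matches the whole certificate instead of a substring of the issuer DN so that an unrelated CA with a similar name is never selected.

```java
import android.content.Context;
import android.content.Intent;
import android.provider.Settings;

import java.io.ByteArrayInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.util.Collections;

/** Hypothetical helper for an in-app "remove certificate" menu item. */
public final class UserCaCheck {
    private UserCaCheck() {}

    /**
     * Returns the AndroidCAStore alias of the user-installed copy of the given
     * CA certificate, or null if it is not present in the user store.
     */
    public static String findUserAlias(byte[] caRootCertBytes) throws Exception {
        Certificate target = CertificateFactory.getInstance("X.509")
                .generateCertificate(new ByteArrayInputStream(caRootCertBytes));

        KeyStore ks = KeyStore.getInstance("AndroidCAStore");
        ks.load(null, null);
        for (String alias : Collections.list(ks.aliases())) {
            // User-installed CAs carry the "user:" alias prefix; pre-installed ones use "system:".
            if (!alias.startsWith("user:")) continue;
            // Certificate.equals compares the encoded form, so this is an exact match.
            if (target.equals(ks.getCertificate(alias))) return alias;
        }
        return null;
    }

    /**
     * Opens the system Security settings so the user can remove the CA themselves.
     * Returns false when the certificate is not installed and nothing needs doing.
     */
    public static boolean promptRemoval(Context context, byte[] caRootCertBytes) throws Exception {
        if (findUserAlias(caRootCertBytes) == null) return false;
        Intent intent = new Intent(Settings.ACTION_SECURITY_SETTINGS);
        intent.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK); // needed when context is not an Activity
        context.startActivity(intent);
        return true;
    }
}
```

The helper only reads the store; removal stays an explicit user action in Settings.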