Remove "Network May Be Monitored by an Unknown Third Party" in Android 4.4 KitKat

If you have just updated to Android 4.4 KitKat and you use your own root CA to sign the TLS certificates for your server, website or WiFi network, you have probably seen the "Network may be monitored by an unknown third party" warning.

Android lets you add your own Certificate Authority certs, but it then complains about them continually, which is incredibly annoying. The warning exists for a reason: any CA in your trust store can issue a certificate for any site, so a rogue one could intercept your traffic. Moving your cert into the system store, as described below, only silences the warning; it does not make that trust any narrower, so only do it for a CA you control or genuinely trust.

Installing CAcert root certificates

I'm going to use the CAcert root certificates as an example, since so many people use their free certificate signing service.

  • Set a pattern or pin lock on your phone.
  • In the stock Android browser (not Firefox, because it has its own cert management), navigate to the CAcert Cert Download Page and tap the PEM format links for the root and class 3 certificates
  • Click through the notifications to add the cert. You should now get notifications in your notification panel and a tile in the quick settings tray. You can view the certs by clicking the notifications, or: Settings --> Security --> Trusted Credentials --> User

Here’s how to permanently dismiss the security warning

To do this you need:

  • A rooted phone with Busybox and SuperSU installed
  • Android Terminal Emulator app (FOSS, available from Google Play or F-Droid)
  • Hacker’s Keyboard is useful in the terminal as it has arrow keys in landscape mode, but not essential. It is also available from F-Droid.

Open Android terminal emulator and type:

u0_a79@deb:/ $ su

Click the prompt to grant SuperUser access to Android Terminal Emulator app.

Now do the following.
Remount the /system partition read-write:

root@deb:/ # mount -o remount,rw /system

Change directory to where Android stores user imported certs:

root@deb:/ # cd /data/misc/keychain/cacerts-added/

List the certs you have imported:

root@deb:/ # ls

Use cat to copy each cert into the directory where the system certs are stored (replace "5ed36f99.0" etc. with your own file names). The names are not arbitrary: Android names each CA file after the OpenSSL subject_hash_old of the certificate with a .0 suffix, and the user store already uses that scheme, so keep the names unchanged. We use cat rather than mv because /data and /system are separate filesystems and the stock mv fails across them with an error like "failed on '5ed36f99.0' - Cross-device link":

root@deb:/ # cat 5ed36f99.0 > /system/etc/security/cacerts/5ed36f99.0
root@deb:/ # cat e5662767.0 > /system/etc/security/cacerts/e5662767.0

Change directory to the location of the new certs, and list them in long format to show their permissions:

root@deb:/ # cd /system/etc/security/cacerts
root@deb:/ # ls -l

Change the permissions to match the other certs in the directory (644: readable by everyone, writable only by root). Because you created the files as root they are already owned by root, like the stock ones:

root@deb:/ # chmod 644 5ed36f99.0 e5662767.0

If all went well you can now reboot (the reboot also puts /system back to read-only):

root@deb:/ # reboot

After the reboot the new certs appear under the System tab of Settings --> Security --> Trusted Credentials.

You can now remove the copies from the User tab, and the security warning will disappear.
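The manual steps above collected into one script, as an added example (it is not from the original post or from any project): it picks the user-installed store for the device's Android version (KitKat's /data/misc/keychain/cacerts-added, or /data/misc/user/0/cacerts-added from Android 5.0 on), copies each file into the system store with cat, verifies the copy, sets 644, and remounts /system read-only however the script exits. The SYSTEM_CACERTS override, the move-user-cas.sh file name and the --run switch are this example's own conventions; the file names are assumed to already be in Android's <subject_hash_old>.N form, as they are in cacerts-added.

```shell
#!/system/bin/sh
# Added example (not from the original post): promote every user-installed CA
# from Android's user store to the system store, i.e. the manual steps above,
# and leave /system read-only no matter how the script exits.
# Usage, as root:  sh move-user-cas.sh --run
# Without --run the file only defines functions (handy for testing on a PC).

# Destination; overridable so the functions can be exercised on a scratch dir
SYSTEM_CACERTS="${SYSTEM_CACERTS:-/system/etc/security/cacerts}"

# User-added CA directory by API level: KitKat (API 19) used
# /data/misc/keychain/cacerts-added, Android 5.0 (API 21) and later use
# /data/misc/user/0/cacerts-added.
user_cert_dir() {
  if [ "${1:-0}" -ge 21 ]; then
    echo /data/misc/user/0/cacerts-added
  else
    echo /data/misc/keychain/cacerts-added
  fi
}

# Android names CA files <OpenSSL subject_hash_old>.<n>, e.g. 5ed36f99.0;
# refuse anything else so stray files never end up in the system store.
valid_cert_name() {
  case "$1" in
    [0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9]) return 0 ;;
    *) return 1 ;;
  esac
}

file_md5() {
  md5sum "$1" | cut -d ' ' -f 1
}

# Copy one cert into DESTDIR with cat (mv fails across the /data and /system
# filesystems with "Cross-device link"), set 644 like the stock files, and
# verify the copy byte-for-byte. Prints the destination path on success.
install_cert() {
  src="$1"
  destdir="$2"
  name="${src##*/}"
  valid_cert_name "$name" || { echo "skipping $name: not a <hash>.N file" >&2; return 1; }
  cat "$src" > "$destdir/$name" || return 1
  chmod 644 "$destdir/$name" || return 1
  [ "$(file_md5 "$src")" = "$(file_md5 "$destdir/$name")" ] || {
    echo "$name: copy in $destdir does not match the source" >&2
    return 1
  }
  echo "$destdir/$name"
}

# Install every file in SRCDIR into DESTDIR; prints how many were installed.
install_all() {
  count=0
  for f in "$1"/*; do
    [ -f "$f" ] || continue
    if install_cert "$f" "$2" >/dev/null; then
      count=$((count + 1))
    fi
  done
  echo "$count"
}

main() {
  [ "$(id -u)" = 0 ] || { echo "run this as root (su first)" >&2; exit 1; }
  src=$(user_cert_dir "$(getprop ro.build.version.sdk)")
  mount -o remount,rw /system || exit 1
  # From here on, /system goes back to read-only on any exit path
  trap 'mount -o remount,ro /system' EXIT
  n=$(install_all "$src" "$SYSTEM_CACERTS")
  echo "Installed $n certificate(s) from $src into $SYSTEM_CACERTS."
  echo "Reboot, then remove them under Settings --> Security --> Trusted Credentials --> User."
}

case "${1:-}" in
  --run) main ;;
esac
```

The remount back to read-only lives in a trap rather than at the end of the script, so a failed cat or chmod cannot leave /system writable; the md5sum comparison after the copy catches the case where the write silently produced a truncated or unchanged file.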

Quickly restoring CAcert root certs after OTA updates

If you use a custom ROM like Paranoid Android or CyanogenMod then you may be receiving regular updates to the root filesystem that will undo these changes.

Following the steps above to restore the CAcert certificate every time can be a pain, so you might like to make a copy of the certs to a folder on your /sdcard/ and cat them across and change the permissions each time you receive an update.

If that still seems like a lot of effort, here's a script that will download the certificate from CAcert and do the rest for you:

#!/system/bin/sh
# Re-install the CAcert root and class 3 certificates into the system trust
# store after an OTA update. Run as root: su, then sh /sdcard/android-cacert-script.sh

dlroot="/sdcard/CAcert-root"
dlclass3="/sdcard/CAcert-class3"


# md5sums for the .der versions. MD5 is weak against collisions, but here it
# only pins the plain-http download to the file we expect.
md5root="a61b375e390d9c3654eebd2031461f6b"
md5class3="f72512824e67b5d08d92b77c0b867a42"


# final destinations: Android names system CA files <subject_hash_old>.0
destroot="/system/etc/security/cacerts/5ed36f99.0"
destclass3="/system/etc/security/cacerts/e5662767.0"


# Leave /system read-only whichever way the script exits (success or abort)
system_rw=0
cleanup() {
  if [ "$system_rw" = 1 ]; then
    echo "Re-mounting /system read-only"
    mount -o remount,ro /system
  fi
}
trap cleanup EXIT

die() {
  echo "$*" >&2
  exit 1
}


# Remove stale downloads so a failed wget cannot leave an old file in place
for f in "$dlroot" "$dlclass3"; do
  if [ -f "$f" ]; then
    echo "Previously downloaded $f detected, will be removed"
    rm "$f"
  fi
done


# download CAcert root certs from cacert.org
wget -O "$dlroot" http://cacert.org/certs/root.der || die "Download of root.der failed"
wget -O "$dlclass3" http://cacert.org/certs/class3.der || die "Download of class3.der failed"


# calculate md5sums for comparison
md5root_calc=$(md5sum "$dlroot" | cut -d " " -f 1)
md5class3_calc=$(md5sum "$dlclass3" | cut -d " " -f 1)


# check MD5sums before touching /system and abort if they don't match
# NB: "[" is an alias for the "test" command which is in busybox
if [ "$md5root_calc" != "$md5root" ]; then
  die "Calculated MD5sum for root cert ( $md5root_calc ) does not equal expected MD5sum ( $md5root ), aborting"
fi
echo "MD5sum for root cert OK"

if [ "$md5class3_calc" != "$md5class3" ]; then
  die "Calculated MD5sum for class 3 cert ( $md5class3_calc ) does not equal expected MD5sum ( $md5class3 ), aborting"
fi
echo "MD5sum for class 3 cert OK"


echo "Re-mounting /system read-write"
mount -o remount,rw /system || die "Could not re-mount /system read-write"
system_rw=1


# cat rather than mv: /sdcard and /system are different filesystems
echo "Copying certs to /system"
cat "$dlroot" > "$destroot" || die "Something went wrong: root cert was not written to /system"
cat "$dlclass3" > "$destclass3" || die "Something went wrong: class 3 cert was not written to /system"

# verify what actually landed in the system store, not just that a file exists
[ "$(md5sum "$destroot" | cut -d " " -f 1)" = "$md5root" ] || die "root cert in /system does not match expected MD5sum"
[ "$(md5sum "$destclass3" | cut -d " " -f 1)" = "$md5class3" ] || die "class 3 cert in /system does not match expected MD5sum"

echo "Changing file permissions for certs to 644"
chmod 644 "$destroot" "$destclass3" || die "chmod failed"

echo "Done!"

exit 0

Save it to your computer as android-cacert-script.sh and then use adb to transfer it:

adb push ~/android-cacert-script.sh /sdcard/android-cacert-script.sh

Now all you need to do after an update is open the terminal emulator app and type these commands:

su
sh /sdcard/android-cacert-script.sh

That's it! The script will warn you and abort if the certs downloaded don't match the expected md5sum.

Android app Move Certs

Yet another option is an app called "Move Certs" written by Felix Ableitner, which he kindly released under the GPLv3 free software licence. Get it on F-Droid!


Comments

I was struggling with the absence of Verisign extended validation ssl certificate and the warning after installing user certificate was annoying. These simple steps helped me in accessing my bank site. Thank you very much for this blog.

Great! Thanks for your comment :)

Sam

That looks like it could be handy... BUT, unless I'm mistaken it's not open source.

Why would you grant a proprietary app root privileges to achieve something trivial like this?

Release it as free software so people can see what it's doing... you know you want to!

Awesome! Have you considered adding it to F-droid?

I hope it does well! :)

Hi,

I followed these directions to the letter, rebooted and still had the warning triangle on the notification area. The solution....
Click on the triangle and press and hold on the offending certificate in the User section, scroll down and click remove.

Bingo! The annoying warning is gone!

I checked that I can still VPN into work using the cacert manually installed with the above instructions, all good.

Thanks for the excellent tutorial!

Cheers

Jon

Hi,

I am clearly a massive dufus, who didn't read to the end of your totally complete instructions!

Thanks again

Jon

Not sure if this is just me being an idiot again, but I can't get either the manual version (or the app) to move the certificate across on my new phone. If I look in the list of installed certificates after rebooting the newly added one isn't there. Also if I look in the actual folder where I cat'd the certificate to (and changed its permissions) after the reboot, it's no longer there. Any ideas?
Cheers
Jon

That's really weird, can you check if your partitioning is the same format as I've assumed? What's your device?

Any errors or messages when doing it manually?

Sam

Note: for Android 5.0+, the user imported certificates folder was moved
from
/data/misc/keychain/cacerts-added/

to
/data/misc/user/0/cacerts-added/

Thank you, I didn't know that (haven't used the script for a while).

Sam

In your script near the end, you potentially leave the /system partition mounted in read-write mode, which isn't the best idea.

In your error checking blocks on line 70 and 75, you should include an attempt to mount /system back into read-only mode, prior to calling exit.

Try issuing a `touch $destclass3 && chattr +i $destclass3` just before you attempt to cat the downloaded file to that location
Understandably, the failure should occur only if the /system partition cannot be written to, but in the off chance that one of the destination files is marked as immutable or write permission is removed for the root user, you will be left with a read-write /system partition due to this script.

Note that the immutable flag doesn't work on all devices and android-linux kernels.

Ed,

They didn't forget to renew! CAcert signs the certificate for its own website (because it's a root CA), so if you don't have the CAcert root cert in the trusted root certificate store on your device, you will get a certificate error.

Sam
