Hello, I'm new to certificates so apologies in advance for the noob questions.

I'm interested in browsing through the directories where certificates are stored in GrapheneOS. Based on this link, it looks like there are several possible locations for stock Android.

On my phone, I found a bunch of files under /system/etc/security/cacerts, which I assume are the pre-installed ones we can view under Settings > Security > More security settings > Encryption and credentials > Trusted credentials > System. What are the paths to the directories where other installed certificates are stored?

I also have a few follow-up questions:

  • What is the best way to check the authenticity of these certificates?
  • Hypothetically, could an attacker install certificates that would direct the user to malicious versions of sites, in a way that would not be detectable by Auditor?

Thanks in advance for any thoughts.

    Those links may interest you:

    • Android uses Conscrypt with BoringSSL to update certificates without needing an OS update, and to provide roots of trust for public keys:

    Android 14 introduces an updatable root trust store within Conscrypt. CA certificates (or certs) provide the roots of trust for public keys used within Android and the internet at large. These certificates are routinely checked to ensure proper cryptographic signing, so they must be provided and stored on all devices that rely on them.

    To do a check by hand, you can go to the Android source code certificates page:

    https://android.googlesource.com/platform/system/ca-certificates/+/master/files/

    Now, to compare both, go on your phone through:

    Settings > Security > More security settings > Encryption & credentials > Trusted credentials > tap to display particular certificate.

    To verify certificate authenticity more easily, you will need to search for a certificate checker app to compare the certificates on your device with another trusted database.
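The by-hand comparison described in the reply above can be scripted; this is an added example, not part of the original post or any project's code. It assumes a copy of the device's /system/etc/security/cacerts directory and a local copy of the AOSP `files/` directory are both on a computer, that each file holds one PEM certificate optionally followed by a text dump, and all function names and sample bytes are constructed for illustration.

```python
import base64, hashlib, re, tempfile
from pathlib import Path

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def fingerprint(pem_text):
    """SHA-256 of the DER bytes in the first PEM block; text after it is ignored."""
    m = PEM_RE.search(pem_text)
    if m is None:
        raise ValueError("no PEM certificate block found")
    der = base64.b64decode("".join(m.group(1).split()), validate=True)
    return hashlib.sha256(der).hexdigest()

def load_store(directory):
    """Map fingerprint -> file name for every file in a cacerts-style directory."""
    store = {}
    for path in sorted(Path(directory).iterdir()):
        if path.is_file():
            store[fingerprint(path.read_text(errors="replace"))] = path.name
    return store

def compare_stores(device_dir, reference_dir):
    """Return (only_on_device, only_in_reference) as sorted lists of file names."""
    device, reference = load_store(device_dir), load_store(reference_dir)
    extra = sorted(device[f] for f in device.keys() - reference.keys())
    missing = sorted(reference[f] for f in reference.keys() - device.keys())
    return extra, missing

def _pem(der):
    # Constructed sample: arbitrary bytes wrapped as PEM, not a real certificate.
    body = base64.encodebytes(der).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}-----END CERTIFICATE-----\n"

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        dev, ref = Path(tmp, "device"), Path(tmp, "reference")
        dev.mkdir()
        ref.mkdir()
        # Same certificate on both sides; one copy carries a trailing text dump.
        (dev / "aaaaaaaa.0").write_text(_pem(b"root-A" * 20) + "Certificate:\n  Data\n")
        (ref / "aaaaaaaa.0").write_text(_pem(b"root-A" * 20))
        # Same file name, different bytes: a matching name alone proves nothing.
        (dev / "bbbbbbbb.0").write_text(_pem(b"root-B-changed!" * 8))
        (ref / "bbbbbbbb.0").write_text(_pem(b"root-B" * 20))
        # Present only in the device copy.
        (dev / "cccccccc.0").write_text(_pem(b"root-C" * 20))
        return compare_stores(dev, ref)

if __name__ == "__main__":
    print(demo())
```

A file whose bytes differ shows up in both result lists, so a changed certificate is distinguishable from one that was simply added or removed.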

      Hat Thank you! These are very useful resources. I'll look into certificate checker apps as well.

      2wnin All of the system certificates are built into the OS and verified by verified boot. There's no other place they can be provided. It's possible to update OS components out-of-band via APEX component updates which are also covered by verified boot. We don't use out-of-band APEX component updates for GrapheneOS though. There's no reason to verify OS components case-by-case since it's verified by verified boot. See https://grapheneos.org/install/web#verifying-installation.

      Hat The only possible updates are through APEX component updates which are covered by verified boot like the OS images. APEX components have basic downgrade protection which prevents them getting downgraded earlier than the version in the OS. The core OS itself has strict downgrade protection for verified boot based on storing the current security version in the secure element which is enforced as part of verifying it. For boot chain firmware, it's done via eFuses.
