Decrease Your Circle of Trust: An Investigation of PKI CAs on Mobile Devices
[Slide 1]
#RSAC
Session ID: MBS-R03
Andrew Blaich, PhD, Lead Security Analyst, Bluebox Security (@ablaich)
[Slide 2]
Who are you trusting?
How much trust do you put in your phone? How many vendors have modified your OS? How many applications and services are running on your device? How many libraries are loaded for an app? How many roots of trust exist for network connections?
[Slide 3]
Who are you trusting?
How much trust do you put in your phone?
How many vendors have modified your OS? Google -> Samsung -> Qualcomm -> AT&T -> Others?
How many applications and services are running on your device? 300+ apps/services on a Samsung Galaxy Note 3
How many libraries are loaded for an app? 100+ shared libraries on a Samsung Galaxy Note 3
How many entities are trusted for network connections? 150+ on Android, 200+ on iOS
[Slide 4]
Circle of Trust
(diagram: OEMs, Libs, Apps, CAs, Component Suppliers and Carriers arranged around the Trust Circle)
[Slide 5]
Trustable by Bluebox
Example of a brand-new, out-of-the-box device and all the entities that you would trust on it.
[Slide 6]
Same device, different carriers
[Slide 10]
Secure Connections
(diagram: Apps - CAs - Network)
[Slides 11-18: screenshots only, no transcript text]
[Slide 19]
Not only browsers…
[Slide 20]
Certificate Authorities
What certificate authorities are on my device?
How many are there?
Who are these certificate authorities?
How did they get on my device?
What security concerns are there?
[Slide 21]
Objectives
Learn more about who your device is trusting
Learn about the roles CAs play in secure communications
Learn the history behind these CAs
Learn how you can take action to decrease your circle of trust
[Slide 22]
Background - Certificate Authorities
[Slide 23]
Body
What is a CA?
How do they get on the device?
How many are there?
User-installable vs. system pre-loaded (also covering carrier and OEM additions or removals)
iOS VPN and Android VPN case study
[Slide 24]
Certificate Authorities
What is a certificate authority? They validate that who you are talking to is who they say they are.
"Are you Google.com?"
"Yes, CA-A says I am."
Trusted CAs on the device: CA-A
TRUSTED CONNECTION
[Slide 25]
Certificate Authorities
What is a certificate authority? They validate that who you are talking to is who they say they are.
"Are you Google.com?"
"Yes, CA-M says I am."
Trusted CAs on the device: CA-A
NOT TRUSTED CONNECTION
[Slide 26]
CA Chain of Trust
What is the chain of trust?
[Slide 27]
Trusted Certificate Chain
Verified == Trusted Chain
The root CA needed to verify this chain is installed on the device, making the trust chain verifiable, so the connection is considered trusted and secure.
[Slide 28]
Un-trusted Certificate Chain
Un-verified == Un-Trusted Chain
The root CA needed to verify this chain is missing from the device, making the trust chain unverifiable, so the connection is not trusted and is insecure.
[Slide 29]
Types of Root CAs
Pre-installed root CAs
User-installed root CAs
[Slide 30]
Why is this a concern?
A malicious or compromised root CA can read your secure traffic: CNNIC and MCS Holdings; Lenovo and Superfish; …
[Slide 31]
Pre-installed Root CAs
[Slide 32]
Root CA Approval Process
Root Certificate Programs: Microsoft, Mozilla, Apple, and others
[Slide 33]
Mozilla Root CA Approval Process
Linux and Android are strongly tied to the Mozilla process.
[Slide 34]
CA Trust Infrastructure
The effectiveness of the global PKI trust infrastructure relies on keeping the designated roots of trust fully secure and operating correctly.
Diagram (labels: CA-A, CA-B, Trusted Root CAs, Compromised CA):
"Issue cert for *.google.com" -> "No." (a correctly operating trusted root CA)
"Issue cert for *.google.com" -> "Ok." (the compromised CA)
[Slide 35]
CAs on Mobile Devices
System Installed Certificates (chart): Android 5.1: 162; iOS 8.3: 227
[Slide 36]
Root CA Reference Links
iOS: http://support.apple.com/en-us/HT204132 (lists roots as Trusted, Always Ask, or Blocked)
Android: https://android.googlesource.com/platform/libcore/+/master/luni/src/main/files/cacerts/
[Slide 37]
CA Classifications
Known Failures in Keeping Trust
Government-Based Roots of Trust
Cause for Concern
Artificial Constraints
Everything else
[Slide 38]
Known Failures
[Slide 39]
Known Failures with CAs
“Hacked” CAs: CNNIC/MCS Holdings [2015], Comodo [2011], DigiNotar [2011], GlobalSign [2011], India CCA [2014], RapidSSL (indirect) [2008]
[Slide 40]
Apple’s Blocked CA List
| CA Name | Reason |
|---|---|
| TurkTrust | Issued an inappropriate sub-CA cert that was used to issue a *.google.com cert |
| Entrust | Issued a wildcard cert for Apple domains |
| GTE CyberTrust Solutions | Issued 4 sub-CA certs for DigiNotar |
| DigiNotar | Issued itself another sub-CA cert |
| Entrust | Issued 2 sub-CA certs for DigiNotar |
| Entrust | Issued a sub-CA cert for Digicert Sdn. Bhd. (practices of this CA in Malaysia were found to be inappropriate) |
[Slide 41]
Apple’s Blocked CA List – cont’d.
| CA Name | Reason |
|---|---|
| GTE | Issued a sub-CA cert for Digicert Sdn. Bhd. |
| Trustwave | Issued a sub-CA cert to Micros Systems |
| Xramp | Issued a sub-CA cert to Trustwave |
| TurkTrust | Issued a sub-CA cert to KKTC Merkez Bankasi |
[Slide 42]
Government CAs
[Slide 43]
Government Related CAs
Allowed to use an internal audit for approval.
[Slide 44]
Causes for Concern - CAs
[Slide 45]
Causes for Concern
[Slide 46]
Causes for Concern – cont’d.
[Slide 47]
Causes for Concern – cont’d.
[Slide 48]
Artificial Constraints
[Slide 49]
Artificial Constraints
| Cert Subject | Reason for Constraint |
|---|---|
| CN=IGC/A,OU=DCSSI,O=PM/SGDN,L=Paris,ST=France,C=FR | Issued several unauthorized certificates for Google domains. TLD restrictions: .fr (France), .gp (Guadeloupe), .gf (Guyane), .mq (Martinique), .re (Réunion), .yt (Mayotte), .pm (Saint-Pierre et Miquelon), .bl (Saint Barthélemy), .mf (Saint Martin), .wf (Wallis et Futuna), .pf (Polynésie française), .nc (Nouvelle Calédonie), .tf (Terres australes et antarctiques françaises) |
[Slide 50]
Artificial Constraints – cont’d.
[Slide 51]
Artificial Constraints – cont’d.
[Slide 52]
Apple’s Extended Trust
| Type | Count | Notes |
|---|---|---|
| US Federal Certificates | 5 | 4 are not on Android; 1 is under review by Mozilla |
| Present on iOS, but requested for removal on Mozilla/Android | 3 | 2 deprecated from AOL/Time Warner; 1 deprecated from Danish IT |
| Other entities added by Apple | 15 | 5 from Apple, 3 from Denmark, 2 from Swiss Government, 2 from Belgium, 1 from Cisco, 1 from Czech Republic, 1 from Canada |
[Slide 53]
CA Cryptography Analysis
[Slide 54]
Public Key-Size
| Key Type/Size | Count | Notable Entities |
|---|---|---|
| Elliptic Curve | 6 | GeoTrust, VeriSign, COMODO, Thawte, Entrust, AffirmTrust |
| RSA / 1024 bit | 15 | FNMT, GTE CyberTrust, Equifax, Netlock Halozatbiztonsagi, VeriSign, ValiCert, Thawte Consulting, Entrust |
| RSA / 2048 bit | 101 | N/A |
| RSA / 4096 bit | 14 | N/A |
[Slide 55]
Hash Algorithm
| Signature Algorithm | Count | Notable Entities |
|---|---|---|
| ecdsa-with-SHA384 | 6 | GeoTrust, VeriSign, COMODO, Thawte, Entrust, AffirmTrust |
| md5WithRSAEncryption | 6 | GTE, Netlock, Equifax |
| sha1WithRSAEncryption | 115 | N/A |
| sha256WithRSAEncryption | 28 | N/A |
| sha384WithRSAEncryption | 1 | N/A |
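The chain-of-trust slides (27 and 28), the compromised-CA diagram (slide 34) and the two tables above all describe what a device's root store does. The Go program below, added here as an example and not part of the talk or of any Bluebox tool, reproduces that behaviour with constructed certificates using only the standard library: a P-384 root, a leaf for the made-up host www.example.test, and a 1024-bit RSA root standing in for the dated entries in the key-size table. The chain verifies only while the signing root is in the store and the leaf matches the host name; any installed root can vouch for any name, which is why an unneeded root is worth removing. All names, serial numbers and the "weak" thresholds (RSA below 2048 bits, MD5 or SHA-1 signatures) are this example's assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T { // keeps the scenario linear; real code would return the error
	if err != nil {
		panic(err)
	}
	return v
}

// template builds a minimal certificate template (names and serials are constructed for this example).
func template(cn string, isCA bool, serial int64) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: isCA, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA {
		t.KeyUsage |= x509.KeyUsageCertSign
	} else { // a leaf is bound to the host name the client will check it against
		t.DNSNames, t.ExtKeyUsage = []string{cn}, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// issue signs tmpl with priv under parent (self-signed when parent == tmpl) and parses the result.
func issue(tmpl, parent *x509.Certificate, pub, priv any) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// chainTrusted plays the device (slides 27-28): the chain verifies only if the signing root is in the store and the leaf matches the host.
func chainTrusted(leaf *x509.Certificate, store []*x509.Certificate, host string) bool {
	pool := x509.NewCertPool() // non-nil but possibly empty, so Go never falls back to the OS store
	for _, root := range store {
		pool.AddCert(root)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err == nil
}

// auditRoot classifies a root as the key-size and hash tables do; the "weak" thresholds (RSA below 2048 bits, MD5/SHA-1 signatures) are this example's assumption.
func auditRoot(c *x509.Certificate) (keyDesc string, weak bool) {
	switch k := c.PublicKey.(type) {
	case *rsa.PublicKey:
		keyDesc, weak = fmt.Sprintf("RSA/%d bit", k.N.BitLen()), k.N.BitLen() < 2048
	case *ecdsa.PublicKey:
		keyDesc = "Elliptic Curve " + k.Curve.Params().Name
	default:
		keyDesc, weak = "unrecognised key type", true
	}
	switch c.SignatureAlgorithm {
	case x509.MD5WithRSA, x509.SHA1WithRSA, x509.ECDSAWithSHA1:
		weak = true
	}
	return keyDesc, weak
}

type Result struct {
	TrustedWithRoot, TrustedWithoutRoot, TrustedWrongHost, TrustedViaLegacyRoot, TrustedAfterRemoval bool
	RootKey, LegacyKey                                                                               string
	RootWeak, LegacyWeak                                                                             bool
}

// RunScenario builds a P-384 root and a leaf for www.example.test, checks the chain with and without the root installed, then adds a dated 1024-bit RSA root.
func RunScenario() Result {
	var r Result
	rootKey := must(ecdsa.GenerateKey(elliptic.P384(), rand.Reader))
	rootTmpl := template("Example Root CA", true, 1)
	root := must(issue(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)) // self-signed
	leafKey := must(rsa.GenerateKey(rand.Reader, 2048))
	leaf := must(issue(template("www.example.test", false, 2), root, &leafKey.PublicKey, rootKey))
	store := []*x509.Certificate{root} // the device's trust store with the root present
	r.TrustedWithRoot = chainTrusted(leaf, store, "www.example.test")
	r.TrustedWithoutRoot = chainTrusted(leaf, nil, "www.example.test")  // root missing: un-verifiable
	r.TrustedWrongHost = chainTrusted(leaf, store, "mail.example.test") // right root, wrong name
	r.RootKey, r.RootWeak = auditRoot(root)
	legacyKey := must(rsa.GenerateKey(rand.Reader, 1024))
	legacyTmpl := template("Legacy 1024-bit Root", true, 3)
	legacy := must(issue(legacyTmpl, legacyTmpl, &legacyKey.PublicKey, legacyKey))
	leaf2 := must(issue(template("www.example.test", false, 4), legacy, &leafKey.PublicKey, legacyKey))
	r.LegacyKey, r.LegacyWeak = auditRoot(legacy)
	// Slide 34: any installed root can vouch for any name; removing it from the store stops that.
	r.TrustedViaLegacyRoot = chainTrusted(leaf2, append(store, legacy), "www.example.test")
	r.TrustedAfterRemoval = chainTrusted(leaf2, store, "www.example.test")
	return r
}

func main() { fmt.Printf("%+v\n", RunScenario()) }
```

Run it with `go run`. To reproduce the counts in the two tables, read each PEM file from the Android cacerts directory linked on slide 36 with `encoding/pem` and `x509.ParseCertificate`, then feed the certificates to `auditRoot` and tally the key descriptions and `SignatureAlgorithm` values.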
[Slide 56]
CA Consolidation
| Symantec-Owned Entity | Number of Certificates on Android |
|---|---|
| GeoTrust | 7 |
| Verisign | 7 |
| TC Trust Center | 3 |
| Network Solutions | 1 |
| Thawte | 5 |
| Equifax | 3 |

Total: Symantec controls 25 of the total 156 certificates, or ~16% of the Android roots of trust.
[Slide 57]
CA Consolidation – cont’d.
[Slide 58]
CA Consolidation – cont’d.
[Slide 59]
Additional CAs
Some OEMs and carriers add additional certificates into the ROM that are not found in AOSP:
Sony Xperia running 4.4.4 includes two root certs for Sony
iOS has several additional certificates that Android does not currently* have, e.g. Cisco and US Government
[Slide 60]
User-installed Root CAs
[Slide 61]
User installed root CAs
[Slide 62]
VPN Case-Study
[Slide 63]
VPN, Anonymization, Privacy Providers
Looked at 10 of the top VPN service provider apps in the Apple App Store and the Google Play Store:
iOS – App Store: 6 out of 10 of the iOS apps used an MDM VPN profile that DID install a 3rd-party certificate
Android – Google Play Store: 10 out of 10 of the Play Store apps did not install a 3rd-party certificate
[Slide 64]
Decreasing your Trust Circle
Android: manually, via Settings -> Security -> Trusted credentials, disable or enable each CA
iOS: no direct method on iOS…
[Slide 65]
Bluebox Trust Managers
https://bluebox.com/technical/trust-managers/
View and Manage the Root CAs on your Device
[Slide 66]
Summary
Learn more about who your device is trusting: iOS and Android have an increasing number of roots of trust
Learn about the roles CAs play in secure communications: without a CA we cannot verify that who we are talking to is legitimate
Learn the history behind these CAs: sometimes things go wrong with CAs
Learn how you can take action to decrease your circle of trust: manual certificate management; download Bluebox Trust Manager for iOS and Android
[Slide 67]
Apply
Learn more about what your device is trusting: download Trustable by Bluebox (https://play.google.com/store/apps/details?id=com.bluebox.trust)
View the root CAs on your device: Android System Settings; download Bluebox Trust Manager (Android and iOS)
Manage the root CAs on your device (root/jailbreak required): Android System Settings; download Bluebox Trust Manager (Android and iOS)