My Android phone (KitKat) lists a LOT of CAs under Settings -> Security -> Trusted credentials
Question
My Android phone (KitKat) lists a LOT of CAs under Settings -> Security -> Trusted credentials. Does that mean that anyone who has access to any of those CAs' private keys can monitor or perform a "man in the middle" attack on my phone when it communicates with the internet?
I assume one can monitor not just the browser on the phone but also all encrypted HTTPS communication if any app uses HTTPS, correct?
Also, if I installed my own CA into the USER part of the phone, could I monitor all HTTPS-encrypted communication between my phone and the apps' servers on the net?
I wouldn't mind knowing more about what all the apps are telling their servers about me, especially when it's encrypted. :-)
Explanation / Answer
Anyone with access to the private key of one of these CAs (or their subordinate CAs) may issue certificates that your phone will consider valid. But they cannot inspect or monitor communication encrypted with someone else's keys (i.e. another CA's).
If you install your own CA certificate you can issue fake certificates for any site you want to, and for instance use an intercepting proxy (such as Burp Suite from PortSwigger or the ZED Attack Proxy) to man-in-the-middle yourself and inspect the traffic with certificates your phone and most apps on the phone will accept as valid (unless the app has utilized SSL/TLS pinning). Doing this is easy on an iPhone and a bit more complicated on Android; google around for intercepting proxy on Android, or maybe someone using an Android phone can give you some pointers.
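As an added example (not part of the question or answer above), here is the defensive counterpart to the user-CA interception the answer describes: an Android Network Security Config that trusts user-installed CAs only in debuggable builds and pins a key for one API host. It assumes Android 7.0 or later (so it does not apply to the KitKat phone in the question), and the hostname and pin values are placeholders:

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml, referenced from the manifest via
     android:networkSecurityConfig="@xml/network_security_config" -->
<network-security-config>
    <!-- Release builds: trust only the pre-installed system CAs. A CA the
         user added under Settings is ignored, so an intercepting proxy that
         relies on a user-installed CA cannot read this app's traffic. -->
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>

    <!-- Debuggable builds only (android:debuggable="true"): additionally
         trust user-installed CAs so a developer can inspect the app's own
         HTTPS traffic with an intercepting proxy. Ignored in release builds. -->
    <debug-overrides>
        <trust-anchors>
            <certificates src="user" />
        </trust-anchors>
    </debug-overrides>

    <!-- Pinning: for this host the validated chain must also contain a key
         whose SPKI SHA-256 digest matches one of the pins, so a certificate
         issued by any other CA, even a trusted system one, is rejected.
         Hostname, expiration date and pin values are constructed placeholders;
         keep a backup pin so a key rotation does not lock users out. -->
    <domain-config>
        <domain includeSubdomains="true">api.example.com</domain>
        <pin-set expiration="2026-01-01">
            <pin digest="SHA-256">PLACEHOLDER_BASE64_SPKI_SHA256_PRIMARY_KEY=</pin>
            <pin digest="SHA-256">PLACEHOLDER_BASE64_SPKI_SHA256_BACKUP_KEY=</pin>
        </pin-set>
    </domain-config>
</network-security-config>
```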