Open ahoog42 opened 9 years ago
There are also cached pinned certs to look at on Android for some highly privileged apps like the Play Store app.
```
root@shamu:/data/data/com.android.vending # ls app_sslcache
android.clients.google.com.443
books.google.com.443
lh3.ggpht.com.443
lh3.googleusercontent.com.443
lh4.ggpht.com.443
lh4.googleusercontent.com.443
lh5.ggpht.com.443
lh5.googleusercontent.com.443
lh6.ggpht.com.443
lh6.googleusercontent.com.443
safebrowsing.google.com.443
wallet.google.com.443
```
`app_sslcache` seems to be managed by `SSLSessionCache`, and these folders exist in the app's `/data/data` dir, so these are also interesting to look at for incident response with regard to trusted certificates.
Probably relevant in an IR analysis.
This can be useful for mobile forensics, and it can also be good for spotting vulnerabilities in non-updated devices (which trust certificates that have been leaked or are considered insecure). Also, it can be interesting for analyzing cheap phones where no firmware is available.
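An added example, not part of the original thread: a triage script that inventories every `app_sslcache` directory in an extracted copy of `/data/data` and flags cached hosts outside an analyst-supplied list of expected domains. It assumes entries are named `host.port` as in the listing above; the function names, `com.example.app`, its host and the expected-domain list are constructed for illustration.

```python
import os
import tempfile
from datetime import datetime, timezone

def parse_cache_name(name):
    """Split 'wallet.google.com.443' into ('wallet.google.com', 443)."""
    host, sep, port = name.rpartition(".")
    if not sep or not host or not port.isdigit():
        return None  # not in the host.port form seen in the listing
    return host, int(port)

def inventory_sslcache(data_root, cache_dir="app_sslcache"):
    """List (package, host, port, size, mtime_utc) for each cached entry."""
    rows = []
    for package in sorted(os.listdir(data_root)):
        cache_path = os.path.join(data_root, package, cache_dir)
        if not os.path.isdir(cache_path):
            continue
        for name in sorted(os.listdir(cache_path)):
            parsed = parse_cache_name(name)
            if parsed is None:
                continue
            st = os.stat(os.path.join(cache_path, name))
            mtime = datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat()
            rows.append((package, parsed[0], parsed[1], st.st_size, mtime))
    return rows

def unexpected_hosts(rows, expected_suffixes):
    """Return rows whose host is outside the analyst's expected domains."""
    def ok(host):
        return any(host == s or host.endswith("." + s) for s in expected_suffixes)
    return [r for r in rows if not ok(r[1])]

def demo():  # builds a constructed sample tree and runs the inventory over it
    sample = {  # constructed data; com.example.app and its host are made up
        "com.android.vending": ["android.clients.google.com.443", "lh3.ggpht.com.443"],
        "com.example.app": ["updates.example.net.8443", "notes.txt"],
    }
    with tempfile.TemporaryDirectory() as root:
        for package, names in sample.items():
            cache = os.path.join(root, package, "app_sslcache")
            os.makedirs(cache)
            for name in names:
                with open(os.path.join(cache, name), "wb") as fh:
                    fh.write(b"\x00" * 16)  # placeholder bytes, not a real session
        rows = inventory_sslcache(root)
    return rows, unexpected_hosts(rows, ["google.com", "ggpht.com"])
```

For a real case, call `inventory_sslcache()` on the directory holding the extracted `/data/data` tree; the modification times give a rough last-use time for each cached host.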