
I have set up the following to test Flutter's network security, based on the Android documentation, in order to implement certificate pinning:

Note that I specified the domain-config for api.somesite.com, so the app should only accept the somesite.com certificate.

Note that `android:networkSecurityConfig="@xml/network_security_config"` is set in the `AndroidManifest.xml`.

In order to test the certificate pinning, I have two HTTP calls to two endpoints: one to api.somesite.com and another to a random API.

However, both API endpoints work with this network security setting.

I am not sure what I am doing wrong and why following the Android documentation for certificate pinning doesn't seem to have any effect on Flutter itself.

Any help would be much appreciated.

Steve Kim
  • Are you using network_security_config.xml for using an HTTP website in your app? – MSARKrish Jun 04 '20 at 03:48
  • I updated my question to be clearer. So, following the Android document, I have specified the `domain` config with the pin certificates, meaning the network should only connect to `api.somesite.com`, as this is the one specified. However, when I test API calls with `api.somesite.com` and another random one (which should not work), both work. I am a bit lost as to how to make this work. – Steve Kim Jun 04 '20 at 03:57
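The `<pin-set>` in network_security_config.xml is enforced by the Android framework's own TLS stack (HttpsURLConnection and the platform TrustManager); Flutter's `dart:io` HttpClient performs its TLS handshake inside the Dart VM's bundled BoringSSL, where those pins are not applied, which matches both calls succeeding above. The following is an added example (not code from the question or the answer) of pinning on the Dart side instead, by giving HttpClient a trust store that holds only one root; the PEM constant is a placeholder, `api.somesite.com` is the question's hypothetical host, and example.com is assumed as a non-pinned control.

```dart
import 'dart:convert';
import 'dart:io';

// PLACEHOLDER: the PEM of the root CA that api.somesite.com's chain ends in,
// exported from the server you control. Any other root is rejected.
const String pinnedRootPem = '''
-----BEGIN CERTIFICATE-----
PLACEHOLDER-BASE64-CERTIFICATE-BODY
-----END CERTIFICATE-----
''';

/// Builds a dart:io HttpClient whose trust store contains only [pinnedRootPem].
/// Dart performs its own TLS handshake, so this is where pinning has to live
/// for Flutter traffic; the Android pin-set is not applied to Dart TLS.
HttpClient buildPinnedClient() {
  final ctx = SecurityContext(withTrustedRoots: false)
    ..setTrustedCertificatesBytes(utf8.encode(pinnedRootPem));
  final client = HttpClient(context: ctx);
  // Never relax validation: a chain that does not verify against the pinned
  // root must fail the handshake instead of being waved through.
  client.badCertificateCallback =
      (X509Certificate cert, String host, int port) => false;
  return client;
}

/// GETs [url] through the pinned client and returns the body as text.
Future<String> fetchPinned(Uri url) async {
  final client = buildPinnedClient();
  try {
    final request = await client.getUrl(url);
    final response = await request.close();
    return await response.transform(utf8.decoder).join();
  } finally {
    client.close(force: true);
  }
}

Future<void> main() async {
  // Expected to succeed: the server chains to the pinned root.
  print(await fetchPinned(Uri.parse('https://api.somesite.com/')));

  // Expected to fail: example.com is trusted by the system store but is not
  // pinned here, so the handshake is rejected with a HandshakeException.
  try {
    await fetchPinned(Uri.parse('https://example.com/'));
  } on HandshakeException catch (e) {
    print('rejected as intended: $e');
  }
}
```

Pinning to a root or intermediate rather than the leaf avoids an outage on routine leaf renewal; whichever you pin, ship a backup pin and a rotation plan before the certificate expires.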

1 Answer


Take a look at this article: Fix Cleartext Traffic Error in Android 9 Pie

You may have as many domains as you need inside domain-config:

<!-- res/xml/network_security_config.xml -->
<network-security-config>
    <domain-config cleartextTrafficPermitted="true">
        <domain includeSubdomains="true">somesite.com</domain>
        <domain includeSubdomains="true">somesite2.com</domain>
    </domain-config>
</network-security-config>

Don't add the domain with the "api." part.

Rod