
I'm trying to add a network-security-config which restricts connections to servers signed by a set of CAs that I've bundled in the app (actually in a library used by the app). I have an existing setup that works where the CAs are loaded into the trust store. Now that I added a network-security-config and try to test it, it doesn't seem to work.

Here is what I tried to do:

AndroidManifest.xml:

<application
            ...
            android:networkSecurityConfig="@xml/network_security_configuration"
...

network-security-configuration.xml:

<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>
    <debug-overrides>
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </debug-overrides>
</network-security-config>

What I would expect with this new config is that connections are not allowed to servers that are signed by self-signed CAs such as the ones I have bundled. But when I run the app the connections work fine, so the network-security-configuration does not seem to work...

What I ultimately would like to do is to add my CAs to the trust-anchors:

<certificates src="@raw/my_ca" />

My setup, App:

  • Android App Gradle Plugin 7.0
  • Targeting API 30

Library:

  • Android App Gradle Plugin 7.0
  • Targeting API 30

Phone:

  • Samsung Galaxy S20
  • Android 11 (=API 30)

Why is the network-security-configuration not applied?

Alix
  • There is not enough information here to make an educated answer. Do you have sample code of how you are creating the client? Which servers are you connecting to? – Yuri Schimke Aug 12 '21 at 05:50
  • The sample code would be huge unfortunately. What specific part do you want me to add? – Alix Aug 12 '21 at 07:32
  • The servers I'm connecting to are servers with server certificates signed by the CAs that I've bundled in the library. Meaning these CAs are not trusted by the phone itself. Therefore I would expect that the network policy stops me from connecting to them even though I explicitly add them to the trust manager keystore in my code. – Alix Aug 12 '21 at 07:39
  • How about making a sample app in github that demonstrates the problem then? – Yuri Schimke Aug 12 '21 at 07:46
  • This is a proprietary product and I don't want to expose the servers and certificates for legal and security reasons. I will gladly share code snippets upon request. But I can't share the whole codebase. – Alix Aug 12 '21 at 08:00
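For reference, a complete config for the goal stated in the question (trust only the bundled CA for every connection, with user-installed CAs additionally accepted in debuggable builds), as an added example that is not part of the question or its comments. `my_ca` is the raw resource name from the question; the file name `network_security_configuration.xml` is assumed so that it matches the `@xml/` reference in the manifest.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_configuration.xml (name assumed to match the manifest) -->
<network-security-config>
    <!-- Default for every host the app talks to: only the bundled CA(s),
         system CAs are deliberately NOT listed, and cleartext is refused -->
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <!-- res/raw/my_ca: PEM or DER encoded CA certificate(s) shipped with the app -->
            <certificates src="@raw/my_ca" />
        </trust-anchors>
    </base-config>
    <!-- Honoured only while android:debuggable="true"; these anchors are added
         to the base-config set so a developer-installed CA is also accepted -->
    <debug-overrides>
        <trust-anchors>
            <certificates src="user" />
        </trust-anchors>
    </debug-overrides>
</network-security-config>
```

Android resource names may contain only lowercase letters, digits, underscores and dots, so a file named with hyphens cannot be referenced as `@xml/network_security_configuration`. The platform enforces this config through its default TrustManager: an SSLContext initialised with a TrustManager that was built from an app-supplied KeyStore performs its own validation and is not governed by the config, which is the first thing to check when the config appears to have no effect.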

0 Answers