Starting from Android API level 24 it is possible to define a Network Security Configuration and reference it from the Android Manifest:
<?xml version="1.0" encoding="utf-8"?>
<manifest ... >
    <application android:networkSecurityConfig="@xml/network_security_config"
                 ... >
        ...
    </application>
</manifest>
Source: https://developer.android.com/training/articles/security-config.html#manifest (accessed 2021-08-10)
I have a use case where a number of CA certificates are included in an Android library that I am using. I would like to restrict my security configuration to these certificates using trust-anchors.
The network security configuration allows this:
<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <domain-config>
        <domain includeSubdomains="true">example.com</domain>
        <trust-anchors>
            <certificates src="@raw/my_ca"/>
        </trust-anchors>
    </domain-config>
</network-security-config>
Source: https://developer.android.com/training/articles/security-config.html#ConfigCustom (accessed 2021-08-10)
But the certificates are located in my Android library and I don't want to duplicate the files.
How can I reference the library CA certificates from my apps network security configuration?
CA certificates should be put in the res/raw folder, not in the assets folder, in the library project.
This way it is possible to reference the certificates from the app using the library through the network security configuration.
At least everything compiles now, although I have not yet verified a fully working setup due to a different issue; see: Combine Network Security Configuration with OkHttp and custom CAs
I have a Xamarin.Forms application, for which I am able to debug in cleartext (http) mode, based on the inclusion of a network_security_config.xml file as follows:
<network-security-config>
    <base-config cleartextTrafficPermitted="true" />
</network-security-config>
However, if I move the cleartextTrafficPermitted setting inside of a debug-overrides tag as follows, I get the error "Cleartext HTTP traffic to MYSITE is not permitted."
<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <debug-overrides>
        <base-config cleartextTrafficPermitted="true" />
    </debug-overrides>
</network-security-config>
My application is running in debug mode. Even though app debugging was already working and mode was Debug, just in case I tried adding debuggable:true explicitly to the application tag in my AndroidManifest.xml, and have also tried adding (Debuggable = true) as a parameter in the ApplicationAttribute over my main application class declaration, but regardless of how I set the app to be debuggable, the base-config tag seems to be ignored if it's nested inside of a debug-overrides tag. Am I doing something wrong? Is there some other way to allow for HTTP to be permitted in debug mode but not in release mode?
I would suggest you use a domain-specific config.
<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <!-- default config that does not allow plain text traffic -->
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>
    <!-- Specific config for local tests (enable plain text traffic) -->
    <domain-config cleartextTrafficPermitted="true">
        <domain includeSubdomains="true">localhost</domain>
    </domain-config>
</network-security-config>
The debug-overrides tag, as described in the android documentation, does not take the cleartextTrafficPermitted option.
This likely happens because you are referring to the debug mode of Android, and Xamarin doesn't use it in its debug mode.
I cannot fully confirm this, but it is the only possible reason I can think of. As Xamarin doesn't use the Java virtual machine on Android to run, it likely can't use the debug mode that is intended for this virtual machine.
Changing the [Application] attribute over my Application class as follows allows me to use HTTP during debug compiles only:
#if(DEBUG)
[Application(UsesCleartextTraffic=true)]
#else
[Application]
#endif
Put this line in the application tag in the manifest file:
android:usesCleartextTraffic="true"
Before you mark this question as a duplicate, hear me out.
I have added the res/xml/network_security_config.xml file and declared it in the AndroidManifest file but I am still getting this error:
Error while pinging URL: http://google.com. Cleartext HTTP traffic to google.com not permitted
network_security_config.xml
<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <domain-config cleartextTrafficPermitted="true">
        <domain includeSubdomains="true">127.0.0.1</domain>
    </domain-config>
</network-security-config>
AndroidManifest.xml
<application
    android:networkSecurityConfig="@xml/network_security_config"
    ...
</application>
Important points:
I can't use https because it's coming from a library that I am using, the Facebook ad mediation library to be more specific.
When I use android:usesCleartextTraffic="true" in the manifest file instead of using network_security_config file it works.
Also when I use base-config instead of domain-config inside the network_security_config (of course I change the format to use base-config) then it also works.
But as many of the developers suggested, this is not a safe solution. Can anyone tell me if it is actually safe or not?
How can I solve this issue?
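The problems in this question and in the Xamarin question above (a domain-config for 127.0.0.1 that leaves google.com uncovered, a base-config nested inside debug-overrides that is silently ignored) and the trust-anchors question at the top of the page all come down to how Android resolves a host against the configuration file. The script below is an added example, not code from the original posts or from Android; it re-implements the resolution rules as the Android documentation describes them (assumed here: the longest matching domain wins, values a domain-config leaves unset are inherited from base-config, debug-overrides contributes only trust anchors and only in debuggable builds) and runs them over constructed sample configs shaped like the ones on this page, so you can see which rule a given host actually hits before shipping the file.

```python
"""Resolve what Android's Network Security Configuration applies to a host.

Stand-alone re-implementation of the documented rules (written for
illustration, not Android's own parser):
  * a <domain-config> applies when the host equals one of its <domain> entries
    or is a subdomain of one marked includeSubdomains="true"; the longest
    matching domain wins and unset values inherit from the enclosing config;
  * unmatched hosts use <base-config>, else the platform default (targetSdk);
  * <debug-overrides> only contributes <trust-anchors>, only when debuggable;
    any other child (such as a nested <base-config>) is ignored.
"""
import xml.etree.ElementTree as ET


def _attr_bool(elem, name):
    """Boolean value of an attribute, or None when the attribute is absent."""
    value = elem.get(name)
    return None if value is None else value.lower() == "true"


def _anchors(elem):
    """src values of <trust-anchors><certificates/> directly under elem."""
    return [c.get("src") for c in elem.findall("trust-anchors/certificates")]


def _domain_rules(cfg, cleartext, anchors):
    """Flatten nested <domain-config> elements into (domain, subdomains, cleartext, anchors)."""
    own = _attr_bool(cfg, "cleartextTrafficPermitted")
    cleartext = cleartext if own is None else own
    anchors = _anchors(cfg) or anchors  # a trust-anchors element replaces the parent's set
    rules = [(d.text.strip().lower(), bool(_attr_bool(d, "includeSubdomains")), cleartext, anchors)
             for d in cfg.findall("domain")]
    for child in cfg.findall("domain-config"):
        rules += _domain_rules(child, cleartext, anchors)
    return rules


def resolve(xml_text, host, target_sdk=28, debuggable=False):
    """Return (cleartext_permitted, trust_anchor_sources) for connections to host."""
    root = ET.fromstring(xml_text)
    host = host.lower()
    # Platform defaults: API 28+ blocks cleartext, API 24+ stops trusting user-added CAs.
    cleartext = target_sdk < 28
    anchors = ["system"] if target_sdk >= 24 else ["system", "user"]
    base = root.find("base-config")  # direct child only; a base-config nested elsewhere is ignored
    if base is not None:
        own = _attr_bool(base, "cleartextTrafficPermitted")
        cleartext = cleartext if own is None else own
        anchors = _anchors(base) or anchors
    rules = [r for dc in root.findall("domain-config") for r in _domain_rules(dc, cleartext, anchors)]
    best = None
    for domain, subdomains, rule_cleartext, rule_anchors in rules:
        if host == domain or (subdomains and host.endswith("." + domain)):
            if best is None or len(domain) > len(best[0]):
                best = (domain, rule_cleartext, rule_anchors)
    if best is not None:
        _, cleartext, anchors = best
    debug = root.find("debug-overrides")
    if debuggable and debug is not None:  # only its trust anchors are honoured, added to every config
        anchors = anchors + [a for a in _anchors(debug) if a not in anchors]
    return cleartext, anchors


# Constructed sample configurations, shaped like the ones discussed on this page.
LOOPBACK_ONLY = """<network-security-config>
  <domain-config cleartextTrafficPermitted="true">
    <domain includeSubdomains="true">127.0.0.1</domain>
  </domain-config>
</network-security-config>"""

NESTED_BASE = """<network-security-config>
  <debug-overrides><base-config cleartextTrafficPermitted="true" /></debug-overrides>
</network-security-config>"""

LOCALHOST_DEV = """<network-security-config>
  <base-config cleartextTrafficPermitted="false">
    <trust-anchors><certificates src="system" /></trust-anchors>
  </base-config>
  <domain-config cleartextTrafficPermitted="true">
    <domain includeSubdomains="true">localhost</domain>
  </domain-config>
</network-security-config>"""

DEBUG_USER_CAS = """<network-security-config>
  <domain-config>
    <domain includeSubdomains="true">example.com</domain>
    <trust-anchors><certificates src="@raw/my_ca" /></trust-anchors>
  </domain-config>
  <debug-overrides><trust-anchors><certificates src="user" /></trust-anchors></debug-overrides>
</network-security-config>"""

if __name__ == "__main__":
    cases = [(LOOPBACK_ONLY, "google.com", False), (NESTED_BASE, "mysite.example", True),
             (LOCALHOST_DEV, "localhost", False), (DEBUG_USER_CAS, "api.example.com", True)]
    for cfg, host, dbg in cases:
        print(host, "debuggable" if dbg else "release", resolve(cfg, host, debuggable=dbg))
```

Running it shows why the 127.0.0.1 entry does nothing for google.com (the host falls through to the platform default, which blocks cleartext from targetSdkVersion 28 onward), why a base-config nested in debug-overrides is ignored, and that user-added CAs appear in the anchor list only when the build is debuggable. The script models documented behaviour only; the platform parser may differ in corner cases, so treat its output as a review aid for your own file rather than as proof.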
I am trying to do a debug session on an app (Android) by monitoring the outbound/inbound HTTP traffic on the Andy emulator. For SSL traffic I get the following error:
Failure: SSLHandshake: Unsupported curveId: 29
In the past I was not receiving the above error using that app. Could you guys tell me what this error means and how to fix it? Is there any problem within the app that causes the SSL error? Thanks
See the Android section in their documentation https://www.charlesproxy.com/documentation/using-charles/ssl-certificates
You need to add a network security config file for Android N and higher devices.
From Android N onward, you have to add the certificate to your app in network_security_config.xml and the manifest in order to intercept HTTPS traffic.
network_security_config.xml
<network-security-config>
    <debug-overrides>
        <trust-anchors>
            <!-- Trust user added CAs while debuggable only -->
            <certificates src="user" />
        </trust-anchors>
    </debug-overrides>
</network-security-config>
manifest.xml
<?xml version="1.0" encoding="utf-8"?>
<manifest ... >
    <application android:networkSecurityConfig="@xml/network_security_config" ... >
        ...
    </application>
</manifest>
Here is the quick tutorial: https://docs.proxyman.io/debug-devices/android-device
I have a live working RESTful API returning JSON data, created with Node.js and uploaded to a web server. I'm also using React Native to build the front end for both Android and iOS. The API works fine and returns data as expected when I build the debug version of the app on Android using 'react-native run-android'. But the app seems to be unable to fetch data from the API when I build the release version on Android using 'cd android && ./gradlew assembleRelease'. I can't see any hits on the Node server from my app.
I'm using axios for my http requests.
My problem is resolved. As per Google's official documentation, requests to a web server are possible only to a secured domain with a valid SSL certificate. To force HTTP requests to an insecure domain or a domain with a self-signed certificate, just add a file at
"yourProject/android/app/src/main/res/xml/network_security_config.xml"
with the following contents:
<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <domain-config cleartextTrafficPermitted="true">
        <!-- For React Native Hot-reloading system -->
        <!-- If you are running on a device insert your computer IP -->
        <domain includeSubdomains="true">localhost</domain>
        <domain includeSubdomains="true">your own domain ip</domain>
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />
        </trust-anchors>
    </domain-config>
    <base-config cleartextTrafficPermitted="false" />
</network-security-config>
and then import the XML file by adding this line inside the application tag of AndroidManifest.xml:
<application ...
    android:networkSecurityConfig="@xml/network_security_config"
    ... >
Adding android:usesCleartextTraffic="true" in android/app/src/main/AndroidManifest.xml works well for me. You may also want to add it in the debug folder (sibling of main) for development purposes.
As per Android N documentation -
By default, apps that target Android N only trust system-provided certificates and no longer trust user-added Certificate Authorities (CA). Apps targeting Android N that wish to trust user-added CAs should use the Network Security Config to specify how user CAs should be trusted.
What I understood from the doc is that user-installed certificates will no longer be trusted from Android N. So there should be a way to make it trust them. The doc says you can specify the network security config in the manifest file like this:
<?xml version="1.0" encoding="utf-8"?>
<manifest ... >
    <application android:networkSecurityConfig="@xml/network_security_config"
                 ... >
        ...
    </application>
</manifest>
And then specify the network config -
<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <domain-config>
        <domain includeSubdomains="true">example.com</domain>
        <trust-anchors>
            <certificates src="@raw/my_ca"/>
        </trust-anchors>
    </domain-config>
</network-security-config>
But this is obviously static data. I am interested to know if there is a way to add certificates to the trust store dynamically, as real scenarios will have dynamic certs and expiry scenarios. The docs did not clear these up for me.
Q1. Any thoughts or suggestions on how to achieve dynamic addition of trusted certs?
Q2. Does this also affect other certs, like Wi-Fi certs, which may not be app specific? How to trust a custom Wi-Fi cert then? How to add it to the native trust store?