pixel

Reputation: 26441

Default Network Security Configuration behaviour in Android

What is default behaviour for an application when there is no network security config declared?

Would the system reject user certificates in such a case, or does it depend on the compiled API version of the app?

Upvotes: 1

Views: 715

Answers (1)

CommonsWare

Reputation: 1006674

Would the system reject user certificates in such a case

Yes, if your targetSdkVersion is 24 or higher. Quoting the documentation:

By default, apps that target Android 7.0 only trust system-provided certificates and no longer trust user-added Certificate Authorities (CA). Apps targeting Android 7.0 (API level 24) that wish to trust user-added CAs should use the Network Security Config to specify how user CAs should be trusted.

If your targetSdkVersion is 23 or lower, user certificates should still be honored, even without a network security configuration.

Upvotes: 4
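
The rule in the answer above can be turned into a review check. This is an added example, not part of the original answer or of Android itself: a Python function that reports where an app trusts user-added CAs, given its targetSdkVersion and, if declared, its network security config. The function names and the sample config are constructed for illustration, and the code assumes the config is available as decoded XML text (for example from the source tree) and that a `domain-config` without its own `trust-anchors` inherits from its parent.

```python
import xml.etree.ElementTree as ET

def _has_user(anchors):
    """True if a <trust-anchors> element lists the user CA store."""
    return any(c.get("src") == "user" for c in anchors.findall("certificates"))

def _walk(node, inherited, out):
    """Record user-CA trust per <domain>; unset anchors inherit from the parent."""
    anchors = node.find("trust-anchors")
    trusted = inherited if anchors is None else _has_user(anchors)
    for d in node.findall("domain"):
        out[(d.text or "").strip()] = trusted
    for child in node.findall("domain-config"):
        _walk(child, trusted, out)

def audit_user_ca_trust(target_sdk, nsc_xml=None):
    """Report where user-added CAs are trusted (nsc_xml=None: no config declared)."""
    # Platform default from the answer: user CAs are honored only for targetSdk <= 23.
    base = target_sdk <= 23
    result = {"base": base, "debug_builds": False, "domains": {}}
    if nsc_xml is None:
        return result
    root = ET.fromstring(nsc_xml)
    anchors = root.find("base-config/trust-anchors")
    if anchors is not None:
        base = result["base"] = _has_user(anchors)
    for dc in root.findall("domain-config"):
        _walk(dc, base, result["domains"])
    dbg = root.find("debug-overrides/trust-anchors")
    # <debug-overrides> only takes effect when android:debuggable is true.
    result["debug_builds"] = dbg is not None and _has_user(dbg)
    return result

# Constructed sample config: user CAs for one internal host and for debug builds only.
SAMPLE_NSC = """<network-security-config>
    <domain-config>
        <domain includeSubdomains="true">internal.example.com</domain>
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />
        </trust-anchors>
    </domain-config>
    <debug-overrides>
        <trust-anchors>
            <certificates src="user" />
        </trust-anchors>
    </debug-overrides>
</network-security-config>"""
```

With the sample config and targetSdkVersion 28, release builds trust user CAs only for `internal.example.com`, while a call with no config returns the platform default for the given target level.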
