Reputation: 717
I am working on an app where we are using custom CAs for user login. These CAs need to be installed on the device, otherwise login will fail. I came across the network security configuration available on Android. It appears that I can add the CAs to the config file within res/raw. I am okay with trusting these CAs in addition to the CAs provided by the system. Here is how the config file is currently done:
<network-security-config>
    <base-config>
        <trust-anchors>
            <!-- Trust preinstalled CAs -->
            <certificates src="system" />
            <!-- Additionally trust user added CAs -->
            <certificates src="user" />
            <certificates src="@raw/cert1" />
            <certificates src="@raw/cert2" />
            <certificates src="@raw/cert3" />
            <certificates src="@raw/cert4" />
            <certificates src="@raw/cert5" />
            <certificates src="@raw/cert6" />
            <certificates src="@raw/cert7" />
            <certificates src="@raw/cert8" />
            <certificates src="@raw/cert9" />
        </trust-anchors>
    </base-config>
</network-security-config>
The CA files that I've been given had the .cer extension. However, I was told that they are PEM encoded. So, I went ahead and changed the extension to .pem since that's what the Android documentation states.
However, even after I've included these CA files in my codebase and done a clean install of the app onto a device (app wasn't previously installed), login is failing. In addition, when I go under the settings on the device, the CAs aren't installed or physically found on the device. What's the purpose of this then? Did I implement this correctly? Or is this intended for something else?
Can I get away with specifying the CAs within my network security XML or do I need to programmatically install the CAs? As always, any assistance on this would be greatly appreciated.
Upvotes: 1
Views: 795
Reputation: 1007494
> These CAs need to be installed on the device, otherwise login will fail
The user will need to install those certificates manually, through the Settings app.
> In addition, when I go under the settings on the device, the CAs aren't installed or physically found on the device
Correct. They are part of your app's network security configuration. They are not installed on the device as device-wide certificates.
> What's the purpose of this then?
They are for allowing your app to communicate with certain servers.
If your objective is for only your app to talk to the servers that use these CAs, then your setup is fine, assuming that the actual files are OK (I had problems with this a while back).
If your objective is for any app on the device to talk to servers that use those CAs, the certificates will need to be installed manually, and the apps in question would need to opt into allowing user-supplied certificates (i.e., their network security configuration would need <certificates src="user" />).
Upvotes: 1
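A pre-build check for the "assuming that the actual files are OK" condition in the answer above, as an added example that is not part of the original thread: it walks the `<certificates>` entries of a network security config, confirms each `@raw/` reference has a file behind it, and checks that the file is DER or clean PEM (Android's documentation for `<certificates>` requires that PEM files contain no extra non-PEM data such as comments). The function names, the sample config and `STUB_DER` are constructed for illustration, and the check looks at framing only, not at X.509 contents.

```python
import base64
import re
import xml.etree.ElementTree as ET

PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*([A-Za-z0-9+/=\s]+?)-----END CERTIFICATE-----")

def classify_cert_file(data):
    """Return 'der' or 'pem', or an 'invalid: ...' reason. Framing check only."""
    # Heuristic: a DER certificate of 256-65535 bytes starts with 30 82.
    if data.startswith(b"\x30\x82"):
        return "der"
    blocks = PEM_BLOCK.findall(data)
    if not blocks:
        return "invalid: neither DER nor PEM"
    if PEM_BLOCK.sub(b"", data).strip():
        return "invalid: extra non-PEM data in file"
    for body in blocks:
        try:
            der = base64.b64decode(b"".join(body.split()), validate=True)
        except ValueError:
            return "invalid: bad base64 in PEM block"
        if not der.startswith(b"\x30\x82"):
            return "invalid: PEM body is not a DER certificate"
    return "pem"

def audit(config_xml, raw_files):
    """Yield findings. raw_files maps a res/raw file name to its bytes."""
    # A raw resource is referenced by its file name without the extension.
    by_res = {name.rsplit(".", 1)[0]: data for name, data in raw_files.items()}
    for el in ET.fromstring(config_xml).iter("certificates"):
        src = el.get("src", "")
        if src == "user":
            yield "user: app also trusts CAs the user installed"
        elif src.startswith("@raw/"):
            if src[5:] not in by_res:
                yield f"{src}: no matching file in res/raw"
            elif (kind := classify_cert_file(by_res[src[5:]])) not in ("der", "pem"):
                yield f"{src}: {kind}"

# Constructed sample input: STUB_DER only imitates certificate framing.
STUB_DER = b"\x30\x82\x01\x00" + bytes(256)
GOOD_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(STUB_DER)
            + b"-----END CERTIFICATE-----\n")
SAMPLE_RAW = {"cert1.pem": GOOD_PEM, "cert2.pem": b"subject=CN=Example CA\n" + GOOD_PEM}
SAMPLE_CONFIG = """<network-security-config><base-config><trust-anchors>
  <certificates src="system" /><certificates src="user" />
  <certificates src="@raw/cert1" /><certificates src="@raw/cert2" />
  <certificates src="@raw/cert3" />
</trust-anchors></base-config></network-security-config>"""
print(*audit(SAMPLE_CONFIG, SAMPLE_RAW), sep="\n")
```

On the constructed sample this reports the `src="user"` entry, the PEM file with a leading text line, and the reference with no file behind it.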