Self-signed certificates and Nativescript Android Apps

Question

I'm developing a Nativescript application that I'm debugging in an Android emulator. I have a service in that application that calls out to an ASP.Net Core API that is accessed via HTTPS. I've generated a self-signed certificate and added it to my personal and trusted stores using the following Powershell script

$selfSignedCert = New-SelfSignedCertificate `
-Subject "CN=10.0.2.2" `
-KeyExportPolicy Exportable `
-FriendlyName "My self-signed certificate" `
-DnsName "localhost","10.0.2.2" `
-HashAlgorithm sha256 `
-KeyLength 2048 `
-NotAfter (Get-Date).AddYears(1) `
-CertStoreLocation "Cert:\CurrentUser\My" `
-TextExtension @("2.5.29.19 ={critical} {text}ca=true")

$thumbprint = $selfSignedCert.Thumbprint

Export-Certificate -Cert cert:\CurrentUser\my\$thumbprint -FilePath 
c:\Temp\MyCert.cer -force

Import-Certificate -filePath c:\Temp\MyCert.cer -CertStoreLocation 
"cert:\CurrentUser\Root"

I've then updated application.json of the API to serve this certificate from my store, i.e.,

{
    "Kestrel": {
      "Endpoints": {
        "HttpsInlineCertStore": {
          "Url": "https://localhost:5001",
            "Certificate": {
              "Subject": "10.0.2.2",
              "Store": "My",
              "Location": "CurrentUser"
            }
          }
        }
      }
 }

I've uploaded the same certificate to my Android emulator and see it installed in the Trusted credentials here

and User credentials here

I've updated my AndroidManifest.xml file to include network_security_config, i.e.,

<application
    android:name="com.tns.NativeScriptApplication"
    android:allowBackup="true"
    android:icon="@drawable/icon"
    android:label="@string/app_name"
    android:theme="@style/AppTheme"
    android:debuggable="true"
    android:networkSecurityConfig="@xml/network_security_config">

where network_security_config is

<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <debug-overrides>
        <trust-anchors>
            <certificates src="user"/>
        </trust-anchors>
    </debug-overrides>
</network-security-config>

However, when I attempt to call my API from within my Nativescript app, I get the following error

JS:     "originalStack": "Error: javax.net.ssl.SSLPeerUnverifiedException: Hostname 10.0.2.2 not verified:\n    certificate: sha1/Ls/XF5mOCTPFkwc7SY//8DELFQU=\n    DN: CN=10.0.2.2\n    subjectAltNames: [localhost, 10.0.2.2]\n    at new ZoneAwareError (file:///data/data/org.nativescript.koffi/files/app/vendor.js:80939:33)\n    at onRequestComplete (file:///data/data/org.nativescript.koffi/files/app/vendor.js:100228:34)\n
   at Object.onComplete (file:///data/data/org.nativescript.koffi/files/app/vendor.js:100220:13)",
JS:     "zoneAwareStack": "Error: javax.net.ssl.SSLPeerUnverifiedException: Hostname 10.0.2.2 not verified:\n    certificate: sha1/Ls/XF5mOCTPFkwc7SY//8DELFQU=\n    DN: CN=10.0.2.2\n    subjectAltNames: [localhost, 10.0.2.2...

Is this because the certificate is self-signed and not from a trusted CA, even though my XML configuration point to user for its trust anchors? Is it possible to use self-signed certificates when developing Android apps?

Answer 1

A common name (CN) should not be an ip address. You have to set an alternate name (SAN) as an ip address - 10.0.2.2 in your case.

Please add the parameter "-SAN <ip>" in your script. For powershell script, see the section "SubjectAlternativeName" here: https://www.sysadmins.lv/blog-en/self-signed-certificate-creation-with-powershell.aspx

You can generate your certificate/keys with other tools as well, like openssl and keytool. The easiest way I've found to generate is using keytool: https://medium.com/@piraveenaparalogarajah/ssl-issues-when-integrating-android-applications-with-local-is-server-7355b681dbc9