Plinio.Santos

Reputation: 1759

Network security configuration not working with third party API

My app is getting an SSLHandshakeException since I updated my app to use a network security config.

The app makes requests to two servers. One of them is a development server accessible only on my company network. The other one is a public server running an ArcGIS Server. The domain is able to communicate over TLS 1.2.

So, I expect everything to work just by adding a rule for my private development server. This is the content of my network security config:

<?xml version="1.0" encoding="utf-8"?>
<network-security-config xmlns:android="http://schemas.android.com/apk/res/android">
    <domain-config cleartextTrafficPermitted="true">
        <domain includeSubdomains="true">172.17.1.14</domain>
    </domain-config>
</network-security-config>

Unfortunately, any requests to my public server (using a third-party API from the server manufacturer) result in the following exception:

Caused by: java.security.cert.CertificateException: Domain specific configurations require that hostname aware checkServerTrusted(X509Certificate[], String, String) is used
        at android.security.net.config.RootTrustManager.checkServerTrusted(RootTrustManager.java:111)
        at com.esri.arcgisruntime.internal.e.a.a.checkServerTrusted(SourceFile:161)
        at com.android.org.conscrypt.Platform.checkServerTrusted(Platform.java:212)
        at com.android.org.conscrypt.ConscryptFileDescriptorSocket.verifyCertificateChain(ConscryptFileDescriptorSocket.java:404)
        at com.android.org.conscrypt.NativeCrypto.SSL_do_handshake(Native Method)
        at com.android.org.conscrypt.NativeSsl.doHandshake(NativeSsl.java:375)
        at com.android.org.conscrypt.ConscryptFileDescriptorSocket.startHandshake(ConscryptFileDescriptorSocket.java:224)

Since my public server has a valid certificate and is TLS 1.2 aware, it should not happen, right?

The following network security config works fine, but it is insecure:

<?xml version="1.0" encoding="utf-8"?>
<network-security-config xmlns:android="http://schemas.android.com/apk/res/android">
    <base-config cleartextTrafficPermitted="true">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>
</network-security-config>

In addition, I read that Facebook's Audience Network Android SDK also experienced issues with the network security configuration because they cache files at localhost. I've tried the same solution proposed by them, but it also didn't work: https://developers.facebook.com/docs/audience-network/android-network-security-config/

What have I done wrong? Sniffing the emulator network did not show any requests other than the expected ones.

Upvotes: 2

Views: 3779

Answers (1)

KoirN

Reputation: 338

I've faced similar issues too. After some investigation, I found an issue on GitHub where there was a detailed description of why this issue could happen: https://github.com/microsoft/cpprestsdk/issues/1313 In short, it's a new behaviour of the Android Framework. If your network config contains any <domain-config> blocks, the Framework throws a CertificateException if you call checkServerTrusted(X509Certificate[] certs, String authType) in X509TrustManager. So instead you should use X509TrustManagerExtensions and call the method with a hostname in its signature.

Upvotes: 3
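As an added example (not code from the question, the answer or the ArcGIS SDK), here is a delegating trust manager that applies the answer's advice: server chains are only ever validated through X509TrustManagerExtensions with the peer hostname, so the platform's per-domain rules are applied instead of the two-argument call throwing. It assumes API 24+ (for X509ExtendedTrustManager) and an SDK that lets you supply your own TrustManager; the class name is made up.

```java
import android.net.http.X509TrustManagerExtensions;
import java.net.Socket;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.*;

// Added example (not the question's or the SDK's code); assumes API 24+ for X509ExtendedTrustManager.
public final class HostnameAwareTrustManager extends X509ExtendedTrustManager {
    private final X509TrustManager system;               // platform manager, honours network_security_config
    private final X509TrustManagerExtensions extensions; // exposes checkServerTrusted(chain, authType, host)

    public HostnameAwareTrustManager() throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null KeyStore = platform defaults, so <domain-config> rules still apply
        X509TrustManager found = null;
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) { found = (X509TrustManager) tm; break; }
        }
        if (found == null) throw new IllegalStateException("no X509TrustManager in platform defaults");
        system = found;
        extensions = new X509TrustManagerExtensions(system);
    }
    @Override public void checkServerTrusted(X509Certificate[] chain, String authType, Socket socket)
            throws CertificateException {
        SSLSession s = socket instanceof SSLSocket ? ((SSLSocket) socket).getHandshakeSession() : null;
        checkWithHost(chain, authType, s == null ? null : s.getPeerHost());
    }
    @Override public void checkServerTrusted(X509Certificate[] chain, String authType, SSLEngine engine)
            throws CertificateException {
        checkWithHost(chain, authType, engine.getPeerHost());
    }
    // The two-argument form is exactly the call RootTrustManager rejects once a <domain-config> exists;
    // fail explicitly rather than bypassing the per-domain rules.
    @Override public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        throw new CertificateException("hostname required; use the Socket or SSLEngine overload");
    }
    private void checkWithHost(X509Certificate[] chain, String authType, String host) throws CertificateException {
        if (host == null || host.isEmpty()) throw new CertificateException("peer hostname unknown");
        extensions.checkServerTrusted(chain, authType, host); // trust anchors, pins and domain rules applied here
    }
    // Client-certificate checks are unaffected by the issue; delegate unchanged.
    @Override public void checkClientTrusted(X509Certificate[] c, String a) throws CertificateException { system.checkClientTrusted(c, a); }
    @Override public void checkClientTrusted(X509Certificate[] c, String a, Socket s) throws CertificateException { system.checkClientTrusted(c, a); }
    @Override public void checkClientTrusted(X509Certificate[] c, String a, SSLEngine e) throws CertificateException { system.checkClientTrusted(c, a); }
    @Override public X509Certificate[] getAcceptedIssuers() { return system.getAcceptedIssuers(); }
}
```

Install it with SSLContext.init(null, new TrustManager[]{ new HostnameAwareTrustManager() }, null) and hand that context to the SDK; connections to a host with no hostname in the handshake session are rejected rather than checked without domain rules.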
