
Default Network Security Configuration behaviour in Android


What is default behaviour for an application when there is no network security config declared?

Would the system reject user certificates in such a case, or does it depend on the compiled API version of the app?


Solution

  • Would the system reject user certificates in such a case

    Yes, if your targetSdkVersion is 24 or higher. Quoting the documentation:

    By default, apps that target Android 7.0 only trust system-provided certificates and no longer trust user-added Certificate Authorities (CA). Apps targeting Android 7.0 (API level 24) that wish to trust user-added CAs should use the Network Security Config to specify how user CAs should be trusted.

    If your targetSdkVersion is 23 or lower, user certificates should still be honored, even without a network security configuration.
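As an added example (not part of the question or the answer above), the following Network Security Config makes the API 24+ default explicit for normal operation and re-enables user-added CAs only for debuggable builds. This is the usual way to let a debug build be inspected through an interception proxy while release builds keep trusting system CAs only. The file name and the manifest attribute value are assumptions; the element names are the standard Android Network Security Config elements.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml (file name assumed; it is referenced
     from the manifest with
     android:networkSecurityConfig="@xml/network_security_config"). -->
<network-security-config>
    <!-- Default for every connection: the same policy the platform applies
         to apps targeting API 24+ when no config exists (system CAs only).
         Writing it out makes the trust policy reviewable in source control. -->
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>

    <!-- Applied only while the app is built with android:debuggable="true".
         User-added CAs are honoured here so a debug build can be tested
         through a proxy; release builds never reach this block. -->
    <debug-overrides>
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />
        </trust-anchors>
    </debug-overrides>
</network-security-config>
```

Reference the file from the `<application>` element of AndroidManifest.xml with `android:networkSecurityConfig="@xml/network_security_config"`. Two caveats worth checking before relying on it: the file is only read on Android 7.0 and later (older platform versions ignore it and keep their own default of trusting user CAs), and `<debug-overrides>` is tied to the debuggable flag, so a release build that accidentally ships with `android:debuggable="true"` would also trust user-added CAs.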