Tags: android, ssl, xamarin.forms, xamarin.android, android-network-security-config

Trust anchor for certification path not found and Trust anchor possible resolution


I am trying to understand the Network Security config and the certs bit. So far I have never had to bother to set up trust anchors in my config, as the apps just worked and relied on what was set up on the server.

Suppose I have the following config with no trust anchor specified

    <?xml version="1.0" encoding="utf-8"?>
    <network-security-config>
      <domain-config cleartextTrafficPermitted="false">
      </domain-config>
    </network-security-config>

  1. What is the default policy applied for certs in this case?
  2. Will it trust any certificate set in my server?

Because I think we have a broken cert chain (verified with an SSL checker...), but I have a situation that I cannot explain to colleagues in the Network team and don't understand it either.

Why does an Android app making an HTTPS call not work if a certificate chain is broken (cannot reach an intermediate cert), but it works in the browser?

What do `system` and `user` mean? Can I just add this so the app will no longer give me "Trust anchor for certification path not found"?

    <?xml version="1.0" encoding="utf-8"?>
    <network-security-config>
        <base-config>
            <trust-anchors>
                <certificates src="system"/>
                <certificates src="user"/>
            </trust-anchors>
        </base-config>
    </network-security-config>

Can you shed some light? I looked at the Android docs but it is not clear to me. Can you spend 5 minutes explaining it to me? Google did not help this time.

Thank you


Solution

  • What is the default policy applied for certs in this case?

    By default, secure connections (using protocols like TLS and HTTPS) from all apps trust the pre-installed system CAs, and apps targeting Android 6.0 (API level 23) and lower also trust the user-added CA store by default. An app can customize its own connections using base-config (for app-wide customization) or domain-config (for per-domain customization).

  • Will it trust any certificate set in my server?

    You could trust a custom set of CAs instead of the platform default. For more details about this, please check the document: https://developer.android.com/training/articles/security-config#CustomTrust
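As an added example (not the poster's config and not from the answer above), a complete res/xml/network_security_config.xml that applies the two points in practice: only the system store is trusted app-wide, user-added CAs are trusted only in debuggable builds, and for one domain the intermediate CA is shipped with the app as an extra trust anchor, which is a client-side stop-gap for a server that sends an incomplete chain. The domain name api.example.com and the raw resource name corp_intermediate are assumptions.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example, not the original poster's config. Referenced from the
     manifest with android:networkSecurityConfig="@xml/network_security_config"
     on the <application> element. -->
<network-security-config>

    <!-- App-wide policy: only pre-installed system CAs and no cleartext.
         Leaving out src="user" means a CA installed on the device by its
         owner (or by whoever holds an unlocked device) is NOT trusted.
         This is already the default when targetSdkVersion is 24 or higher;
         spelling it out makes the policy explicit and reviewable. -->
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system"/>
        </trust-anchors>
    </base-config>

    <!-- Per-domain policy for the API host (assumed name). If the server
         sends only the leaf certificate, Android cannot build the path to
         a system root and reports "Trust anchor for certification path not
         found". Bundling the intermediate as res/raw/corp_intermediate.pem
         (assumed name) and listing it as a trust anchor lets the path
         terminate there. The real fix is for the server to send the full
         chain; remove this anchor once it does. -->
    <domain-config cleartextTrafficPermitted="false">
        <domain includeSubdomains="true">api.example.com</domain>
        <trust-anchors>
            <certificates src="@raw/corp_intermediate"/>
            <certificates src="system"/>
        </trust-anchors>
    </domain-config>

    <!-- Only honoured when android:debuggable="true": trust user-added CAs
         so a developer's own test CA works on a dev device. This block is
         ignored entirely in release builds, so it cannot widen the trust
         store of the shipped app. -->
    <debug-overrides>
        <trust-anchors>
            <certificates src="user"/>
        </trust-anchors>
    </debug-overrides>

</network-security-config>
```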