I am trying to understand the Network Security config and the certs bit. So far I never had to bother to set up trust anchors in my config, as the apps just worked and relied on what was set up on the server.
Suppose I have the following config with no trust anchor specified:
<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <domain-config cleartextTrafficPermitted="false">
    </domain-config>
</network-security-config>
Because I think we have a broken cert chain (verified with an sslchecker), but I have a situation that I cannot explain to colleagues in the Network team and don't understand it either.
Why does an Android app making an HTTPS call not work if a certificate chain is broken (cannot reach an intermediate cert), but it works in the browser?
What do system or user mean? Can I just add this so the app will no longer give me "Trust anchor for certification path not found"?
<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config>
        <trust-anchors>
            <certificates src="system"/>
            <certificates src="user"/>
        </trust-anchors>
    </base-config>
</network-security-config>
Can you shed some light? I looked at the Android docs but it is not clear to me. Can you spend 5 mins to explain it to me? Google did not help this time.
Thank you
What is the default policy applied for certs in this case ?
By default, secure connections (using protocols like TLS and HTTPS) from all apps trust the pre-installed system CAs, and apps targeting Android 6.0 (API level 23) and lower also trust the user-added CA store by default. An app can customize its own connections using base-config (for app-wide customization) or domain-config (for per-domain customization).
Will it trust any certificate set in my server?
You could trust a custom set of CAs instead of the platform default. For more details about this, please check the document. https://developer.android.com/training/articles/security-config#CustomTrust