Tags: android, network-security-config, ssl-pinning

Certificate Pinning not working when trust user certificates in network security configuration


I am learning network security configuration in Android. Here is my configuration file:

<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config cleartextTrafficPermitted="true">
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />
        </trust-anchors>
    </base-config>

    <domain-config cleartextTrafficPermitted="false">
        <domain includeSubdomains="true">*.xx.com</domain>
        <pin-set expiration="2031-05-01">
            <!-- these two are certificates in *.xx.com certificate chains -->
            <pin digest="SHA-256">8Rxjasdfk7jjlasdnP6sdkxnjkkqaGZfjnxkynxndA=</pin>
            <pin digest="SHA-256">K0z9yJZklpaxAjkasxYjkLsUzxdUoewxj1z3z8lNgA=</pin>
        </pin-set>
    </domain-config>
</network-security-config>

When I use Charles to capture the network traffic, URLs under *.xx.com can still be loaded normally. In my thoughts, the <pin-set> configuration would make the connection fail, since the certificates from Charles can't pass the certificate pinning validation.

If I remove <certificates src="user"/>, the certificate pinning works and URLs under *.xx.com can't be loaded. I suspect that trusting user certificates makes certificate pinning stop working. Did I do something wrong?


Solution

  • I made a mistake. The domain should be xx.com here, not *.xx.com, while *.xx.com is the form used in OkHttp's CertificatePinner.
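The reason the two spellings behave so differently is that Android's network security config and OkHttp's CertificatePinner use different host-matching rules. The following Python model is an added example (not code from the question, from Android or from OkHttp) of both rules; it reuses the domain and the two pin values from the question's XML, and, going beyond the question, also models OkHttp's "**." prefix. The point it shows: a <domain> of "*.xx.com" is taken literally by Android, so a request to api.xx.com matches no <domain-config>, falls through to <base-config> (system + user CAs, no pins), and a user-installed proxy CA such as Charles's is accepted; with "xx.com" plus includeSubdomains="true" the pin set applies.

```python
"""Model of host matching in Android's network security config (NSC)
versus OkHttp's CertificatePinner.  Added example; not code from the
question, from Android or from OkHttp."""

from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class DomainConfig:
    domain: str                 # text of the <domain> element
    include_subdomains: bool    # includeSubdomains attribute
    pins: List[str] = field(default_factory=list)  # <pin> values of the <pin-set>


def nsc_domain_config_for(host: str, domain_configs: List[DomainConfig]) -> Optional[DomainConfig]:
    """Pick the <domain-config> Android applies to `host`.

    Android compares the <domain> text literally (case-insensitively); there is
    no wildcard syntax.  The exact host wins; otherwise each parent domain is
    tried, and a parent applies only when includeSubdomains="true".  No match
    means the host falls through to <base-config>, which in the question's
    file trusts system + user CAs and carries no pins.
    """
    host = host.lower().rstrip(".")
    by_domain = {dc.domain.lower(): dc for dc in domain_configs}
    if host in by_domain:                     # most specific match first
        return by_domain[host]
    labels = host.split(".")
    for i in range(1, len(labels)):           # walk up: api.xx.com -> xx.com -> com
        parent = ".".join(labels[i:])
        dc = by_domain.get(parent)
        if dc is not None and dc.include_subdomains:
            return dc
    return None


def nsc_pins_for(host: str, domain_configs: List[DomainConfig]) -> List[str]:
    """Pins Android would enforce for `host`; [] means no pinning (base-config)."""
    dc = nsc_domain_config_for(host, domain_configs)
    return list(dc.pins) if dc else []


def okhttp_pattern_matches(pattern: str, host: str) -> bool:
    """OkHttp CertificatePinner pattern rules (OkHttp 4.x, as the author of
    this example understands them):
      "*.xx.com"  matches exactly one extra label: api.xx.com, but neither
                  xx.com itself nor a.b.xx.com
      "**.xx.com" matches xx.com and subdomains at any depth
      anything else must equal the host exactly
    """
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("**."):
        suffix = pattern[3:]
        return host == suffix or host.endswith("." + suffix)
    if pattern.startswith("*."):
        suffix = pattern[2:]
        if not host.endswith("." + suffix):
            return False
        prefix = host[: -len(suffix) - 1]
        return prefix != "" and "." not in prefix
    return host == pattern


# Pin values copied from the question's XML (they are not real SPKI hashes).
PINS = [
    "8Rxjasdfk7jjlasdnP6sdkxnjkkqaGZfjnxkynxndA=",
    "K0z9yJZklpaxAjkasxYjkLsUzxdUoewxj1z3z8lNgA=",
]
AS_POSTED = [DomainConfig("*.xx.com", True, PINS)]  # the question's <domain>
CORRECTED = [DomainConfig("xx.com", True, PINS)]    # the solution's <domain>


def demo(host: str = "api.xx.com") -> dict:
    """Summarise what each matcher decides for one host."""
    return {
        "nsc_as_posted_pins": nsc_pins_for(host, AS_POSTED),    # [] -> proxy CA accepted
        "nsc_corrected_pins": nsc_pins_for(host, CORRECTED),    # pins enforced
        "okhttp_star_matches": okhttp_pattern_matches("*.xx.com", host),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the script prints an empty pin list for the posted config and the two pins for the corrected one, which is exactly the behaviour observed with Charles. The walk-up in nsc_domain_config_for is also why includeSubdomains="true" on xx.com covers hosts several labels deep, whereas OkHttp's single "*." only covers one label.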