For debugging my app that connects over HTTPS, I want to connect to a local development server, which does not have the SSL certificate for my production server.
I read that I can do this without any modification to my app's code by specifying debug-only CAs, which are trusted only when android:debuggable is true.
This seems to be working; however, the suggested app code example at the following link is not clear: https://developer.android.com/training/articles/security-config.html#TrustingDebugCa
Code example
<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <!-- Only applied when android:debuggable="true" -->
    <debug-overrides>
        <trust-anchors>
            <certificates src="@raw/debug_cas"/>
        </trust-anchors>
    </debug-overrides>
</network-security-config>
This code example is not clear, because I do not know what debug_cas is. Can someone help me with this?
I was able to get this working using the following code, however, I am not sure if setting the src="user" is secure.
<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <!-- Default for every connection: the platform's pre-installed CAs -->
    <base-config>
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>
    <!-- Only applied when android:debuggable="true" -->
    <debug-overrides>
        <trust-anchors>
            <!-- "user": CAs the device user has installed themselves -->
            <certificates src="user" />
        </trust-anchors>
    </debug-overrides>
</network-security-config>
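For reference, here is the shape of a config that uses a bundled debug CA instead of `src="user"`. This is an added example, not the code from the question or from the Android documentation, and it assumes the development server's CA certificate (PEM or DER encoded X.509) has been copied into the app module as `res/raw/debug_cas.pem`; Android resolves `@raw/debug_cas` to that file by its name without the extension, so the file name is the only thing tying the two together.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml
     Assumption: the dev CA lives at res/raw/debug_cas.pem, so the
     resource "@raw/debug_cas" exists. A PEM file may hold several
     certificates if more than one dev CA is needed. -->
<network-security-config>
    <!-- Production and every non-debuggable build: platform CAs only,
         nothing from the user store. -->
    <base-config>
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>

    <!-- Honoured only while android:debuggable="true" and ignored in a
         release build. Trust anchors listed here are added to all other
         configurations, and pinning is skipped for chains that end in one
         of them, so the debug build can reach the local server without
         trusting every CA the device user has installed. -->
    <debug-overrides>
        <trust-anchors>
            <certificates src="@raw/debug_cas" />
        </trust-anchors>
    </debug-overrides>
</network-security-config>
```

The config is only consulted if the manifest's `<application>` element carries `android:networkSecurityConfig="@xml/network_security_config"`, and `<debug-overrides>` takes effect only when the build is debuggable (Android Studio sets `android:debuggable="true"` for debug variants automatically). A quick way to confirm which case a given APK falls into is `aapt dump badging app.apk`, which prints an `application-debuggable` line for debuggable builds.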