1

I am working on an app where we are using custom CAs for user login. These CAs need to be installed on the device, otherwise login will fail. I came across the network security configuration available on Android. It appears that I can add the CAs to the config file within res/raw. I am okay with trusting these CAs in addition to the CAs provided by the system. Here is how the config file is currently done:

<network-security-config>
    <base-config>
        <trust-anchors>
            <!-- Trust preinstalled CAs -->
            <certificates src="system" />
            <!-- Additionally trust user added CAs -->
            <certificates src="user" />
            <certificates src="@raw/cert1" />
            <certificates src="@raw/cert2" />
            <certificates src="@raw/cert3" />
            <certificates src="@raw/cert4" />
            <certificates src="@raw/cert5" />
            <certificates src="@raw/cert6" />
            <certificates src="@raw/cert7" />
            <certificates src="@raw/cert8" />
            <certificates src="@raw/cert9" />
        </trust-anchors>
    </base-config>
</network-security-config>

The CA files that I've been given had the .cer extension. However, I was told that they are PEM encoded. So, I went ahead and changed the extension to .pem since that's what the Android documentation states.

However, even after I've included these CA files in my codebase and done a clean install of the app onto a device (the app wasn't previously installed), login is failing. In addition, when I go under the settings on the device, the CAs aren't installed or physically found on the device. What's the purpose of this then? Did I implement this correctly? Or is this intended for something else?

Can I get away with specifying the CAs within my network security XML or do I need to programmatically install the CAs? As always, any assistance on this would be greatly appreciated.

coolDude

1 Answer

1

> These CAs need to be installed on the device, otherwise login will fail

The user will need to install those certificates manually, through the Settings app.

> In addition, when I go under the settings on the device, the CAs aren't installed or physically found on the device

Correct. They are part of your app's network security configuration. They are not installed on the device as device-wide certificates.

> What's the purpose of this then?

They are for allowing your app to communicate with certain servers.

If your objective is for only your app to talk to the servers that use these CAs, then your setup is fine, assuming that the actual files are OK (I had problems with this a while back).

If your objective is for any app on the device to talk to servers that use those CAs, the certificates will need to be installed manually, and the apps in question would need to opt into allowing user-supplied certificates (i.e., their network security configuration would need `<certificates src="user" />`).

CommonsWare
  • thanks so much for your input on this! What you're saying makes sense and I'd definitely only want _my app_ to talk to the servers with the CAs I've specified. When I added my CAs as a raw resource, I initially changed the extension to `.pem`. However, I've since removed them and added the original `.cer` files. Now, login appears to be working on 2 different emulators. Again, I do appreciate your help on this though and helping me better understand the network security config. – coolDude Dec 21 '18 at 19:03
  • Side question - would you happen to know if Samsung devices are difficult to work with when it comes to these network security configs? I originally tried an S9 when I had the CAs as `.pem` in my codebase and it was not working properly on my S9. I'm going to try this again since I've changed the extension to `.cer`, but I was curious to know if you had any issues with Samsung devices and how they've implemented security. – coolDude Dec 21 '18 at 19:06
  • @coolDude: "would you happen to know if Samsung devices are difficult to work with when it comes to these network security configs?" -- I am not aware of any particular problems. However, Samsung compatibility has been a challenge overall, so I certainly cannot rule it out. "When I added my CAs as a raw resource, I initially changed the extension to `.pem`. However, I've since removed them and added the original `.cer` files." -- file extensions should be irrelevant for raw resources. If you changed the *content* as well as the extension, that very well could have an impact. – CommonsWare Dec 21 '18 at 19:12
  • Awesome, thank you so much once again. Appreciate it! – coolDude Dec 21 '18 at 19:21
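
An added example, not code from the question or the answer: a build-time check in Python that follows the point made in the thread, that a raw-resource trust anchor is judged by its content and not by its file extension. It maps every `@raw/` reference in the network security config to `pem`, `der`, `invalid`, `missing` or `ambiguous`. The function names are hypothetical, the DER test is structural only (one outer SEQUENCE, not full X.509 parsing), and taking the resource name from the file name without its extension is an assumption.

```python
import base64, re, sys
import xml.etree.ElementTree as ET
from pathlib import Path

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def der_sequence_ok(data: bytes) -> bool:
    """Structural check only: data is exactly one DER SEQUENCE, the outer shape of X.509."""
    if len(data) < 2 or data[0] != 0x30:
        return False
    header, length = 2, data[1]             # short-form length
    if length >= 0x80:                      # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        if n == 0 or len(data) < 2 + n:
            return False
        header, length = 2 + n, int.from_bytes(data[2:2 + n], "big")
    return header + length == len(data)

def classify(content: bytes) -> str:
    """Classify a raw resource by its bytes, never its extension: 'pem', 'der' or 'invalid'."""
    blocks = PEM_RE.findall(content)
    if not blocks:
        return "der" if der_sequence_ok(content) else "invalid"
    # Android's <certificates> documentation: PEM files must not carry extra non-PEM data.
    if PEM_RE.sub(b"", content).strip():
        return "invalid"
    try:
        ders = [base64.b64decode(b"".join(b.split()), validate=True) for b in blocks]
    except ValueError:                      # binascii.Error subclasses ValueError
        return "invalid"
    return "pem" if all(der_sequence_ok(d) for d in ders) else "invalid"

def audit(config_xml: str, raw_dir: Path) -> dict:
    """Map every @raw/ trust anchor in the config to pem/der/invalid/missing/ambiguous."""
    result = {}
    for node in ET.fromstring(config_xml).iter("certificates"):
        src = node.get("src", "")
        if not src.startswith("@raw/"):
            continue                        # "system" and "user" are not files in the app
        name = src[len("@raw/"):]
        # Assumption: the resource name is the file name without its extension.
        files = [p for p in raw_dir.iterdir() if p.is_file() and p.stem == name]
        result[name] = "ambiguous" if len(files) > 1 else "missing"
        if len(files) == 1:
            result[name] = classify(files[0].read_bytes())
    return result

if __name__ == "__main__":                  # usage: audit.py <config.xml> <res/raw dir>
    print(audit(Path(sys.argv[1]).read_text(), Path(sys.argv[2])))
```

Run it against the app's config file and `res/raw` directory before building; anything other than `pem` or `der` is worth fixing before debugging login failures on a device.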