Pre-installed PdfViewerActivity does not work with SelfSigned trusted user certificate Android 11 ver 2

Question

I have a server with SelfSigned certificate. This certificate has been added to the Trusted credentials/User list on the Android 11 device. My application and browser work correctly with it: I can download pdf file from MyServer througt Chrome browser.

My network-security-config.xml

<network-security-config xmlns:tools="http://schemas.android.com/tools">
    <base-config cleartextTrafficPermitted="true">
        <trust-anchors tools:ignore="AcceptsUserCertificates">
            <!-- Trust preinstalled CAs -->
            <certificates src="system" />
            <!-- Additionally trust user added CAs -->
            <certificates src="user" />
        </trust-anchors>
    </base-config>
</network-security-config>

But, when I try to open pdf file I got SSLHandshakeException from PdfViewerActivity. My code:

Intent pdfIntent = new Intent(Intent.ACTION_VIEW, Uri.parse("https://www.myserver.com/example.pdf"));
startActivity(pdfIntent);

Error log:

I/ActivityTaskManager: Displayed com.google.android.apps.docs/com.google.android.apps.viewer.PdfViewerActivity: +163ms

E/HttpUriOpener: general IOException: SSLHandshakeException

E/PdfViewerActivity: fetchFile:https: javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.

Is it bug inside PdfViewerActivity or I have done something wrong? I will appreciate any idea how to fix this problem.

UPD: Trust Anchor not found for Android SSL Connection is NOT the answer to my question. It does not contains information about work with SelfTrusted sertificate on Android 11.

Answer 1

Is it bug inside PdfViewerActivity or I have done something wrong?

Neither. There are dozens of possible PDF viewer apps that might be launched by that Intent. None of them are your app, and so none of them are affected by your network security configuration. And on newer versions of Android, user-installed certificates are ignored by default.

You will need to download the PDF file yourself, then use FileProvider and its getUriForFile() method to get a Uri to use with your Intent.

Alternatively, you could switch the server to use a regular SSL certificate (e.g., Let's Encrypt) instead of a self-signed certificate, if that is practical for your situation.