Does Background Service Apps in Android 8 above restrict internet use without proper certificates

Question

I have a background service bound to my Foreground app. This service is being used to hit a web service to fetch some data from that particular web service. But when accessing that web service from that background app I am getting Certificate Exception.

javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
                at com.android.org.conscrypt.ConscryptFileDescriptorSocket.startHandshake(ConscryptFileDescriptorSocket.java:219)
                at com.android.okhttp.internal.io.RealConnection.connectTls(RealConnection.java:192)
                at com.android.okhttp.internal.io.RealConnection.connectSocket(RealConnection.java:149)
                at com.android.okhttp.internal.io.RealConnection.connect(RealConnection.java:112)
                at com.android.okhttp.internal.http.StreamAllocation.findConnection(StreamAllocation.java:184)
                at com.android.okhttp.internal.http.StreamAllocation.findHealthyConnection(StreamAllocation.java:126)
                at com.android.okhttp.internal.http.StreamAllocation.newStream(StreamAllocation.java:95)
                at com.android.okhttp.internal.http.HttpEngine.connect(HttpEngine.java:281)
                at com.android.okhttp.internal.http.HttpEngine.sendRequest(HttpEngine.java:224)
                at com.android.okhttp.internal.huc.HttpURLConnectionImpl.execute(HttpURLConnectionImpl.java:461)
                at com.android.okhttp.internal.huc.HttpURLConnectionImpl.connect(HttpURLConnectionImpl.java:127)
                at com.android.okhttp.internal.huc.HttpURLConnectionImpl.getOutputStream(HttpURLConnectionImpl.java:258)
                at com.android.okhttp.internal.huc.DelegatingHttpsURLConnection.getOutputStream(DelegatingHttpsURLConnection.java:218)
                at com.android.okhttp.internal.huc.HttpsURLConnectionImpl.getOutputStream(Unknown Source:0)
                at com.hhpos.inspection.remoteupdate.upgrade.reader.IDT_KIOSK_IV.sendDataToWebService(IDT_KIOSK_IV.java:591)
                at com.hhpos.inspection.remoteupdate.upgrade.reader.IDT_KIOSK_IV.startRemoteKeyInjection(IDT_KIOSK_IV.java:560)
                at com.hhpos.inspection.remoteupdate.upgrade.task.IDTECHRKIUpdateTask.onReceiveMsgRKIFailed(IDTECHRKIUpdateTask.java:201)
                at com.hhpos.inspection.remoteupdate.upgrade.reader.IDT_KIOSK_IV.startRemoteKeyInjection(IDT_KIOSK_IV.java:562)
                at com.hhpos.inspection.remoteupdate.upgrade.task.IDTECHRKIUpdateTask.onReceiveMsgRKIFailed(IDTECHRKIUpdateTask.java:201)
                at com.hhpos.inspection.remoteupdate.upgrade.reader.IDT_KIOSK_IV.startRemoteKeyInjection(IDT_KIOSK_IV.java:562)
                at com.hhpos.inspection.remoteupdate.upgrade.task.IDTECHRKIUpdateTask.onReceiveMsgRKIFailed(IDTECHRKIUpdateTask.java:201)
                at com.hhpos.inspection.remoteupdate.upgrade.reader.IDT_KIOSK_IV.startRemoteKeyInjection(IDT_KIOSK_IV.java:562)
                at com.hhpos.inspection.remoteupdate.upgrade.task.IDTECHRKIUpdateTask.onReceiveMsgRKIFailed(IDTECHRKIUpdateTask.java:201)
                at com.hhpos.inspection.remoteupdate.upgrade.reader.IDT_KIOSK_IV.startRemoteKeyInjection(IDT_KIOSK_IV.java:562)
                at com.hhpos.inspection.remoteupdate.upgrade.task.IDTECHRKIUpdateTask.processStep(IDTECHRKIUpdateTask.java:53)
                at com.hhpos.inspection.remoteupdate.upgrade.task.StepExecuter.prepareStepListAndExecute(StepExecuter.java:79)
                at com.hhpos.inspection.remoteupdate.upgrade.UpgradeManager.upgradeInstallationCheck(UpgradeManager.java:128)
                at com.hhpos.inspection.remoteupdate.upgradeservice.UpgradeMessengerService.lambda$initUpgradeProcess$5$UpgradeMessengerService(UpgradeMessengerService.java:148)
                at com.hhpos.inspection.remoteupdate.upgradeservice.-$$Lambda$UpgradeMessengerService$scw6CEKaLixMR64VyGJIWmfjCbY.subscribe(Unknown Source:4)
                at io.reactivex.rxjava3.internal.operators.single.SingleCreate.subscribeActual(SingleCreate.java:40)
                at io.reactivex.rxjava3.core.Single.subscribe(Single.java:4813)
                at io.reactivex.rxjava3.internal.operators.single.SingleSubscribeOn$SubscribeOnObserver.run(SingleSubscribeOn.java:89)
                at io.reactivex.rxjava3.internal.schedulers.ScheduledDirectTask.call(ScheduledDirectTask.java:38)
                at io.reactivex.rxjava3.internal.schedulers.ScheduledDirectTask.call(ScheduledDirectTask.java:26)
                at java.util.concurrent.FutureTask.run(FutureTask.java:266)
                at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1162)
                at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:636)
                at java.lang.Thread.run(Thread.java:764)
                
Caused by: java.security.cert.CertificateException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
                at com.android.org.conscrypt.TrustManagerImpl.checkTrustedRecursive(TrustManagerImpl.java:646)
                at com.android.org.conscrypt.TrustManagerImpl.checkTrustedRecursive(TrustManagerImpl.java:605)
                at com.android.org.conscrypt.TrustManagerImpl.checkTrustedRecursive(TrustManagerImpl.java:605)
                at com.android.org.conscrypt.TrustManagerImpl.checkTrusted(TrustManagerImpl.java:495)
                at com.android.org.conscrypt.TrustManagerImpl.checkTrusted(TrustManagerImpl.java:418)
                at com.android.org.conscrypt.TrustManagerImpl.getTrustedChainForServer(TrustManagerImpl.java:339)
                at android.security.net.config.NetworkSecurityTrustManager.checkServerTrusted(NetworkSecurityTrustManager.java:94)
                at android.security.net.config.RootTrustManager.checkServerTrusted(RootTrustManager.java:88)
                at com.android.org.conscrypt.Platform.checkServerTrusted(Platform.java:197)
                at com.android.org.conscrypt.ConscryptFileDescriptorSocket.verifyCertificateChain(ConscryptFileDescriptorSocket.java:399)
                at com.android.org.conscrypt.NativeCrypto.SSL_do_handshake(Native Method)
                at com.android.org.conscrypt.SslWrapper.doHandshake(SslWrapper.java:374)
                at com.android.org.conscrypt.ConscryptFileDescriptorSocket.startHandshake(ConscryptFileDescriptorSocket.java:217)
                ... 37 more
                
Caused by: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.



     

But when I am using same code from my foreground app I am able to access the web service without using any Certificate.

For using web service from my Background app I have to add below code snippet to add .bks certificate. Only then I am able to access the web service.

  try {
        KeyStore ksTrust = KeyStore.getInstance("BKS");
        InputStream instream = context.getResources().openRawResource(R.raw.mystore);
        ksTrust.load(instream, null);

        // TrustManager decides which certificate authorities to use.
        TrustManagerFactory tmf = TrustManagerFactory
                .getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ksTrust);
        SSLContext sslContext = SSLContext.getInstance("TLS");
        sslContext.init(null, tmf.getTrustManagers(), null);
        HttpsURLConnection.setDefaultSSLSocketFactory(sslContext.getSocketFactory());

    } catch (KeyStoreException | IOException | NoSuchAlgorithmException | KeyManagementException e) {
        logOperation.logInfo(LogInfoEvent.GENERAL_INFO, String.format("Error in doTrustToCertificates::", e.getStackTrace()));
    }

SO It is that Android has done something with Background App to restrict them in using web api without apt certificate.