I want to create two versions of my app:
- Debuggable by Charles
- Not debuggable by Charles (to prevent external users from tracing the traffic)
I already know that Nougat behaves differently, and in order to be make Nougat behave like Marshmallow and below I have to add the following xml (which is essentially the default behaviour for Marshmallow and below) -
<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
<base-config>
<trust-anchors>
<certificates src="system" />
<certificates src="user" />
</trust-anchors>
</base-config>
</network-security-config>
and then I have to add the following to the "application" tag in the manifest -
android:networkSecurityConfig="@xml/network_security_config"
My problem begins here: I'm creating two flavors in my app. One with the above xml (which works fine on both versions), and one with the same xml, only <certificates src="user" />
is removed, which is supposed to not be debuggable in Charles, on both versions.
I cannot debug it on Nougat, but for some reason, it is debuggable by Charles on Marshmallow. Why is that? And how can I fix it?