Android app is debuggable on Charles when not supposed to be (Nougat vs Marshmallow)

255 views Asked by At

I want to create two versions of my app:

  1. Debuggable by Charles
  2. Not debuggable by Charles (to prevent external users from tracing the traffic)

I already know that Nougat behaves differently, and in order to be make Nougat behave like Marshmallow and below I have to add the following xml (which is essentially the default behaviour for Marshmallow and below) -

<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
  <base-config>
      <trust-anchors>
         <certificates src="system" />
         <certificates src="user" />
      </trust-anchors>
   </base-config>
</network-security-config>

and then I have to add the following to the "application" tag in the manifest -

android:networkSecurityConfig="@xml/network_security_config"

My problem begins here: I'm creating two flavors in my app. One with the above xml (which works fine on both versions), and one with the same xml, only <certificates src="user" /> is removed, which is supposed to not be debuggable in Charles, on both versions.

I cannot debug it on Nougat, but for some reason, it is debuggable by Charles on Marshmallow. Why is that? And how can I fix it?

0

There are 0 answers