I am learning network security configuration in Android. Here is my configuration file
<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
<base-config cleartextTrafficPermitted="true">
<trust-anchors>
<certificates src="system" />
<certificates src="user" />
</trust-anchors>
</base-config>
<domain-config cleartextTrafficPermitted="false">
<domain includeSubdomains="true">*.xx.com</domain>
<pin-set expiration="2031-05-01">
<!-- these two are certificates in *.xx.com certificate chains -->
<pin digest="SHA-256">8Rxjasdfk7jjlasdnP6sdkxnjkkqaGZfjnxkynxndA=</pin>
<pin digest="SHA-256">K0z9yJZklpaxAjkasxYjkLsUzxdUoewxj1z3z8lNgA=</pin>
</pin-set>
</domain-config>
</network-security-config>
When I use Charles to capture the network traffic, urls under *.xx.com still can be loaded normally. In my thoughts, configuration <pin-set> would make connection failed since the certificates from Charles can't pass the certificate pinning validation.
If I remove <certificates src="user"/>, the certificate pinning works and urls under *.xx.com can't be loaded. I doubt trusting user certificates make certificate pinning out of work. Do I make something wrong?
I made a mistake. The domain should be xx.com here not *.xx.com, while *.xx.com is used in OkHttp CertificatePinner.