I'm trying to add a network-security-config which restricts connections to servers signed by a set of CAs that I've bundled in the app (actually in a library used by the app). I have an existing setup that works where the CAs are loaded into the trust store. Now that I added a network-security-config and try to test it, it doesn't seem to work.
Here is what I tried to do:
AndroidManifest.xml:
<application
...
android:networkSecurityConfig="@xml/network_security_configuration"
...
network-security-configuration.xml:
<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>
    <debug-overrides>
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </debug-overrides>
</network-security-config>
What I would expect with this new config is that connections are not allowed to servers that are signed by self-signed CAs such as the ones I have bundled. But when I run the app the connections work fine, so the network-security-configuration does not seem to work...
What I ultimately would like to do is to add my CAs to the trust-anchors:
<certificates src="@raw/my_ca" />
My setup:
App:
- Android App Gradle Plugin 7.0
- Targeting API 30
Library:
- Android App Gradle Plugin 7.0
- Targeting API 30
Phone:
- Samsung Galaxy S20
- Android 11 (=API 30)
Why is the network-security-configuration not applied?
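As an added illustration, not part of the question above: a small Python linter for a network-security-config file that reports when base-config trusts anything other than the intended bundled CA or does not disable cleartext, and notes when debug-overrides trusts user-installed CAs. The embedded config is constructed for this example and assumes the bundled CA resource is named @raw/my_ca.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not from the question: the config the post is aiming at,
# with the bundled CA (assumed resource name @raw/my_ca) as the only base anchor.
TARGET_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="@raw/my_ca" />
        </trust-anchors>
    </base-config>
    <debug-overrides>
        <trust-anchors>
            <certificates src="user" />
        </trust-anchors>
    </debug-overrides>
</network-security-config>
"""


def anchor_sources(section):
    """src values of every <certificates> under a section's <trust-anchors>."""
    return [c.get("src") for c in section.findall("./trust-anchors/certificates")]


def lint_nsc(xml_text, allowed_base_sources=("@raw/my_ca",)):
    """Return (severity, message) findings for a network-security-config.

    Errors: base-config or a top-level domain-config trusts an anchor outside
    allowed_base_sources, or cleartext is not explicitly disabled.
    Info: debug-overrides trusts user CAs (honoured only in debuggable builds).
    """
    root = ET.fromstring(xml_text)
    if root.tag != "network-security-config":
        return [("error", f"unexpected root element <{root.tag}>")]
    findings = []
    base = root.find("base-config")
    if base is None:
        findings.append(("error", "no <base-config>: platform default trust applies"))
    else:
        if base.get("cleartextTrafficPermitted") != "false":
            findings.append(("error", "base-config does not disable cleartext traffic"))
        for src in anchor_sources(base):
            if src not in allowed_base_sources:
                findings.append(("error", f"base-config trusts unexpected anchor: {src}"))
    for dc in root.findall("domain-config"):
        for src in anchor_sources(dc):
            if src not in allowed_base_sources:
                findings.append(("error", f"domain-config trusts unexpected anchor: {src}"))
    debug = root.find("debug-overrides")
    if debug is not None and "user" in anchor_sources(debug):
        findings.append(("info", "debug-overrides trusts user-installed CAs"))
    return findings
```

The linter only inspects the file; it cannot tell whether a given connection honours it, since code that installs its own TrustManager or SSLContext is not governed by the platform default trust that the config configures.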