Backporting Android N Network Security Configuration
The N Developer Preview gave us the network security configuration feature. This makes it rather easy to:
- Use self-signed certificates for your HTTPS requests, such as for debug builds
- Support unusual certificate authorities, ones that Android itself lacks support for
- Limit HTTPS requests to a specific authority, such as tying requests to your server to an authority that you use, to help reduce the odds that someone will be able to generate fraudulent certificates and implement a Martian-in-the-middle (MITM) attack
- Go one step further and pin your HTTPS requests to a specific certificate
- And so on
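As an added illustration (not taken from this post), here is a network security configuration file that exercises the first three bullets: a self-signed certificate trusted only in debuggable builds, a private CA plus public-key pins for one host, and the system trust store for everything else. The host name, resource names and pin values are placeholders, not real ones.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml, referenced from the manifest via
     android:networkSecurityConfig on <application>. Host and resource names
     are placeholders. -->
<network-security-config>
    <!-- Debug builds only: also trust the self-signed cert in res/raw/debug_ca.
         This block is ignored unless the app is android:debuggable. -->
    <debug-overrides>
        <trust-anchors>
            <certificates src="@raw/debug_ca"/>
        </trust-anchors>
    </debug-overrides>

    <!-- Requests to this host: trust only the CA bundled as res/raw/my_ca,
         not the system store, and additionally pin the server's public key. -->
    <domain-config>
        <domain includeSubdomains="true">api.example.com</domain>
        <trust-anchors>
            <certificates src="@raw/my_ca"/>
        </trust-anchors>
        <!-- After the expiration date the pins stop being enforced, so a
             forgotten rotation degrades to CA validation instead of an outage -->
        <pin-set expiration="2018-01-01">
            <!-- Base64 SHA-256 of the SubjectPublicKeyInfo; placeholder values -->
            <pin digest="SHA-256">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=</pin>
            <!-- Backup pin for a key held offline, so rotation does not lock users out -->
            <pin digest="SHA-256">BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=</pin>
        </pin-set>
    </domain-config>

    <!-- Everything else: the device's system CAs only -->
    <base-config>
        <trust-anchors>
            <certificates src="system"/>
        </trust-anchors>
    </base-config>
</network-security-config>
```

The pin-set is the part that most often bites in production: a pin with no backup and no expiration means a routine key rotation on the server breaks every installed copy of the app until an update ships.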
The v24 edition of the Android Support Library does not appear to contain a backport of network security configuration. With luck, someday, it will have one.
In the meantime, though, I backported it myself.
The CWAC-NetSecurity library is the home of this backport. It uses the NDP4 code from the AOSP for the network security configuration implementation, with minor adjustments to get it to build going back to API Level 17 (Android 4.2). Adding it to your project is a matter of:
- Getting the native network security configuration working on an Android N test environment
- Adding the CWAC-NetSecurity library to your project
- Adding a few lines of code to configure OkHttp3 or HttpURLConnection to apply the network security configuration rules
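The third step, wiring the backport's trust manager into an HTTP client, looks roughly like the following. This is an added example, not code from the post or from CWAC-NetSecurity: it shows the standard OkHttp3 and javax.net.ssl calls that any such bridge reduces to, and leaves the library-specific part behind a hypothetical `TrustManagerSource` interface that stands in for whatever builder produces the `X509TrustManager`. On API 24 and up the platform applies the manifest configuration itself, so the bridge is skipped there.

```java
import android.os.Build;

import java.security.KeyManagementException;
import java.security.NoSuchAlgorithmException;

import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

import okhttp3.OkHttpClient;

public final class NetSecWiring {
  private NetSecWiring() {}

  // Hypothetical: a stand-in for the object that builds an X509TrustManager
  // from the network security configuration (e.g., a backport's builder).
  // This example does not define an implementation of it.
  public interface TrustManagerSource {
    X509TrustManager load();
  }

  // Wrap a trust manager in an SSLSocketFactory. Only trust is customized;
  // key managers and SecureRandom stay at their platform defaults.
  public static SSLSocketFactory socketFactoryFor(X509TrustManager tm)
      throws NoSuchAlgorithmException, KeyManagementException {
    SSLContext ctx = SSLContext.getInstance("TLS");
    ctx.init(null, new TrustManager[] { tm }, null);
    return ctx.getSocketFactory();
  }

  // OkHttp3 client that uses the supplied trust manager on pre-N devices and
  // the platform's own (manifest-driven) validation on N and later.
  public static OkHttpClient okHttpClient(TrustManagerSource src)
      throws NoSuchAlgorithmException, KeyManagementException {
    OkHttpClient.Builder b = new OkHttpClient.Builder();
    if (Build.VERSION.SDK_INT < Build.VERSION_CODES.N) {
      X509TrustManager tm = src.load();
      // Pass the trust manager alongside the factory: OkHttp3 needs it to
      // clean certificate chains without falling back to reflection.
      b.sslSocketFactory(socketFactoryFor(tm), tm);
    }
    return b.build();
  }

  // Same rules applied to a single HttpsURLConnection before connect().
  public static void apply(HttpsURLConnection conn, TrustManagerSource src)
      throws NoSuchAlgorithmException, KeyManagementException {
    if (Build.VERSION.SDK_INT < Build.VERSION_CODES.N) {
      conn.setSSLSocketFactory(socketFactoryFor(src.load()));
    }
  }
}
```

One caveat when building your own bridge this way: a trust manager plugged into an `SSLContext` is handed the certificate chain but not the host name, so rules that depend on which host is being contacted need a hostname-aware check rather than this bare wiring. That is the gap a client-specific integration exists to close.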
Along the way, I added a few more options, such as the ability to choose the configuration to use on the fly, rather than have to use the one defined in the manifest, as the native implementation requires.
CWAC-NetSecurity is optimized for use with OkHttp3. Some network security configuration features are available to HttpURLConnection, and there are instructions for building bridges to other HTTP client APIs. Or, use the backport directly, bypassing my TrustManagerBuilder wrapper.
TrustManagerBuilder had resided in the CWAC-Security library. I moved it into CWAC-NetSecurity, deprecating the version in CWAC-Security.
Until Android N transmogrifies into a nougat-flavored Android 7.0, CWAC-NetSecurity is in a pre-release state. I will upgrade CWAC-NetSecurity to use newer AOSP code as it is released, such as when the AOSP code for Android 7.0 ships. A table in the project README tracks library versions and corresponding AOSP code bases.
Bug reports are welcome, if I can reproduce the bugs. :-)