Preparing Apps with Android Nougat (7.0) and Above
Android apps for Android Nougat (7.0) or higher need special configuration before they will trust ObservePoint's SSL certificate when using LiveConnect. This restriction protects your apps: HTTPS traffic on Android devices can be captured with LiveConnect (or any other proxy solution) only for apps that you directly control. See Changes to Trusted Certificate Authorities for more context.
The setup is easy, but it requires you to add a Network Security Configuration file to your app and to reference this file in your app's manifest. You then specify whether to grant trust across the entire app or only for connections to specific domains. Below is an example for trusting a custom CA, in addition to the system CAs.
- Install downloaded .pem file
- When using LiveConnect for Android devices, connect to ObservePoint’s proxy server by setting up the SSL certificate (instructions here). In order to support this without modifying your app's code, use debug overrides and specify debug-only CAs, which are trusted only when android:debuggable is set to true. Normally, IDEs and build tools set this flag automatically for non-release builds. You should specify that this only applies in debug builds of your application, so that production builds use the default trust profile.
For more details, consult the Android Developers guide. This is safer than the usual conditional code because, as a security precaution, app stores do not accept apps that are marked debuggable.
- Reference File in App’s Manifest
- The Network Security Configuration uses an XML file to define the settings for your app. You must include an entry in the manifest of your app that points to this file. The following code excerpt from a manifest demonstrates how to create this entry with an application element: set the attribute android:networkSecurityConfig="@xml/network_security_config" on <application> in the app's manifest (AndroidManifest.xml).
    <?xml version="1.0" encoding="utf-8"?>
    <manifest ... >
        <application android:networkSecurityConfig="@xml/network_security_config"
                     ... >
            ...
        </application>
    </manifest>
- Create res/xml/network_security_config.xml with content:
    <network-security-config>
        <debug-overrides>
            <trust-anchors>
                <!-- Trust user added CAs while debuggable only -->
                <certificates src="user" />
            </trust-anchors>
        </debug-overrides>
    </network-security-config>
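The following is an added example, not part of the original page or ObservePoint's own code: a check you could run in a build pipeline to confirm that extra trust anchors appear only under <debug-overrides>, so that production builds keep the default trust profile. The sample configs, the `audit` function name, the `@raw/proxy_ca` resource and the `example.com` domain are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the debug-only configuration shown on this page.
DEBUG_ONLY = """<network-security-config>
  <debug-overrides>
    <trust-anchors><certificates src="user" /></trust-anchors>
  </debug-overrides>
</network-security-config>"""

# Constructed sample: trust granted app-wide and per domain, outside
# <debug-overrides>, so it also applies to release builds.
RELEASE_WIDE = """<network-security-config>
  <base-config>
    <trust-anchors>
      <certificates src="system" />
      <certificates src="user" />
    </trust-anchors>
  </base-config>
  <domain-config>
    <domain includeSubdomains="true">example.com</domain>
    <trust-anchors><certificates src="@raw/proxy_ca" /></trust-anchors>
  </domain-config>
</network-security-config>"""


def audit(xml_text):
    """Return (scope, src) for each non-system trust anchor that sits
    outside <debug-overrides> and therefore needs review before release."""
    findings = []

    def walk(node, scope):
        for child in node:
            if child.tag == "debug-overrides":
                continue  # honoured only when android:debuggable is true
            if child.tag in ("base-config", "domain-config"):
                walk(child, child.tag)  # domain-config elements may nest
            elif child.tag == "trust-anchors":
                for cert in child.findall("certificates"):
                    src = cert.get("src", "")
                    if src != "system":
                        findings.append((scope, src))

    walk(ET.fromstring(xml_text), "root")
    return findings


if __name__ == "__main__":
    for name, cfg in (("debug-only", DEBUG_ONLY), ("release-wide", RELEASE_WIDE)):
        print(name, audit(cfg))
```

An empty result means every user-added or bundled CA is confined to debuggable builds; any returned entry is a trust anchor that would ship in a release build and should be reviewed.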