Preparing Apps with Android Nougat (7.0) and Above

Android apps for the Nougat OS (7.0) or higher need special configuration to allow them to trust ObservePoint's SSL certificate when using LiveConnect. This protects your apps so that you have the ability to capture HTTPS traffic on Android devices using LiveConnect (or any other proxy solution) only for apps that you directly control. See Changes to Trusted Certificate Authorities for more context.

The setup however is easy, but will require you to add a Network Security Configuration File to your app and add a reference to this file in your app’s manifest. You then specify whether to grant trust across the entire app or only for connections to specific domains. Below is an example for trusting a custom CA, in addition to the system CAs.

Step 1

  • Install downloaded .pem file
  • When using LiveConnect for Android devices, connect to ObservePoint’s proxy server by setting up the SSL certificate (instructions here). In order to support this without modifying your app's code, use debug overrides and specify debug-only CAs, which are trusted only when android:debuggable is set to true. Normally, IDEs and build tools set this flag automatically for non-release builds. For more details consult the Android Developers guide. This is safer than the usual conditional code because, as a security precaution, app stores do not accept Apps which are marked debuggable.

Step 2

  • Reference File in App’s Manifest
  • The Network Security Configuration uses an XML file to define the settings for your app. You must include an entry in the manifest of your app that points to this file. The following code excerpt from a manifest demonstrates how to create this entry with an application element: set the attribute android:networkSecurityConfig="@xml/network_security_config to <application> at Manifest.xml.
Example
<?xml version="1.0" encoding="utf-8"?>
<manifest ... >
   <application android:networkSecurityConfig ="@xml/network_
security_config" ... >
...
</application>
  </manifest>
</xml>

Step 3

    • Create res/xml/network_security_config.xml with content:
<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
  <base-config>
  <trust-anchors>
<certificates src="system" />
<certificates src="user" />
   </trust-anchors>
 </base-config>
 <debug-overrides>
  <trust-anchors>
   <certificates src="user"/>
  </trust-anchors>
 </debug-overrides>
</network-security-config>
Did this answer your question? Thanks for the feedback There was a problem submitting your feedback. Please try again later.