Preparing Apps with Android Nougat (7.0) and Above
Android apps running on Nougat (7.0) or higher need special configuration before they will trust ObservePoint's SSL certificate when using LiveConnect. Without it, you will see unsuccessful status codes after connecting to the LiveConnect proxy, along with responses indicating that the SSL handshake failed because the installed certificate is not trusted.
This security measure protects your apps: you can capture HTTPS traffic on Android devices using LiveConnect (or any other proxy solution) only for apps that you directly control.
Note: See Changes to Trusted Certificate Authorities for more context.
The setup is easy, but it requires you to add a Network Security Configuration file to your app and reference that file in your app’s manifest. You then specify whether to grant trust across the entire app or only for connections to specific domains. Below is an example for trusting a custom Certificate Authority (CA) in addition to the system CAs.
- Download and install the certificate (if you haven't already); instructions are in this help doc.
- When using LiveConnect for Android devices, connect to ObservePoint’s proxy server by setting up the SSL certificate (instructions here). In order to support this without modifying your app's code, use debug overrides and specify debug-only CAs, which are trusted only when android:debuggable is set to true.
Note: Normally, Integrated Development Environments (IDEs) and build tools set this flag automatically for non-release builds.
- You should specify that this only applies in debug builds of your application, so that production builds use the default trust profile.
Note: For more details, consult the Android Developers guide. This is safer than the usual conditional code because, as a security precaution, app stores do not accept apps that are marked debuggable.
- Reference the file in your mobile app’s manifest file
- The Network Security Configuration uses an XML file to define the settings for your app. You must include an entry in the manifest of your app that points to this file. The following code excerpt from a manifest demonstrates how to create this entry with an application element: set the attribute android:networkSecurityConfig="@xml/network_security_config" on <application> in your app's manifest file (AndroidManifest.xml).
    <?xml version="1.0" encoding="utf-8"?>
    <manifest ... >
        <application android:networkSecurityConfig="@xml/network_security_config"
                     ... >
            ...
        </application>
    </manifest>
Note: See this guide for more details.
- Create res/xml/network_security_config.xml with content:
    <network-security-config>
        <debug-overrides>
            <trust-anchors>
                <!-- Trust user added CAs while debuggable only -->
                <certificates src="user" />
            </trust-anchors>
        </debug-overrides>
    </network-security-config>
Note: See More Info for more details.
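A build-time check for the debug-only requirement described above, as an added example that is not ObservePoint's or Android's own code: it parses a network security configuration and reports every `<certificates src="user" />` entry that sits outside `<debug-overrides>` and would therefore also apply to release builds. The function name and both sample configurations (including the domain example.com) are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the debug-only configuration this page recommends.
DEBUG_ONLY = """<network-security-config>
    <debug-overrides>
        <trust-anchors>
            <certificates src="user" />
        </trust-anchors>
    </debug-overrides>
</network-security-config>"""

# Constructed sample: user CAs trusted app-wide and for one domain,
# which also takes effect in release builds.
APP_WIDE = """<network-security-config>
    <base-config>
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />
        </trust-anchors>
    </base-config>
    <domain-config>
        <domain includeSubdomains="true">example.com</domain>
        <trust-anchors>
            <certificates src="user" />
        </trust-anchors>
    </domain-config>
</network-security-config>"""

def release_user_ca_findings(xml_text):
    """Return paths of <certificates src="user"> that apply outside debug builds."""
    root = ET.fromstring(xml_text)
    findings = []

    def walk(node, path, in_debug):
        here = f"{path}/{node.tag}"
        # Everything below <debug-overrides> is ignored unless the app is debuggable.
        in_debug = in_debug or node.tag == "debug-overrides"
        if node.tag == "certificates" and node.get("src") == "user" and not in_debug:
            findings.append(here)
        for child in node:
            walk(child, here, in_debug)

    walk(root, "", False)
    return findings

if __name__ == "__main__":
    for name, text in (("debug-only", DEBUG_ONLY), ("app-wide", APP_WIDE)):
        hits = release_user_ca_findings(text)
        print(name, "OK" if not hits else f"user CAs trusted in release builds: {hits}")
```

Run against res/xml/network_security_config.xml in CI, a non-empty result is a reason to fail the release build.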