Select to view content in your preferred language

Android network security configuration not working

4000
0
11-19-2019 09:49 AM
PlinioSantos
Regular Contributor

I'm developing an android app using ArcGIS Runtime SDK for Android 100.6.0 and it is getting a SSLHandshakeException since I updated my app to use a network security config.

The app do requests to two servers. One of them is a REST API in a develpment server accessible only in my company network. The other one is a public server running an ArcGIS Server. The ArcGIS Server's domain is able to communicate over TLS 1.2.

So, I expect everything to works just adding a rule to my private development server. This is the content of my network security config:

<?xml version="1.0" encoding="utf-8"?>
<network-security-config xmlns:android="http://schemas.android.com/apk/res/android">
    <domain-config cleartextTrafficPermitted="true">
        <domain includeSubdomains="true">172.17.1.14</domain>
    </domain-config>
</network-security-config>‍‍‍‍‍‍

Unfortunately, any requests to my ArcGIS Server (using ArcGIS Runtime SDK for Android) are resulting in the following exception:

Caused by: java.security.cert.CertificateException: Domain specific configurations require that hostname aware checkServerTrusted(X509Certificate[], String, String) is used
        at android.security.net.config.RootTrustManager.checkServerTrusted(RootTrustManager.java:111)
        at com.esri.arcgisruntime.internal.e.a.a.checkServerTrusted(SourceFile:161)
        at com.android.org.conscrypt.Platform.checkServerTrusted(Platform.java:212)
        at com.android.org.conscrypt.ConscryptFileDescriptorSocket.verifyCertificateChain(ConscryptFileDescriptorSocket.java:404)
        at com.android.org.conscrypt.NativeCrypto.SSL_do_handshake(Native Method)
        at com.android.org.conscrypt.NativeSsl.doHandshake(NativeSsl.java:375)
        at com.android.org.conscrypt.ConscryptFileDescriptorSocket.startHandshake(ConscryptFileDescriptorSocket.java:224)

Since my ArcGIS Server server has a valid certificate and is TLS 1.2 aware, it would not happen, right?

The following network security config works fine, but it is insecure:

<?xml version="1.0" encoding="utf-8"?>
<network-security-config xmlns:android="http://schemas.android.com/apk/res/android">
    <base-config cleartextTrafficPermitted="true">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>
</network-security-config>

In addiction, I read that Facebook's Audience Network Android SDK also experienced issues with the network security configuration because they cache files at localhost. I've tried the same solution proposed by them but it also didn't work: https://developers.facebook.com/docs/audience-network/android-network-security-config/

What did I have done wrong? Does the Runtime SDK do intermediate requests like FB? Sniffing the android emulator network did not show up any requests other then expected.

0 Kudos
0 Replies