Android Certificate Handling
Android Certificate Handling
Android's certificate handling varies by version and manufacturer. Since Android 7.0 (API 24) the platform provides Network Security Config, which lets each app declare its own trust anchors, cleartext policy and certificate pins; on these versions apps by default trust only the system CA store and ignore user-installed CAs unless the app explicitly opts in (or is a debuggable build with `debug-overrides`). Installing a user CA still needs no special privilege, but adding a CA to the system store, which every app trusts, requires root.
Android Network Security Config:
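<?xml version="1.0" encoding="utf-8"?>
<!--
  res/xml/network_security_config.xml

  Wired in via android:networkSecurityConfig="@xml/network_security_config" on the
  manifest <application>. Only honored on API 24+; older releases ignore this file.
  The XML declaration must be the very first thing in the file, so this comment
  sits after it rather than before.
-->
<network-security-config>

  <!-- Cleartext is allowed only for 10.0.2.2, the emulator's alias for the host
       machine's loopback. Every other host keeps the platform default, which on
       API 28+ blocks cleartext. Do not widen this to real hostnames. -->
  <domain-config cleartextTrafficPermitted="true">
    <domain includeSubdomains="true">10.0.2.2</domain>
  </domain-config>

  <!-- Production API pinning. Each pin is the base64 SHA-256 of the certificate's
       SubjectPublicKeyInfo (the key, not the whole certificate), so the pin survives
       re-issuance with the same key. Ship at least two pins: the live key and an
       offline backup key, so a rotation does not brick installed clients.
       CAUTION: once `expiration` passes, Android silently stops enforcing the pins
       (fail-open), so the date must be tracked against the release cadence.
       The values below are placeholders; replace them with real pins. -->
  <domain-config>
    <domain includeSubdomains="true">api.example.com</domain>
    <pin-set expiration="2024-12-31">
      <pin digest="SHA-256">base64==</pin>
      <pin digest="SHA-256">backup64==</pin>
    </pin-set>
  </domain-config>

  <!-- Applied only when the app is built with android:debuggable="true"; release
       builds ignore this block entirely. This is what lets a debug build trust a
       user-installed CA (for example an intercepting proxy) without loosening the
       production trust store. -->
  <debug-overrides>
    <trust-anchors>
      <certificates src="user" />
    </trust-anchors>
  </debug-overrides>

</network-security-config>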