Network Security Configuration

Network Security Configuration

Android's Network Security Configuration (API 24+) lets an app declare its network security policy — which CAs are trusted, whether cleartext HTTP is allowed, certificate/public-key pins, and debug-only overrides — in an XML resource instead of code. The file only takes effect when the manifest's `<application>` element references it via `android:networkSecurityConfig="@xml/network_security_config"`.

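<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml

     The XML declaration must be the first bytes of the file, so this path
     note sits after it (a comment before <?xml ?> is a parse error and the
     resource compiler rejects the file).

     Reference this file from AndroidManifest.xml:
       <application android:networkSecurityConfig="@xml/network_security_config" ...>
     Without that attribute nothing below is applied. -->
<network-security-config>
    <!-- Default for every host not matched by a <domain-config> below:
         no cleartext HTTP, and only the system CA store is trusted
         (user-installed CAs are ignored for release traffic). -->
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>

    <!-- Pin api.example.com. includeSubdomains="true" extends the pin set to
         every subdomain, so any subdomain served with a key outside the set
         will fail to connect. Pins are SHA-256 hashes of the
         SubjectPublicKeyInfo (not the certificate) of the leaf or an
         intermediate, so a renewal that keeps the key pair still matches. -->
    <domain-config>
        <domain includeSubdomains="true">api.example.com</domain>
        <!-- After `expiration` the pins are silently no longer enforced
             (chains must still validate against the trust anchors). Track
             this date together with the server key-rotation plan so pinning
             does not quietly switch off. -->
        <pin-set expiration="2025-01-01">
            <!-- The two values below appear to be the example pins from the
                 Android documentation; replace them with the hashes of your
                 own keys. -->
            <pin digest="SHA-256">7HIpactkIAq2Y49orFOOQKurWxmmSFZhBCoQYcRhJ3Y=</pin>
            <!-- Backup pin: must belong to a DIFFERENT key pair that is held
                 offline and not in the served chain, so a key rotation or
                 compromise cannot lock out every installed build. -->
            <pin digest="SHA-256">fwza0LRMXouZHRC8Ei+4PyuldPDcf3UKgO/04cDM1oE=</pin>
        </pin-set>
    </domain-config>

    <!-- Honored only when the app is built with android:debuggable="true";
         release builds ignore this element, so a user-installed proxy CA
         cannot be used to intercept release traffic. Inside debug-overrides
         the certificates' overridePins attribute defaults to "true", i.e.
         chains issued by these CAs also bypass the pins above, which is what
         makes an intercepting proxy usable during development. -->
    <debug-overrides>
        <trust-anchors>
            <!-- Trust user-added CAs (e.g. a debugging proxy's CA) -->
            <certificates src="user" />
        </trust-anchors>
    </debug-overrides>
</network-security-config>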

Implementing certificate pinning with OkHttp. OkHttp's `CertificatePinner` pins the SHA-256 of the SubjectPublicKeyInfo, and `add("api.example.com", ...)` pins that exact host only (use `*.example.com` for subdomains). The `sha256/AAAA…` and `sha256/BBBB…` values in the listing are placeholders that can never match a real key — left as-is they make every connection to the pinned host fail — and the backup pin must be for a different key pair than the primary:

// Network security implementation
import okhttp3.*
import okhttp3.CertificatePinner
import java.io.IOException
import java.util.concurrent.TimeUnit
import javax.net.ssl.SSLPeerUnverifiedException

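/**
 * HTTP client for [PINNED_HOST] that enforces public-key pinning on top of the platform
 * trust store and tags requests to that host with the headers added by [SecurityInterceptor].
 *
 * Pinning notes:
 *  - OkHttp pins the SHA-256 of the SubjectPublicKeyInfo, not of the certificate, so a
 *    certificate renewal that keeps the key pair still matches.
 *  - The `sha256/AAAA…` and `sha256/BBBB…` values below are PLACEHOLDERS. They never match a
 *    real key, so until they are replaced every TLS connection to [PINNED_HOST] fails with
 *    [SSLPeerUnverifiedException]. Compute real values from the server's certificate, e.g.
 *    `openssl x509 -in cert.pem -pubkey -noout | openssl pkey -pubin -outform der
 *     | openssl dgst -sha256 -binary | base64`.
 *  - The backup pin must be for a DIFFERENT key pair, held offline and not in the served
 *    chain, so a key rotation or compromise cannot lock out installed builds.
 *  - A pin mismatch is reported to callers as `null` from [makeSecureRequest]; never fall
 *    back to an unpinned client when that happens.
 */
class SecureNetworkClient {

    private val certificatePinner = CertificatePinner.Builder()
        // Primary pin -- placeholder, replace with the SPKI hash of the live key.
        .add(PINNED_HOST, "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=")
        // Backup pin -- placeholder, must hash a different key pair than the primary.
        .add(PINNED_HOST, "sha256/BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=")
        .build()

    private val client = OkHttpClient.Builder()
        .certificatePinner(certificatePinner)
        .connectTimeout(CONNECT_TIMEOUT_SECONDS, TimeUnit.SECONDS)
        .readTimeout(READ_TIMEOUT_SECONDS, TimeUnit.SECONDS)
        // Application interceptor: attaches the custom headers to the request the app issued.
        .addInterceptor(SecurityInterceptor())
        .build()

    /**
     * Application interceptor that adds the app's request headers.
     *
     * Headers are added only for requests addressed to [PINNED_HOST], so the token and device
     * identifier are not handed to an arbitrary host a caller passes to [makeSecureRequest].
     * NOTE(review): an application interceptor sees only the request the app issued; if the
     * pinned host redirects, OkHttp copies request headers onto the follow-up request, so the
     * host check here does not cover redirect targets. Disable redirects on the client, or
     * move this to a network interceptor, if the token must never leave [PINNED_HOST] --
     * confirm against the OkHttp version in use.
     */
    class SecurityInterceptor : Interceptor {
        override fun intercept(chain: Interceptor.Chain): Response {
            val request = chain.request()
            // Requests to other hosts pass through untouched (OkHttp 4 property syntax).
            if (request.url.host != PINNED_HOST) {
                return chain.proceed(request)
            }

            val tagged = request.newBuilder()
                .header("X-Security-Token", generateSecurityToken())
                // getDeviceId() is not defined in this listing; assumed to be supplied elsewhere.
                // NOTE(review): a stable hardware identifier in a header is a tracking concern --
                // prefer an app-scoped random ID that changes on reinstall.
                .header("X-Device-ID", getDeviceId())
                .build()

            return chain.proceed(tagged)
        }

        /**
         * Returns the value sent as `X-Security-Token`.
         *
         * PLACEHOLDER: a fixed string gives the server nothing to verify and can be replayed by
         * anyone who observes a single request. A real implementation must return a keyed MAC
         * (e.g. HMAC-SHA256 via javax.crypto.Mac) over request-specific data such as method,
         * path and a timestamp/nonce, with the key generated in and never exported from the
         * Android Keystore -- never a key embedded in the APK. TODO(security): replace before
         * shipping.
         */
        private fun generateSecurityToken(): String = "secure_token"
    }

    /**
     * Issues a blocking GET for [url] and returns the response, or `null` when the request
     * could not be completed.
     *
     * Returns `null` on a pin mismatch ([SSLPeerUnverifiedException]) and on any other
     * [IOException] (connectivity, timeout, other TLS failures). A malformed [url] is rejected
     * by [Request.Builder.url] with [IllegalArgumentException] before the call is attempted,
     * and other runtime exceptions propagate as programming errors rather than being hidden.
     *
     * The caller owns the returned [Response] and must close it. [okhttp3.Call.execute] blocks,
     * so this must not run on the Android main thread.
     */
    fun makeSecureRequest(url: String): Response? {
        val request = Request.Builder()
            .url(url)
            .build()

        return try {
            client.newCall(request).execute()
        } catch (e: SSLPeerUnverifiedException) {
            // Pin mismatch: the server presented a key outside the pin set. Either an
            // uncoordinated key rotation or an interception attempt. Treat as a hard failure;
            // do not retry with relaxed pinning.
            null
        } catch (e: IOException) {
            // Network or non-pinning TLS failure.
            null
        }
    }

    companion object {
        /** Host whose key is pinned and which receives the custom headers. */
        private const val PINNED_HOST = "api.example.com"
        private const val CONNECT_TIMEOUT_SECONDS = 30L
        private const val READ_TIMEOUT_SECONDS = 30L
    }
}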