1 page.title= 2 page.keywords=androidn,security,network 3 page.image=images/cards/card-nyc_2x.jpg 4 5 @jd:body 6 7 <div id="tb-wrapper"> 8 <div id="tb"> 9 10 <h2></h2> 11 <ol> 12 <li><a href="#manifest"></a></li> 13 <li><a href="#CustomTrust"> CA </a> 14 <ol> 15 <li><a href="#ConfigCustom"> CA </a></li> 16 <li><a href="#LimitingCas"> CA </a></li> 17 <li><a href="#TrustingAdditionalCas"> CA </a></li> 18 </ol> 19 </li> 20 <li><a href="#TrustingDebugCa"> CA</a></li> 21 <li><a href="#UsesCleartextTraffic"> </a></li> 22 <li><a href="#CertificatePinning"></a></li> 23 <li><a href="#ConfigInheritance"></a></li> 24 <li><a href="#FileFormat"></a></li> 25 </ol> 26 </div> 27 </div> 28 29 30 <p> 31 Android N 32 33 34 35 36 </p> 37 38 <ul> 39 <li> 40 <b> :</b>CA 41 CA 42 43 44 </li> 45 46 <li> 47 <b>:</b> 48 49 </li> 50 51 <li> 52 <b> :</b> 53 54 </li> 55 56 <li> 57 <b>:</b> 58 59 </li> 60 </ul> 61 62 63 <h2 id="manifest"></h2> 64 65 <p> 66 XML 67 68 69 70 </p> 71 72 <pre> 73 <?xml version="1.0" encoding="utf-8"?> 74 <manifest ... > 75 <application ... > <!-- NOTE: this meta-data entry is the N Preview form; released API 24 builds are documented to reference the file with the android:networkSecurityConfig attribute on the application element. If the platform does not load the file, none of the settings in it take effect, so confirm the config is active on the target build. --> 76 <meta-data android:name="android.security.net.config" 77 android:resource="@xml/network_security_config" /> 78 ... 
79 </application> 80 </manifest> 81 </pre> 82 83 <h2 id="CustomTrust"> CA </h2> 84 85 <p> 86 CA 87 88 </p> 89 90 <ul> 91 <li> CA 92 93 </li> 94 95 <li> CA CA 96 97 </li> 98 99 <li> CA 100 </li> 101 </ul> 102 103 <p> 104 TLSHTTPS CA API 23Android M CA 105 106 {@code base-config} {@code domain-config} 107 108 109 110 </p> 111 112 113 <h3 id="ConfigCustom"> CA </h3> 114 115 <p> 116 SSL CA CA SSL 117 118 119 </p> 120 121 <p> 122 <code>res/xml/network_security_config.xml</code>: 123 <pre> 124 <?xml version="1.0" encoding="utf-8"?> 125 <network-security-config> 126 <domain-config> 127 <domain includeSubdomains="true">example.com</domain> 128 <trust-anchors> 129 <certificates src="@raw/my_ca"/> 130 </trust-anchors> 131 </domain-config> 132 </network-security-config> 133 </pre> 134 </p> 135 136 <p> 137 PEM DER CA 138 {@code res/raw/my_ca} 139 </p> 140 141 142 <h3 id="LimitingCas"> CA </h3> 143 144 <p> 145 CA CA 146 CA 147 148 </p> 149 150 <p> 151 CA <a href="#ConfigCustom"> CA </a> CA 152 153 </p> 154 155 <p> 156 <code>res/xml/network_security_config.xml</code>: 157 <pre> 158 <?xml version="1.0" encoding="utf-8"?> 159 <network-security-config> 160 <domain-config> 161 <domain includeSubdomains="true">secure.example.com</domain> 162 <domain includeSubdomains="true">cdn.example.com</domain> 163 <trust-anchors> 164 <certificates src="@raw/trusted_roots"/> 165 </trust-anchors> 166 </domain-config> 167 </network-security-config> 168 </pre> 169 </p> 170 171 <p> 172 PEM DER CA {@code res/raw/trusted_roots} 173 PEM PEM <em></em> 174 1 175 <a href="#certificates"><code><certificates></code></a> 176 177 </p> 178 179 180 <h3 id="TrustingAdditionalCas"> 181 CA 182 </h3> 183 184 <p> 185 CA CA CA Android 186 187 CA 188 189 190 </p> 191 <p> 192 <code>res/xml/network_security_config.xml</code>: 193 <pre> 194 <?xml version="1.0" encoding="utf-8"?> 195 <network-security-config> 196 <base-config> 197 <trust-anchors> 198 <certificates src="@raw/extracas"/> 199 <certificates src="system"/> 
200 </trust-anchors> 201 </base-config> 202 </network-security-config> 203 </pre> 204 </p> 205 206 207 <h2 id="TrustingDebugCa"> CA </h2> 208 209 <p> 210 HTTPS SSL 211 212 213 214 <i></i> {@code debug-overrides} <a href="{@docRoot}guide/topics/manifest/application-element.html#debug">android:debuggable</a> {@code true} CA 215 216 IDE 217 218 </p> 219 220 <p> 221 debuggable 222 223 224 </p> 225 226 <p> 227 <code>res/xml/network_security_config.xml</code>: 228 <pre> 229 <?xml version="1.0" encoding="utf-8"?> 230 <network-security-config> 231 <!-- anchors below are trusted only when android:debuggable is "true"; confirm release builds are not debuggable --> <debug-overrides> 232 <trust-anchors> 233 <certificates src="@raw/debug_cas"/> 234 </trust-anchors> 235 </debug-overrides> 236 </network-security-config> 237 </pre> 238 </p> 239 240 241 <h2 id="UsesCleartextTraffic"> </h2> 242 243 <p> 244 HTTPS HTTP 245 246 URL 247 248 249 {@link android.security.NetworkSecurityPolicy#isCleartextTrafficPermitted 250 NetworkSecurityPolicy.isCleartextTrafficPermitted()} 251 </p> 252 253 <p> 254 {@code 255 secure.example.com} HTTPS 256 257 </p> 258 259 <p> 260 <code>res/xml/network_security_config.xml</code>: 261 <pre> 262 <?xml version="1.0" encoding="utf-8"?> 263 <network-security-config> 264 <!-- NOTE: this page spells the attribute usesCleartextTraffic here and cleartextTrafficPermitted in the inheritance sample; released API 24 builds document cleartextTrafficPermitted. An unrecognised attribute may leave cleartext allowed, so check the result with NetworkSecurityPolicy.isCleartextTrafficPermitted(). --> <domain-config usesCleartextTraffic="false"> 265 <domain includeSubdomains="true">secure.example.com</domain> 266 </domain-config> 267 </network-security-config> 268 </pre> 269 </p> 270 271 272 <h2 id="CertificatePinning"></h2> 273 274 <p> 275 CA CA MiTM 276 277 CA 278 279 </p> 280 281 <p> 282 X.509 SubjectPublicKeyInfo 283 1 284 285 286 </p> 287 288 <p> 289 CA CA CA 290 291 292 293 294 </p> 295 296 <p> 297 298 299 300 301 </p> 302 303 <p> 304 <code>res/xml/network_security_config.xml</code>: 305 <pre> 306 <?xml version="1.0" encoding="utf-8"?> 307 <network-security-config> 308 <domain-config> 309 <domain includeSubdomains="true">example.com</domain> 310 <!-- once the expiration date passes, pinning is no longer enforced for this domain; ship updated pins before then --> <pin-set expiration="2018-01-01"> 311 <pin digest="SHA-256">7HIpactkIAq2Y49orFOOQKurWxmmSFZhBCoQYcRhJ3Y=</pin> 312 <!-- backup pin --> 313 <pin 
digest="SHA-256">fwza0LRMXouZHRC8Ei+4PyuldPDcf3UKgO/04cDM1oE=</pin> 314 </pin-set> 315 </domain-config> 316 </network-security-config> 317 </pre> 318 </p> 319 320 321 <h2 id="ConfigInheritance"></h2> 322 323 <p> 324 325 326 </p> 327 328 <p> 329 330 {@code domain-config} {@code domain-config} {@code 331 base-config} 332 {@code base-config} 333 334 </p> 335 336 <p> 337 {@code 338 example.com} CA {@code 339 secure.example.com} <em></em> 340 {@code example.com} {@code 341 secure.example.com} 342 {@code trust-anchors} 343 </p> 344 345 <p> 346 <code>res/xml/network_security_config.xml</code>: 347 <pre> 348 <?xml version="1.0" encoding="utf-8"?> 349 <network-security-config> 350 <domain-config> 351 <domain includeSubdomains="true">example.com</domain> 352 <trust-anchors> 353 <certificates src="@raw/my_ca"/> 354 </trust-anchors> 355 <!-- NOTE: spelled cleartextTrafficPermitted here but usesCleartextTraffic in the cleartext sample and the syntax reference on this page; use the spelling documented for the SDK you build against --> <domain-config cleartextTrafficPermitted="false"> 356 <domain includeSubdomains="true">secure.example.com</domain> 357 </domain-config> 358 </domain-config> 359 </network-security-config> 360 </pre> 361 </p> 362 363 364 <h2 id="FileFormat"></h2> 365 366 <p> 367 XML 368 369 </p> 370 371 <pre> 372 <?xml version="1.0" encoding="utf-8"?> 373 <network-security-config> 374 <base-config> 375 <trust-anchors> 376 <certificates src="..."/> 377 ... 378 </trust-anchors> 379 </base-config> 380 381 <domain-config> 382 <domain>android.com</domain> 383 ... 384 <trust-anchors> 385 <certificates src="..."/> 386 ... 387 </trust-anchors> 388 <pin-set> 389 <pin digest="...">...</pin> 390 ... 391 </pin-set> 392 </domain-config> 393 ... 394 <debug-overrides> 395 <trust-anchors> 396 <certificates src="..."/> 397 ... 
398 </trust-anchors> 399 </debug-overrides> 400 </network-security-config> 401 </pre> 402 403 <p> 404 405 406 </p> 407 408 <h3 id="network-security-config"> 409 <network-security-config> 410 </h3> 411 412 <dl class="xml"> 413 <dt> 414 : 415 </dt> 416 417 <dd> 418 0 1 <code><a href="#base-config"><base-config></a></code><br> 419 <code><a href= 420 "#domain-config"><domain-config></a></code><br> 421 0 1 <code><a href="#debug-overrides"><debug-overrides></a></code> 422 </dd> 423 </dl> 424 425 <h3 id="base-config"> 426 <base-config> 427 </h3> 428 429 <dl class="xml"> 430 <dt> 431 : 432 </dt> 433 </dl> 434 435 <pre class="stx"> 436 <base-config <a href= 437 "#usesCleartextTraffic">usesCleartextTraffic</a>=["true" | "false"]> 438 ... 439 </base-config> 440 </pre> 441 <dl class="xml"> 442 <dt> 443 : 444 </dt> 445 446 <dd> 447 <code><a href="#trust-anchors"><trust-anchors></a></code> 448 </dd> 449 450 <dt> 451 : 452 </dt> 453 454 <dd> 455 <a href="#domain-config"><code>domain-config</code></a> 456 457 458 <p> 459 API 24 460 461 </p> 462 463 <pre> 464 <base-config usesCleartextTraffic="true"> 465 <trust-anchors> 466 <certificates src="system" /> 467 </trust-anchors> 468 </base-config> 469 </pre> 470 API 23 471 <pre> 472 <base-config usesCleartextTraffic="true"> 473 <trust-anchors> 474 <certificates src="system" /> 475 <certificates src="user" /> 476 </trust-anchors> 477 </base-config> 478 </pre> 479 480 </dd> 481 </dl> 482 483 <h3 id="domain-config"><domain-config></h3> 484 <dl class="xml"> 485 <dt>:</dt> 486 <dd> 487 <pre class="stx"><domain-config <a href="#usesCleartextTraffic">usesCleartextTraffic</a>=["true" | "false"]> 488 ... 
489 </domain-config></pre> 490 </dd> 491 492 <dt>:</dt> 493 494 <dd> 495 1 <code><a href="#domain"><domain></a></code> 496 <br/>0 1 <code><a href="#trust-anchors"><trust-anchors></a></code> 497 <br/>0 1 <code><a href="#pin-set"><pin-set></a></code> 498 <br/> <code><domain-config></code></dd> 499 500 <dt></dt> 501 <dd>{@code domain} 502 503 <p> {@code domain-config} 504 </p></dd> 505 </dl> 506 507 508 <h3 id="domain"><domain></h3> 509 510 <dl class="xml"> 511 <dt> 512 : 513 </dt> 514 515 <dd> 516 <pre class="stx"> 517 <domain includeSubdomains=["true" | "false"]>example.com</domain> 518 </pre> 519 </dd> 520 521 <dt> 522 : 523 </dt> 524 525 <dd> 526 <dl class="attr"> 527 <dt> 528 {@code includeSubdomains} 529 </dt> 530 531 <dd> 532 {@code "true"} 533 534 535 </dd> 536 </dl> 537 </dd> 538 539 <dt> 540 : 541 </dt> 542 </dl> 543 544 <h3 id="debug-overrides"><debug-overrides></h3> 545 546 <dl class="xml"> 547 <dt> 548 : 549 </dt> 550 551 <dd> 552 <pre class="stx"> 553 <debug-overrides> 554 ... 555 </debug-overrides> 556 </pre> 557 </dd> 558 559 <dt> 560 : 561 </dt> 562 563 <dd> 564 0 1 <code><a href="#trust-anchors"><trust-anchors></a></code> 565 </dd> 566 567 <dt> 568 : 569 </dt> 570 571 <dd> 572 <a href="{@docRoot}guide/topics/manifest/application-element.html#debug">android:debuggable</a> {@code "true"} IDE 573 574 {@code 575 debug-overrides} 576 577 <a href="{@docRoot}guide/topics/manifest/application-element.html#debug">android:debuggable</a> {@code "false"} 578 579 </dd> 580 </dl> 581 582 <h3 id="trust-anchors"><trust-anchors></h3> 583 <dl class="xml"> 584 <dt> 585 : 586 </dt> 587 588 <dd> 589 <pre class="stx"> 590 <trust-anchors> 591 ... 
592 </trust-anchors> 593 </pre> 594 </dd> 595 596 <dt> 597 : 598 </dt> 599 600 <dd> 601 <code><a href="#certificates"><certificates></a></code> 602 </dd> 603 604 <dt> 605 : 606 </dt> 607 608 <dd> 609 610 </dd> 611 </dl> 612 613 614 <h3 id="certificates"><certificates></h3> 615 <dl class="xml"> 616 <dt>:</dt> 617 <dd><pre class="stx"><certificates src=["system" | "user" | "<i>raw resource</i>"] 618 overridePins=["true" | "false"] /> 619 </pre></dd> 620 <dt>:</dt> 621 <dd>{@code trust-anchors} X.509 </dd> 622 623 <dt>:</dt> 624 <dd><dl class="attr"> 625 <dt>{@code src}</dt> 626 <dd> 627 CA 628 <ul> 629 <li>X.509 ID 630 DER PEM PEM PEM 631 <em></em> 632 633 </li> 634 635 <li>{@code "system"}: CA 636 </li> 637 638 <li>{@code "user"}: CA 639 </li> 640 </ul> 641 </dd> 642 643 <dt>{@code overridePins}</dt> 644 <dd> 645 <p> 646 CA {@code 647 "true"} CA 648 CA MiTM 649 650 </p> 651 652 <p> 653 {@code "false"} {@code debug-overrides} {@code "true"} 654 655 </p> 656 </dd> 657 </dl> 658 </dd> 659 </dl> 660 661 <h3 id="pin-set"><pin-set></h3> 662 663 <dl class="xml"> 664 <dt> 665 : 666 </dt> 667 668 <dd> 669 <pre class="stx"> 670 <pin-set expiration="date"> 671 ... 
672 </pin-set> 673 </pre> 674 </dd> 675 676 <dt> 677 : 678 </dt> 679 680 <dd> 681 <code><a href="#pin"><pin></a></code> 682 </dd> 683 684 <dt> 685 : 686 </dt> 687 688 <dd> 689 690 691 <code><a href="#pin"><pin></a></code> 692 </dd> 693 694 <dt> 695 : 696 </dt> 697 698 <dd> 699 <dl class="attr"> 700 <dt> 701 {@code expiration} 702 </dt> 703 704 <dd> 705 {@code yyyy-MM-dd} 706 707 708 <p> 709 710 711 712 </p> 713 </dd> 714 </dl> 715 </dd> 716 </dl> 717 718 <h3 id="pin"><pin></h3> 719 <dl class="xml"> 720 <dt> 721 : 722 </dt> 723 724 <dd> 725 <pre class="stx"> 726 <pin digest=["SHA-256"]>base64 encoded digest of X.509 727 SubjectPublicKeyInfo (SPKI)</pin> 728 </pre> 729 </dd> 730 731 <dt> 732 : 733 </dt> 734 735 <dd> 736 <dl class="attr"> 737 <dt> 738 {@code digest} 739 </dt> 740 741 <dd> 742 PIN 743 {@code "SHA-256"} 744 </dd> 745 </dl> 746 </dd> 747 </dl> 748