      1 page.title=  
      2 page.keywords=androidn,security,network
      3 page.image=images/cards/card-nyc_2x.jpg
      4 
      5 @jd:body
      6 
      7 <div id="tb-wrapper">
      8 <div id="tb">
      9 
     10 <h2> </h2>
     11 <ol>
     12   <li><a href="#manifest">   </a></li>
     13   <li><a href="#CustomTrust">  </a>
     14       <ol>
     15       <li><a href="#ConfigCustom">   </a></li>
     16       <li><a href="#LimitingCas">   </a></li>
     17       <li><a href="#TrustingAdditionalCas">    </a></li>
     18       </ol>
     19   </li>
     20   <li><a href="#TrustingDebugCa">  </a></li>
     21   <li><a href="#UsesCleartextTraffic">     </a></li>
     22   <li><a href="#CertificatePinning"> </a></li>
     23   <li><a href="#ConfigInheritance">   </a></li>
     24   <li><a href="#FileFormat">  </a></li>
     25 </ol>
     26 </div>
     27 </div>
     28 
     29 
     30 <p>
     31    Android N   "  ",
     32          
     33         .   
     34       . 
     35    :
     36 </p>
     37 
     38 <ul>
     39   <li>
     40     <b>  .</b>     ()
     41     .   
     42        
     43    ,   .
     44   </li>
     45 
     46   <li>
     47     <b>  .</b>     
     48       .
     49   </li>
     50 
     51   <li>
     52     <b>     .</b>   
     53      .
     54   </li>
     55 
     56   <li>
     57     <b> .</b>    
     58   .
     59   </li>
     60 </ul>
     61 
     62 
     63 <h2 id="manifest">   </h2>
     64 
     65 <p>
     66         XML,    
     67    .       
     68  ,    .      
     69  ,    :
     70 </p>
     71 
     72 <pre>
     73 &lt;?xml version="1.0" encoding="utf-8"?&gt;
     74 ...
     75 &lt;app ...&gt;
     76     &lt;meta-data android:name="android.security.net.config"
     77                android:resource="@xml/network_security_config" /&gt;
     78     ...
     79 &lt;/app&gt;
     80 </pre>
     81 
     82 <h2 id="CustomTrust">  </h2>
     83 
     84 <p>
     85            ()    ,   .
     86    :
     87 </p>
     88 
     89 <ul>
     90   <li>      (,
     91      ..)
     92   </li>
     93 
     94   <li>     
     95  .
     96   </li>
     97 
     98   <li>  ,    ,   .
     99   </li>
    100 </ul>
    101 
    102 <p>
    103         (, TLS, HTTPS) 
    104     ,    API  23
    105  (Android M)       ,  . 
    106     ,  {@code base-config} (
    107     )  {@code domain-config} (   
    108  ).
    109 </p>
    110 
    111 
    112 <h3 id="ConfigCustom">  </h3>
    113 
    114 <p>
    115   ,      ,    SSL,
    116    ,   SSL    ,
    117    ,     .
    118 </p>
    119 
<p>
  <code>res/xml/network_security_config.xml</code>:
</p>
<pre>
&lt;?xml version="1.0" encoding="utf-8"?&gt;
&lt;network-security-config&gt;
    &lt;domain-config&gt;
        &lt;domain includeSubdomains="true"&gt;example.com&lt;/domain&gt;
        &lt;trust-anchors&gt;
            &lt;certificates src="@raw/my_ca"/&gt;
        &lt;/trust-anchors&gt;
    &lt;/domain-config&gt;
&lt;/network-security-config&gt;
</pre>
    134 
    135 <p>
    136            PEM  DER 
    137  {@code res/raw/my_ca}.
    138 </p>
    139 
    140 
    141 <h3 id="LimitingCas">   </h3>
    142 
    143 <p>
    144         ,   ,  
    145       .   
    146     ,    .
    147 </p>
    148 
    149 <p>
         <a href="#ConfigCustom">   </a>   ,   ,
    151       .
    152 </p>
    153 
<p>
<code>res/xml/network_security_config.xml</code>:
</p>
<pre>
&lt;?xml version="1.0" encoding="utf-8"?&gt;
&lt;network-security-config&gt;
    &lt;domain-config&gt;
        &lt;domain includeSubdomains="true"&gt;secure.example.com&lt;/domain&gt;
        &lt;domain includeSubdomains="true"&gt;cdn.example.com&lt;/domain&gt;
        &lt;trust-anchors&gt;
            &lt;certificates src="@raw/trusted_roots"/&gt;
        &lt;/trust-anchors&gt;
    &lt;/domain-config&gt;
&lt;/network-security-config&gt;
</pre>
    169 
    170 <p>
    171         PEM  DER  {@code res/raw/trusted_roots}.
    172    ,     PEM   <em></em>  PEM
    173   -  .      
    174  <a href="#certificates"><code>&lt;certificates&gt;</code></a>
    175  .
    176 </p>
    177 
    178 
    179 <h3 id="TrustingAdditionalCas">
    180       
    181 </h3>
    182 
    183 <p>
    184        ,        .
    185       ,         
    186         Android. 
    187       ,     
    188  .
    189 </p>
<p>
<code>res/xml/network_security_config.xml</code>:
</p>
<pre>
&lt;?xml version="1.0" encoding="utf-8"?&gt;
&lt;network-security-config&gt;
    &lt;base-config&gt;
        &lt;trust-anchors&gt;
            &lt;certificates src="@raw/extracas"/&gt;
            &lt;certificates src="system"/&gt;
        &lt;/trust-anchors&gt;
    &lt;/base-config&gt;
&lt;/network-security-config&gt;
</pre>
    204 
    205 
    206 <h2 id="TrustingDebugCa">    </h2>
    207 
    208 <p>
    209     ,      HTTPS,   
    210      ,     SSL
    211    .      
    212  ,      ,
    213      , <i></i>    <a href="{@docRoot}guide/topics/manifest/application-element.html#debug">
    214 android:debuggable</a>
    215    {@code true}   {@code debug-overrides}.     
    216         ,   .
    217 </p>
    218 
    219 <p>
    220       ,     ,   
    221        , 
    222     .
    223 </p>
    224 
<p>
<code>res/xml/network_security_config.xml</code>:
</p>
<pre>
&lt;?xml version="1.0" encoding="utf-8"?&gt;
&lt;network-security-config&gt;
    &lt;debug-overrides&gt;
        &lt;trust-anchors&gt;
            &lt;certificates src="@raw/debug_cas"/&gt;
        &lt;/trust-anchors&gt;
    &lt;/debug-overrides&gt;
&lt;/network-security-config&gt;
</pre>
    238 
    239 
    240 <h2 id="UsesCleartextTraffic">     </h2>
    241 
    242 <p>
    243   ,         ,
    244          (    HTTP
    245   HTTPS)   .    
    246     ,    URL-,  
    247  , ,  .
    248          {@link android.security.NetworkSecurityPolicy#isCleartextTrafficPermitted
    249   NetworkSecurityPolicy.isCleartextTrafficPermitted()}.
    250 </p>
    251 
    252 <p>
    253   ,       HTTPS     {@code
    254   secure.example.com},    
    255    .
    256 </p>
    257 
<p>
<code>res/xml/network_security_config.xml</code>:
</p>
<pre>
&lt;?xml version="1.0" encoding="utf-8"?&gt;
&lt;network-security-config&gt;
    &lt;domain-config usesCleartextTraffic="false"&gt;
        &lt;domain includeSubdomains="true"&gt;secure.example.com&lt;/domain&gt;
    &lt;/domain-config&gt;
&lt;/network-security-config&gt;
</pre>
    269 
    270 
    271 <h2 id="CertificatePinning"> </h2>
    272 
    273 <p>
    274        .      
    275   ,       .
    276        
    277      ,   .
    278 </p>
    279 
    280 <p>
    281           
    282    (SubjectPublicKeyInfo  X.509).    
    283    ,       
    284    .
    285 </p>
    286 
    287 <p>
    288          
    289  ,               (
    290        ).
    291            
    292   .
    293 </p>
    294 
    295 <p>
    296    ,     ,   
    297    .      
    298  ,    .    
    299      .
    300 </p>
    301 
<p>
<code>res/xml/network_security_config.xml</code>:
</p>
<pre>
&lt;?xml version="1.0" encoding="utf-8"?&gt;
&lt;network-security-config&gt;
    &lt;domain-config&gt;
        &lt;domain includeSubdomains="true"&gt;example.com&lt;/domain&gt;
        &lt;pin-set expiration="2018-01-01"&gt;
            &lt;pin digest="SHA-256"&gt;7HIpactkIAq2Y49orFOOQKurWxmmSFZhBCoQYcRhJ3Y=&lt;/pin&gt;
            &lt;!-- backup pin --&gt;
            &lt;pin digest="SHA-256"&gt;fwza0LRMXouZHRC8Ei+4PyuldPDcf3UKgO/04cDM1oE=&lt;/pin&gt;
        &lt;/pin-set&gt;
    &lt;/domain-config&gt;
&lt;/network-security-config&gt;
</pre>
    317 
    318 
    319 <h2 id="ConfigInheritance">   </h2>
    320 
    321 <p>
    322   ,     , .     
    323   ,        .
    324 </p>
    325 
    326 <p>
    327         ,       .
    328  ,    {@code domain-config},
    329      {@code domain-config}       {@code
    330   base-config}   .  ,    {@code base-config}, 
    331      .
    332 </p>
    333 
    334 <p>
    335    ,        {@code
    336   example.com}     .  ,    
    337     , <em></em>    {@code
    338   secure.example.com}.    {@code
    339   secure.example.com}   {@code example.com}   
    340   {@code trust-anchors}.
    341 </p>
    342 
<p>
<code>res/xml/network_security_config.xml</code>:
</p>
<pre>
&lt;?xml version="1.0" encoding="utf-8"?&gt;
&lt;network-security-config&gt;
    &lt;domain-config&gt;
        &lt;domain includeSubdomains="true"&gt;example.com&lt;/domain&gt;
        &lt;trust-anchors&gt;
            &lt;certificates src="@raw/my_ca"/&gt;
        &lt;/trust-anchors&gt;
        &lt;domain-config cleartextTrafficPermitted="false"&gt;
            &lt;domain includeSubdomains="true"&gt;secure.example.com&lt;/domain&gt;
        &lt;/domain-config&gt;
    &lt;/domain-config&gt;
&lt;/network-security-config&gt;
</pre>
    360 
    361 
    362 <h2 id="FileFormat">  </h2>
    363 
    364 <p>
    365          XML.
    366          :
    367 </p>
    368 
    369 <pre>
    370 &lt;?xml version="1.0" encoding="utf-8"?&gt;
    371 &lt;network-security-config&gt;
    372     &lt;base-config&gt;
    373         &lt;trust-anchors&gt;
    374             &lt;certificates src="..."/&gt;
    375             ...
    376         &lt;/trust-anchors&gt;
    377     &lt;/base-config&gt;
    378 
    379     &lt;domain-config&gt;
    380         &lt;domain&gt;android.com&lt;/domain&gt;
    381         ...
    382         &lt;trust-anchors&gt;
    383             &lt;certificates src="..."/&gt;
    384             ...
    385         &lt;/trust-anchors&gt;
    386         &lt;pin-set&gt;
    387             &lt;pin digest="..."&gt;...&lt;/pin&gt;
    388             ...
    389         &lt;/pin-set&gt;
    390     &lt;/domain-config&gt;
    391     ...
    392     &lt;debug-overrides&gt;
    393         &lt;trust-anchors&gt;
    394             &lt;certificates src="..."/&gt;
    395             ...
    396         &lt;/trust-anchors&gt;
    397     &lt;/debug-overrides&gt;
    398 &lt;/network-security-config&gt;
    399 </pre>
    400 
    401 <p>
    402            
    403  .
    404 </p>
    405 
    406 <h3 id="network-security-config">
    407   &lt;network-security-config&gt;
    408 </h3>
    409 
    410 <dl class="xml">
    411   <dt>
    412      :
    413   </dt>
    414 
    415   <dd>
    416     0  1 <code><a href="#base-config">&lt;base-config&gt;</a></code><br>
    417       <code><a href=
    418     "#domain-config">&lt;domain-config&gt;</a></code><br>
    419     0  1 <code><a href="#debug-overrides">&lt;debug-overrides&gt;</a></code>
    420   </dd>
    421 </dl>
    422 
    423 <h3 id="base-config">
    424   &lt;base-config&gt;
    425 </h3>
    426 
    427 <dl class="xml">
    428   <dt>
    429     :
    430   </dt>
    431 </dl>
    432 
    433 <pre class="stx">
    434 &lt;base-config <a href=
    435 "#usesCleartextTraffic">usesCleartextTraffic</a>=["true" | "false"]&gt;
    436     ...
    437 &lt;/base-config&gt;
    438 </pre>
    439 <dl class="xml">
    440   <dt>
    441      :
    442   </dt>
    443 
    444   <dd>
    445     <code><a href="#trust-anchors">&lt;trust-anchors&gt;</a></code>
    446   </dd>
    447 
    448   <dt>
    449     :
    450   </dt>
    451 
    452   <dd>
    453       ,     ,    <a href="#domain-config"><code>domain-config</code></a>.
    454 
    455 
    456 <p>
    457      ,      .   
    458   ,  API  24  :
    459 </p>
    460 
    461 <pre>
    462 &lt;base-config usesCleartextTraffic="true"&gt;
    463     &lt;trust-anchors&gt;
    464         &lt;certificates src="system" /&gt;
    465     &lt;/trust-anchors&gt;
    466 &lt;/base-config&gt;
    467 </pre>
    468      ,  API  23  :
    469 <pre>
    470 &lt;base-config usesCleartextTraffic="true"&gt;
    471     &lt;trust-anchors&gt;
    472         &lt;certificates src="system" /&gt;
    473         &lt;certificates src="user" /&gt;
    474     &lt;/trust-anchors&gt;
    475 &lt;/base-config&gt;
    476 </pre>
    477 
    478   </dd>
    479 </dl>
    480 
    481 <h3 id="domain-config">&lt;domain-config&gt;</h3>
    482 <dl class="xml">
    483 <dt>:</dt>
    484 <dd>
    485 <pre class="stx">&lt;domain-config <a href="#usesCleartextTraffic">usesCleartextTraffic</a>=["true" | "false"]&gt;
    486     ...
    487 &lt;/domain-config&gt;</pre>
    488 </dd>
    489 
    490 <dt> :</dt>
    491 
    492 <dd>
1   <code><a href="#domain">&lt;domain&gt;</a></code>
<br>0  1 <code><a href="#trust-anchors">&lt;trust-anchors&gt;</a></code>
<br>0  1 <code><a href="#pin-set">&lt;pin-set&gt;</a></code>
<br>   <code>&lt;domain-config&gt;</code></dd>
    497 
    498 <dt></dt>
    499 <dd>,      ,   {@code domain}.
    500 
    501 <p>       {@code domain-config},      ( )  .
    502 </p></dd>
    503 </dl>
    504 
    505 
    506 <h3 id="domain">&lt;domain&gt;</h3>
    507 
    508 <dl class="xml">
    509   <dt>
    510     :
    511   </dt>
    512 
    513   <dd>
    514     <pre class="stx">
    515 &lt;domain includeSubdomains=["true" | "false"]&gt;example.com&lt;/domain&gt;
    516 </pre>
    517   </dd>
    518 
    519   <dt>
    520     :
    521   </dt>
    522 
    523   <dd>
    524     <dl class="attr">
    525       <dt>
    526         {@code includeSubdomains}
    527       </dt>
    528 
    529       <dd>
    530            {@code "true"},          
    531   .     
    532     .
    533       </dd>
    534     </dl>
    535   </dd>
    536 
    537   <dt>
    538     :
    539   </dt>
    540 </dl>
    541 
    542 <h3 id="debug-overrides">&lt;debug-overrides&gt;</h3>
    543 
    544 <dl class="xml">
    545   <dt>
    546     :
    547   </dt>
    548 
    549   <dd>
    550     <pre class="stx">
    551 &lt;debug-overrides&gt;
    552     ...
    553 &lt;/debug-overrides&gt;
    554 </pre>
    555   </dd>
    556 
    557   <dt>
    558      :
    559   </dt>
    560 
    561   <dd>
    562     0  1 <code><a href="#trust-anchors">&lt;trust-anchors&gt;</a></code>
    563   </dd>
    564 
    565   <dt>
    566     :
    567   </dt>
    568 
    569   <dd>
    570      ,   <a href="{@docRoot}guide/topics/manifest/application-element.html#debug">android:debuggable</a>
    571    {@code "true"},      ,
    572       .  ,   {@code
    573     debug-overrides},     ,  
    574    ,        
    575   ,    .   <a href="{@docRoot}guide/topics/manifest/application-element.html#debug">android:debuggable</a>
    576    {@code "false"},    .
    577   </dd>
    578 </dl>
    579 
    580 <h3 id="trust-anchors">&lt;trust-anchors&gt;</h3>
    581 <dl class="xml">
    582   <dt>
    583     :
    584   </dt>
    585 
    586   <dd>
    587     <pre class="stx">
    588 &lt;trust-anchors&gt;
    589 ...
    590 &lt;/trust-anchors&gt;
    591 </pre>
    592   </dd>
    593 
    594   <dt>
    595      :
    596   </dt>
    597 
    598   <dd>
    599       <code><a href="#certificates">&lt;certificates&gt;</a></code>
    600   </dd>
    601 
    602   <dt>
    603     :
    604   </dt>
    605 
    606   <dd>
    607          .
    608   </dd>
    609 </dl>
    610 
    611 
    612 <h3 id="certificates">&lt;certificates&gt;</h3>
    613 <dl class="xml">
    614 <dt>:</dt>
    615 <dd><pre class="stx">&lt;certificates src=["system" | "user" | "<i>raw resource</i>"]
    616               overridePins=["true" | "false"] /&gt;
    617 </pre></dd>
    618 <dt>:</dt>
    619 <dd>  X.509   {@code trust-anchors}.</dd>
    620 
    621 <dt>:</dt>
    622 <dd><dl class="attr">
    623 <dt>{@code src}</dt>
    624 <dd>
    625      
    626 <ul>
    627   <li>  ,      X.509.
    628         DER  PEM.    PEM
    629   <em> </em>  ,   PEM, ,
    630  .
    631   </li>
    632 
    633   <li>{@code "system"}      
    634   </li>
    635 
    636   <li>{@code "user"}     
    637   </li>
    638 </ul>
    639 </dd>
    640 
    641 <dt>{@code overridePins}</dt>
    642 <dd>
    643   <p>
    644     ,         .    {@code
    645     "true"},        ,      
    646  .     
    647          .
    648   </p>
    649 
    650   <p>
    651         {@code "false"},     {@code debug-overrides},
    652       {@code "true"}.
    653   </p>
    654 </dd>
    655 </dl>
</dd>
</dl>
    657 
    658 
    659 <h3 id="pin-set">&lt;pin-set&gt;</h3>
    660 
    661 <dl class="xml">
    662   <dt>
    663     :
    664   </dt>
    665 
    666   <dd>
    667 <pre class="stx">
    668 &lt;pin-set expiration="date"&gt;
    669 ...
    670 &lt;/pin-set&gt;
    671 </pre>
    672   </dd>
    673 
    674   <dt>
    675      :
    676   </dt>
    677 
    678   <dd>
    679       <code><a href="#pin">&lt;pin&gt;</a></code>
    680   </dd>
    681 
    682   <dt>
    683     :
    684   </dt>
    685 
    686   <dd>
    687        .     ,  
    688            .    
    689  <code><a href="#pin">&lt;pin&gt;</a></code>.
    690   </dd>
    691 
    692   <dt>
    693     :
    694   </dt>
    695 
    696   <dd>
    697     <dl class="attr">
    698       <dt>
    699         {@code expiration}
    700       </dt>
    701 
    702       <dd>
    703            {@code yyyy-MM-dd},      
    704    .     ,
    705     .
    706         <p>
    707                    , 
    708       ,     ,  
    709    .
    710         </p>
    711       </dd>
    712     </dl>
    713   </dd>
    714 </dl>
    715 
    716 <h3 id="pin">&lt;pin&gt;</h3>
    717 <dl class="xml">
    718   <dt>
    719     :
    720   </dt>
    721 
    722   <dd>
    723 <pre class="stx">
    724 &lt;pin digest=["SHA-256"]&gt;base64 encoded digest of X.509
    725     SubjectPublicKeyInfo (SPKI)&lt;/pin&gt;
    726 </pre>
    727   </dd>
    728 
    729   <dt>
    730     :
    731   </dt>
    732 
    733   <dd>
    734     <dl class="attr">
    735       <dt>
    736         {@code digest}
    737       </dt>
    738 
    739       <dd>
    740          ,    .      
    741  {@code "SHA-256"}.
    742       </dd>
    743     </dl>
    744   </dd>
    745 </dl>
    746