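page.title=
page.keywords=androidn,security,network
page.image=images/cards/card-nyc_2x.jpg

@jd:body

<div id="tb-wrapper">
<div id="tb">

<h2></h2>
<ol>
  <li><a href="#manifest"></a></li>
  <li><a href="#CustomTrust"> CA</a>
  <ol>
      <li><a href="#ConfigCustom"> CA</a></li>
      <li><a href="#LimitingCas"> CA </a></li>
      <li><a href="#TrustingAdditionalCas"> CA</a></li>
  </ol>
  </li>
  <li><a href="#TrustingDebugCa"> CA</a></li>
  <li><a href="#UsesCleartextTraffic"></a></li>
  <li><a href="#CertificatePinning"></a></li>
  <li><a href="#ConfigInheritance"></a></li>
  <li><a href="#FileFormat"></a></li>
</ol>
</div>
</div>


<p>
  Android N
</p>

<ul>
  <li>
    <b></b> (CA)
    CA
  </li>

  <li>
    <b></b>
  </li>

  <li>
    <b></b>
  </li>

  <li>
    <b></b>
  </li>
</ul>


<h2 id="manifest"></h2>

<p>
  XML
</p>

<pre>
<?xml version="1.0" encoding="utf-8"?>
<!-- The meta-data entry points the platform at res/xml/network_security_config.xml.
     <application> is the manifest element that carries <meta-data>.
     NOTE(review): this meta-data wiring is the preview-era form; released
     API 24 references the file with the android:networkSecurityConfig
     attribute on <application>. Confirm against the platform you target. -->
...
<application ...>
    <meta-data android:name="android.security.net.config"
               android:resource="@xml/network_security_config" />
    ...
</application>
</pre>

<h2 id="CustomTrust"> CA</h2>

<p>
  CA CA
</p>

<ul>
  <li> ( CA )
  </li>

  <li> CA CA CA
  </li>

  <li> CA
  </li>
</ul>

<p>
  CA API 23 (Android M) CA
  {@code base-config} () {@code domain-config} ()
</p>


<h3 id="ConfigCustom"> CA</h3>

<p>
  SSL SSL CA CA
</p>

<p>
<code>res/xml/network_security_config.xml</code>
<pre>
<?xml version="1.0" encoding="utf-8"?>
<!-- Connections to example.com and its subdomains are validated only against
     the CA certificate(s) in res/raw/my_ca. No "system" or "user" source is
     listed, so a chain that ends only in a preinstalled CA is not accepted
     for this domain. -->
<network-security-config>
    <domain-config>
        <domain includeSubdomains="true">example.com</domain>
        <trust-anchors>
            <certificates src="@raw/my_ca"/>
        </trust-anchors>
    </domain-config>
</network-security-config>
</pre>
</p>

<p>
  PEM DER CA
  {@code res/raw/my_ca}
</p>


<h3 id="LimitingCas"> CA </h3>

<p>
  CA CA
  CA
</p>

<p>
  CA <a href="#ConfigCustom"> CA</a> () CA
</p>

<p>
<code>res/xml/network_security_config.xml</code>
<pre>
<?xml version="1.0" encoding="utf-8"?>
<!-- Both listed domains (and their subdomains) accept only chains that end in
     a certificate from res/raw/trusted_roots, which shrinks the set of CAs
     able to issue for them. Hosts not listed here are unaffected. -->
<network-security-config>
    <domain-config>
        <domain includeSubdomains="true">secure.example.com</domain>
        <domain includeSubdomains="true">cdn.example.com</domain>
        <trust-anchors>
            <certificates src="@raw/trusted_roots"/>
        </trust-anchors>
    </domain-config>
</network-security-config>
</pre>
</p>

<p>
  PEM DER CA {@code res/raw/trusted_roots}
  PEM PEM <em></em>
  <a href="#certificates"><code><certificates></code></a>
</p>


<h3 id="TrustingAdditionalCas">
  CA
</h3>

<p>
  CA CA CA Android
</p>
<p>
<code>res/xml/network_security_config.xml</code>
<pre>
<?xml version="1.0" encoding="utf-8"?>
<!-- base-config covers every connection that no domain-config matches.
     The CAs in res/raw/extracas are trusted in addition to the system store;
     every extra anchor widens who can issue certificates the app accepts. -->
<network-security-config>
    <base-config>
        <trust-anchors>
            <certificates src="@raw/extracas"/>
            <certificates src="system"/>
        </trust-anchors>
    </base-config>
</network-security-config>
</pre>
</p>


<h2 id="TrustingDebugCa"> CA </h2>

<p>
  HTTPS SSL
  {@code debug-overrides} CA <a href="{@docRoot}guide/topics/manifest/application-element.html#debug">
  android:debuggable</a>
  {@code true} <i></i>
  IDE
</p>

<p>
</p>

<p>
<code>res/xml/network_security_config.xml</code>
<pre>
<?xml version="1.0" encoding="utf-8"?>
<!-- Applied only when android:debuggable is "true", so the anchors in
     res/raw/debug_cas are not trusted by a non-debuggable (release) build. -->
<network-security-config>
    <debug-overrides>
        <trust-anchors>
            <certificates src="@raw/debug_cas"/>
        </trust-anchors>
    </debug-overrides>
</network-security-config>
</pre>
</p>


<h2 id="UsesCleartextTraffic"></h2>

<p>
  ( HTTP HTTPS)
  () URL
  {@link android.security.NetworkSecurityPolicy#isCleartextTrafficPermitted
  NetworkSecurityPolicy.isCleartextTrafficPermitted()}
</p>

<p>
  HTTPS
</p>

<p>
<code>res/xml/network_security_config.xml</code>
<pre>
<?xml version="1.0" encoding="utf-8"?>
<!-- Opts secure.example.com and its subdomains out of cleartext (plain HTTP).
     The attribute is spelled cleartextTrafficPermitted, matching the
     inheritance example on this page and the released API 24 format; some
     preview-era copies of this page spell it usesCleartextTraffic.
     NOTE(review): a misspelled attribute may be ignored rather than rejected,
     leaving cleartext allowed. Verify the effective policy at runtime with
     NetworkSecurityPolicy.isCleartextTrafficPermitted(). -->
<network-security-config>
    <domain-config cleartextTrafficPermitted="false">
        <domain includeSubdomains="true">secure.example.com</domain>
    </domain-config>
</network-security-config>
</pre>
</p>


<h2 id="CertificatePinning"></h2>

<p>
  CA CA MiTM
  CA
</p>

<p>
  (X.509 SubjectPublicKeyInfo)
</p>

<p>
  CA ( CA CA )
</p>

<p>
</p>

<p>
<code>res/xml/network_security_config.xml</code>
<pre>
<?xml version="1.0" encoding="utf-8"?>
<!-- Each <pin> is the base64 SHA-256 digest of a certificate's X.509
     SubjectPublicKeyInfo; a chain must contain at least one pinned key.
     Keep a backup pin so a key rotation does not lock the app out.
     After the expiration date the pin-set is no longer enforced, so track
     that date: pinning lapses without any error once it has passed. -->
<network-security-config>
    <domain-config>
        <domain includeSubdomains="true">example.com</domain>
        <pin-set expiration="2018-01-01">
            <pin digest="SHA-256">7HIpactkIAq2Y49orFOOQKurWxmmSFZhBCoQYcRhJ3Y=</pin>
            <!-- backup pin -->
            <pin digest="SHA-256">fwza0LRMXouZHRC8Ei+4PyuldPDcf3UKgO/04cDM1oE=</pin>
        </pin-set>
    </domain-config>
</network-security-config>
</pre>
</p>


<h2 id="ConfigInheritance"></h2>

<p>
</p>

<p>
  {@code domain-config} {@code domain-config} {@code base-config}
  {@code base-config}
</p>

<p>
  {@code example.com} CA {@code secure.example.com}
  <em></em> {@code example.com} {@code secure.example.com}
  {@code trust-anchors}
</p>

<p>
<code>res/xml/network_security_config.xml</code>
<pre>
<?xml version="1.0" encoding="utf-8"?>
<!-- The nested domain-config for secure.example.com sets no trust-anchors of
     its own, so it inherits the my_ca anchors from the enclosing example.com
     entry and adds the cleartext ban on top. -->
<network-security-config>
    <domain-config>
        <domain includeSubdomains="true">example.com</domain>
        <trust-anchors>
            <certificates src="@raw/my_ca"/>
        </trust-anchors>
        <domain-config cleartextTrafficPermitted="false">
            <domain includeSubdomains="true">secure.example.com</domain>
        </domain-config>
    </domain-config>
</network-security-config>
</pre>
</p>


<h2 id="FileFormat"></h2>

<p>
  XML
</p>

<pre>
<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config>
        <trust-anchors>
            <certificates src="..."/>
            ...
        </trust-anchors>
    </base-config>

    <domain-config>
        <domain>android.com</domain>
        ...
        <trust-anchors>
            <certificates src="..."/>
            ...
        </trust-anchors>
        <pin-set>
            <pin digest="...">...</pin>
            ...
        </pin-set>
    </domain-config>
    ...
    <debug-overrides>
        <trust-anchors>
            <certificates src="..."/>
            ...
        </trust-anchors>
    </debug-overrides>
</network-security-config>
</pre>

<p>
</p>

<h3 id="network-security-config">
  <network-security-config>
</h3>

<dl class="xml">
  <dt>
  </dt>

  <dd>
    0 1 <code><a href="#base-config"><base-config></a></code><br>
    <code><a href="#domain-config"><domain-config></a></code><br>
    0 1 <code><a href="#debug-overrides"><debug-overrides></a></code>
  </dd>
</dl>

<h3 id="base-config">
  <base-config>
</h3>

<dl class="xml">
  <dt>
  </dt>
</dl>

<pre class="stx">
<base-config <a href="#UsesCleartextTraffic">cleartextTrafficPermitted</a>=["true" | "false"]>
    ...
</base-config>
</pre>
<dl class="xml">
  <dt>
  </dt>

  <dd>
    <code><a href="#trust-anchors"><trust-anchors></a></code>
  </dd>

  <dt>
  </dt>

  <dd>
    <a href="#domain-config"><code>domain-config</code></a>

    <p>
      API 24
    </p>

<pre>
<base-config cleartextTrafficPermitted="true">
    <trust-anchors>
        <certificates src="system" />
    </trust-anchors>
</base-config>
</pre>
    API 23
<pre>
<base-config cleartextTrafficPermitted="true">
    <trust-anchors>
        <certificates src="system" />
        <certificates src="user" />
    </trust-anchors>
</base-config>
</pre>

  </dd>
</dl>

<h3 id="domain-config"><domain-config></h3>
<dl class="xml">
<dt></dt>
<dd>
<pre class="stx"><domain-config <a href="#UsesCleartextTraffic">cleartextTrafficPermitted</a>=["true" | "false"]>
    ...
</domain-config></pre>
</dd>

<dt></dt>

<dd>
1 <code><a href="#domain"><domain></a></code>
<br/>0 1 <code><a href="#trust-anchors"><trust-anchors></a></code>
<br/>0 1 <code><a href="#pin-set"><pin-set></a></code>
<br/> <code><domain-config></code></dd>

<dt></dt>
<dd> {@code domain}

<p> {@code domain-config} ()
</p></dd>
</dl>


<h3 id="domain"><domain></h3>

<dl class="xml">
  <dt>
  </dt>

  <dd>
    <pre class="stx">
<domain includeSubdomains=["true" | "false"]>example.com</domain>
</pre>
  </dd>

  <dt>
  </dt>

  <dd>
    <dl class="attr">
      <dt>
        {@code includeSubdomains}
      </dt>

      <dd>
        {@code "true"}
      </dd>
    </dl>
  </dd>

  <dt>
  </dt>
</dl>

<h3 id="debug-overrides"><debug-overrides></h3>

<dl class="xml">
  <dt>
  </dt>

  <dd>
    <pre class="stx">
<debug-overrides>
    ...
</debug-overrides>
</pre>
  </dd>

  <dt>
  </dt>

  <dd>
    0 1 <code><a href="#trust-anchors"><trust-anchors></a></code>
  </dd>

  <dt>
  </dt>

  <dd>
    <a href="{@docRoot}guide/topics/manifest/application-element.html#debug">android:debuggable</a>
    {@code "true"} ( IDE )
    {@code debug-overrides}

    <a href="{@docRoot}guide/topics/manifest/application-element.html#debug">android:debuggable</a>
    {@code "false"}
  </dd>
</dl>

<h3 id="trust-anchors"><trust-anchors></h3>
<dl class="xml">
  <dt>
  </dt>

  <dd>
    <pre class="stx">
<trust-anchors>
...
</trust-anchors>
</pre>
  </dd>

  <dt>
  </dt>

  <dd>
    <code><a href="#certificates"><certificates></a></code>
  </dd>

  <dt>
  </dt>

  <dd>
  </dd>
</dl>


<h3 id="certificates"><certificates></h3>
<dl class="xml">
<dt></dt>
<dd><pre class="stx"><certificates src=["system" | "user" | "<i>raw resource</i>"]
              overridePins=["true" | "false"] />
</pre></dd>
<dt></dt>
<dd> {@code trust-anchors} X.509 </dd>

<dt></dt>
<dd><dl class="attr">
<dt>{@code src}</dt>
<dd>
CA X.509
<ul>
  <li>
    DER PEM PEM PEM
    <em></em>
  </li>

  <li>{@code "system"} CA
  </li>

  <li>{@code "user"} CA
  </li>
</ul>
</dd>

<dt>{@code overridePins}</dt>
<dd>
  <p>
    CA {@code "true"} CA
    CA MiTM
  </p>

  <p>
    {@code "false"} {@code debug-overrides}
    {@code "true"}
  </p>
</dd>
</dl>
</dd>
</dl>


<h3 id="pin-set"><pin-set></h3>

<dl class="xml">
  <dt>
  </dt>

  <dd>
    <pre class="stx">
<pin-set expiration="date">
...
</pin-set>
</pre>
  </dd>

  <dt>
  </dt>

  <dd>
    <code><a href="#pin"><pin></a></code>
  </dd>

  <dt>
  </dt>

  <dd>
    <code><a href="#pin"><pin></a></code>
  </dd>

  <dt>
  </dt>

  <dd>
    <dl class="attr">
      <dt>
        {@code expiration}
      </dt>

      <dd>
        {@code yyyy-MM-dd}

        <p>
        </p>
      </dd>
    </dl>
  </dd>
</dl>

<h3 id="pin"><pin></h3>
<dl class="xml">
  <dt>
  </dt>

  <dd>
    <pre class="stx">
<pin digest=["SHA-256"]>base64 encoded digest of X.509
    SubjectPublicKeyInfo (SPKI)</pin>
</pre>
  </dd>

  <dt>
  </dt>

  <dd>
    <dl class="attr">
      <dt>
        {@code digest}
      </dt>

      <dd>
        {@code "SHA-256"}
      </dd>
    </dl>
  </dd>
</dl>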