Problem
You're seeing Connection Not Private errors or ERR_CERT_AUTHORITY_INVALID errors on your native app. These might also show up as "Connection not available" or a similar error depending on your application.
Summary
Starting with Android 7.0, Google set stricter rules on how applications and emulators trust user- or admin-added certificates.
Before, adding your custom SSL certificate to the emulator (which in Sauce's case we did by adding our custom Sauce Labs Tunnel Proxy certificate, which is used by Sauce Connect) would be enough to ensure a successful connection. This is no longer the case. Your application itself needs to have this certificate for the connection to be trusted. This is discussed in a bit more detail in this post from the Android Developer's blog. There are two scenarios that would be affected by this:
- The URL your app is trying to hit does not have a public CA trusted certificate (this is common on dev/staging/private environments)
- You are trying to use an intercepting proxy like Charles to view, analyze and modify traffic
What does this mean for you? You have two options depending on your setup, and the original certificate of your server.
💡 Both of these options require changes to the Android app being used and will likely need a developer or someone with access to the app source code to make this change 💡
Option 1 - Add your own certificate onto your app
Trust the self-signed/non-public CA trusted certificate within the Android app and use -B all on your Sauce Connect tunnel to avoid Sauce’s re-encryption.
The post in the Developer's Blog linked above explains how to do this. The process involves adding the certificate file to your app by creating a network configuration file, and telling your app to trust it. As an example, this is what a network_security_config.xml file would look like:
<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <debug-overrides>
        <trust-anchors>
            <certificates src="@raw/selfsigned_ca" />
        </trust-anchors>
    </debug-overrides>
</network-security-config>
where @raw/selfsigned_ca is the path to res/raw/selfsigned_ca which contains my site's certificate.
You then add this file to your AndroidManifest.xml with the android:networkSecurityConfig attribute, as explained in this page on Network Security Configuration in the Android Developers documentation.
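As an added example (not Sauce Labs or Android project code), this Python script audits a network_security_config.xml and reports whether each trust anchor applies only to debuggable builds or also to release builds; the function names and the WIDE_CONFIG variant are constructed for illustration. Entries under debug-overrides take effect only when android:debuggable is "true", so the configuration above does not make a release build trust the certificate.

```python
import xml.etree.ElementTree as ET

# The config shown on the page (XML declaration omitted for brevity).
PAGE_CONFIG = """<network-security-config>
    <debug-overrides>
        <trust-anchors>
            <certificates src="@raw/selfsigned_ca" />
        </trust-anchors>
    </debug-overrides>
</network-security-config>"""

# Constructed variant for contrast: the same CA trusted app-wide.
WIDE_CONFIG = """<network-security-config>
    <base-config>
        <trust-anchors>
            <certificates src="system" />
            <certificates src="@raw/selfsigned_ca" />
        </trust-anchors>
    </base-config>
</network-security-config>"""

def audit_trust_anchors(xml_text):
    """Return (scope, src, verdict) for each <certificates> entry."""
    findings = []
    for scope in ET.fromstring(xml_text).iter():
        if scope.tag not in ("base-config", "domain-config", "debug-overrides"):
            continue
        for cert in scope.findall("trust-anchors/certificates"):
            src = cert.get("src", "")
            if scope.tag == "debug-overrides":
                verdict = "debug builds only"  # needs android:debuggable="true"
            elif src == "system":
                verdict = "platform default"
            else:
                verdict = "trusted in release builds"  # user store or bundled CA
            findings.append((scope.tag, src, verdict))
    return findings

def release_exposed(xml_text):
    """Sources other than the system store that a release build would trust."""
    return [src for _, src, verdict in audit_trust_anchors(xml_text)
            if verdict == "trusted in release builds"]

if __name__ == "__main__":
    for name, cfg in (("page", PAGE_CONFIG), ("wide", WIDE_CONFIG)):
        print(name, audit_trust_anchors(cfg), release_exposed(cfg))
```

An empty result from release_exposed means the test certificate stays out of the release trust store; if the build you upload for testing is not debuggable, the same result also means the tunnel certificate will not be trusted.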
Pros
- Add your own certificate onto your app
Cons
- If using something like Charles where multiple Charles instances have different certificates, the list of certificates to be added can be long
Option 2 - Add Sauce’s Sauce Labs Tunnel Proxy certificate
In this scenario we will also add the certificate as mentioned in Option 1, but we will remove -B all, and res/raw/selfsigned_ca will instead be Sauce’s own certificate.
Pros
- No need to handle multiple certificates if multiple proxies are being used
Cons
- If Sauce were to change this certificate, we cannot guarantee there would be an announcement, and the change could break your tests (the odds of this happening are low, as this certificate is managed by us and not due for renewal until 2028)
You can find this certificate here.