At one of my former jobs, I was working on an automated testing product that could MITM requests (for testing analytics, etc.).
Android has this really annoying feature where apps don't trust self-signed CA certs (but Chrome & webviews do, strangely). You either need to add it to the app's network_security_config.xml, or root the device and add it as a system CA.
I looked into using apktool as part of a pipeline to inject our self-signed CA as a custom trust anchor when customers uploaded their APK for testing. But in the end, we found it was easier and simpler to just add the cert as a system CA on a custom rooted AVD.
That whole project really made me appreciate that no matter how shit I feel web dev is some days, at least I'm not an Android developer.