mobile: Add support for trusting user-added CAs on Android

shrizza · shrizza · commit def1499fad87 · 2022-10-31T01:29:16.000+09:00
diff --git a/android/app/src/main/AndroidManifest.xml b/android/app/src/main/AndroidManifest.xml
@@ -67,7 +67,8 @@
         android:allowBackup="true"
         android:icon="@mipmap/ic_launcher"
         android:label="@string/app_name"
-        android:theme="@style/AppTheme">
+        android:theme="@style/AppTheme"
+        android:networkSecurityConfig="@xml/network_security_config">
         <activity
             android:name=".MainActivity"
             android:exported="true"
diff --git a/android/app/src/main/res/xml/network_security_config.xml b/android/app/src/main/res/xml/network_security_config.xml
@@ -0,0 +1,19 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!-- This config was created to address: https://github.com/zulip/zulip-mobile/issues/3312 -->
+<network-security-config>
+      <base-config>
+           <!-- Trusting user-supplied CAs now requires opt-in, and we are doing so here -->
+           <trust-anchors>
+                <certificates src="system" />
+                <certificates src="user" />
+           </trust-anchors>
+      </base-config>
+      <domain-config>
+           <!-- Do not trust user-supplied certs for the following Zulip-owned domains (including subdomains) -->
+           <domain includeSubdomains="true">zulipchat.com</domain>
+           <domain includeSubdomains="true">zulip.org</domain>
+           <domain includeSubdomains="true">zulip.com</domain>
+           <trust-anchors><certificates src="system" /></trust-anchors>
+      </domain-config>
+ </network-security-config>
+<!-- Reference: https://developer.android.com/training/articles/security-config#FileFormat -->
