expo / expo

An open-source framework for making universal native apps with React. Expo runs on Android, iOS, and the web.
https://docs.expo.dev
MIT License

Support user-installed certificates in Android Expo app. #7200

Closed collink closed 4 years ago

collink commented 4 years ago

Installing root certificates on iOS is enough to get them to be trusted, but Android requires extra configuration to AndroidManifest.xml in the form of adding a reference to (and creating) a network security config XML file.

I'm trying to get AppAuth working in a managed app using internal dev servers with self-signed certificates. On iOS this works after installing the server's root certificate and marking it as trusted. On Android though, it fails immediately with a "Network error" and no other stack trace. After MUCH digging, I figured out that it was an SSL issue, and that it was because by default, Android apps no longer trust user-installed certificates.

I was able to test this by unpacking the Expo APK, making the modifications and re-packing it and installing it on my device. I created res/xml/network_security_config.xml, which looked like this:

<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
        <base-config cleartextTrafficPermitted="true">
                <trust-anchors>
                        <certificates src="system" />
                        <certificates src="user" />
                </trust-anchors>
        </base-config>
</network-security-config>

Then I modified AndroidManifest.xml by adding this to the <application>:

android:networkSecurityConfig="@xml/network_security_config"

The result is that I'm now able to hit my dev auth server with no issue with the certificate installed, and without the certificate installed I get the typical Chrome "Your connection is not private" screen and am allowed to continue to my auth server.

cruzach commented 4 years ago

I think if you're looking for this behavior, the best option is to use the bare workflow. Although it's missing some of the features of the managed workflow right now, that will change once we release SDK 37 😄

Otherwise, since this isn't a bug report and probably fits in better with our other feature requests, I'm going to close this issue.

collink commented 4 years ago

So things like OTA updates and push notifications are going to work in the bare workflow as of SDK 37?

cruzach commented 4 years ago

Yes! That's what we have planned.

collink commented 4 years ago

Do you have a ballpark on a release date for when that might be released?

cruzach commented 4 years ago

Should release SDK 37 by March 31.

atefwahab commented 3 years ago

Has it been released yet?

olarcher commented 2 years ago

You can now use config plugins to modify AndroidManifest.xml and remain in the managed workflow (though you will lose the ability to use Expo Go and need a custom dev client).

RichardSleet commented 4 months ago

Same issue

senicko commented 2 months ago

This is really needed. I've been trying to connect with my HTTPS backend for 4 hours already.

olarcher commented 2 months ago

@senicko this is how I ended up solving the issue (you will need to create a custom dev client but will remain in the managed workflow):

https://stackoverflow.com/a/70775576/4350421
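
The config-plugin route mentioned in the comments above, as an added example that is not part of the thread, the linked answer, or Expo's own code: a plugin that writes `res/xml/network_security_config.xml` and references it from `<application>`. It goes beyond the XML in the issue by using `<debug-overrides>`, so user-installed CAs are trusted only in debuggable builds, and by leaving out `cleartextTrafficPermitted`. The function names are hypothetical, and it assumes the custom dev client is a debuggable build.

```javascript
// Added example, not from the thread: an Expo config plugin (names are hypothetical).
const NSC_FILE = 'network_security_config'; // same resource name as in the issue

// debugOnly=true: user CAs trusted only when android:debuggable is true.
// debugOnly=false: the issue's base-config trust anchors, for comparison.
function buildNetworkSecurityConfig({ debugOnly = true } = {}) {
  const anchors = (srcs) => [
    '    <trust-anchors>',
    ...srcs.map((s) => `      <certificates src="${s}" />`),
    '    </trust-anchors>',
  ];
  const body = debugOnly
    ? ['  <debug-overrides>', ...anchors(['user']), '  </debug-overrides>']
    : ['  <base-config>', ...anchors(['system', 'user']), '  </base-config>'];
  return ['<?xml version="1.0" encoding="utf-8"?>', '<network-security-config>',
    ...body, '</network-security-config>', ''].join('\n');
}

// Point <application> at the resource; refuse to overwrite a different config.
function setNetworkSecurityConfig(androidManifest) {
  const app = androidManifest.manifest.application?.[0];
  if (!app) throw new Error('AndroidManifest.xml has no <application> element');
  const ref = `@xml/${NSC_FILE}`;
  app.$ = app.$ || {};
  const current = app.$['android:networkSecurityConfig'];
  if (current && current !== ref) throw new Error(`networkSecurityConfig already set: ${current}`);
  app.$['android:networkSecurityConfig'] = ref;
  return androidManifest;
}

// Plugin entry point. Dependencies are loaded lazily so the helpers run without them.
function withUserCaInDebug(config) {
  const { withAndroidManifest, withDangerousMod } = require('@expo/config-plugins');
  const fs = require('fs');
  const path = require('path');
  config = withAndroidManifest(config, (cfg) => {
    cfg.modResults = setNetworkSecurityConfig(cfg.modResults);
    return cfg;
  });
  return withDangerousMod(config, ['android', async (cfg) => {
    const dir = path.join(cfg.modRequest.platformProjectRoot, 'app/src/main/res/xml');
    await fs.promises.mkdir(dir, { recursive: true });
    await fs.promises.writeFile(path.join(dir, `${NSC_FILE}.xml`), buildNetworkSecurityConfig());
    return cfg;
  }]);
}

if (typeof module !== 'undefined') module.exports = withUserCaInDebug;
```

List the plugin file in the `plugins` array of the app config and rebuild the dev client; a release build produced from the same config keeps the platform default of trusting system CAs only.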
