Description
Mergin Maps application fails to establish a secure SSL/TLS connection on Android 7+ devices when the server certificate chains to a newer Root CA (Sectigo, issued 2021) not yet included in the Android system CA store on some devices. The connection fails even when the Root CA certificate is successfully deployed via Microsoft Intune MDM.
Root Cause Analysis:
Starting with Android 7.0 (Nougat), Android introduced significant changes to how apps handle certificate trust. Apps targeting API Level 24+ no longer trust user-installed or MDM-deployed certificates by default - they only trust pre-installed system CAs.
This means that even when an administrator successfully deploys a trusted Root CA certificate via Intune (or any other MDM), the Mergin Maps application ignores it because the app is not configured to trust certificates from the "user" certificate store.
Technical Details:
- Android Network Security Configuration changes: https://developer.android.com/privacy-and-security/security-config
- Microsoft documentation on Android certificate behavior: https://learn.microsoft.com/en-us/troubleshoot/mem/intune/device-enrollment/troubleshoot-android-certificates
Environment
- Production
Application (+ app version, build, operating system)
- App: Mergin Maps
- Version: Latest
- OS: Android
- OS Version: Android 7.0+ (API Level 24+)
- Device: Zebra TC26 (and other Android Enterprise managed devices)
Actual results
- Application throws a connection error
Expected results
- Application should trust the MDM-deployed Root CA certificate
- SSL/TLS connection should be established successfully
- API communication and data sync should work normally
Proposed Solution
The application needs to include a network_security_config.xml file that explicitly trusts user-installed certificates.
We did this with our in-house app:

```xml
<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <!-- Trust the pre-installed system CAs plus the user store, which is
         where an MDM such as Intune installs a deployed Root CA.
         cleartextTrafficPermitted is unrelated to the certificate fix;
         "false" is the stricter setting if plain HTTP is not needed. -->
    <base-config cleartextTrafficPermitted="true">
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />
        </trust-anchors>
    </base-config>
    <!-- base-config already applies to every host, so a domain-config is
         only needed to scope trust to specific hosts. <domain> takes a
         hostname and does not accept wildcards such as "*";
         server.example.com below is a placeholder for the real server. -->
    <domain-config>
        <domain includeSubdomains="true">server.example.com</domain>
        <trust-anchors>
            <certificates src="user" />
            <certificates src="system" />
        </trust-anchors>
    </domain-config>
</network-security-config>
```
The config is referenced from the `<application>` element in AndroidManifest.xml:

```xml
<application
    android:label="OurApp"
    android:allowBackup="false"
    android:fullBackupContent="false"
    android:networkSecurityConfig="@xml/network_security_config">
</application>
```
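As an added example, not code from the issue or the Mergin Maps project: a small Python checker that audits a network_security_config.xml for the points raised above (whether the base config trusts the user/MDM certificate store, whether cleartext traffic is enabled, and whether a `<domain>` entry uses a wildcard, which the format does not accept). The function name and the sample config are constructed for this example.

```python
import xml.etree.ElementTree as ET


def audit_network_security_config(xml_text: str) -> dict:
    """Report how an Android network_security_config.xml handles trust anchors."""
    root = ET.fromstring(xml_text)
    findings = {
        "base_trusts_user_store": False,   # user store: where Intune installs the Root CA
        "base_trusts_system_store": False,
        "cleartext_permitted": False,
        "wildcard_domains": [],            # <domain> takes a hostname, never "*"
        "domains_trusting_user_store": [],
    }
    base = root.find("base-config")
    if base is not None:
        srcs = {c.get("src") for c in base.iter("certificates")}
        findings["base_trusts_user_store"] = "user" in srcs
        findings["base_trusts_system_store"] = "system" in srcs
        # An absent attribute is treated as "not permitted" (the API 28+ default).
        attr = base.get("cleartextTrafficPermitted", "false")
        findings["cleartext_permitted"] = attr.lower() == "true"
    for dc in root.findall("domain-config"):
        srcs = {c.get("src") for c in dc.iter("certificates")}
        for d in dc.findall("domain"):
            name = (d.text or "").strip()
            if "*" in name:
                findings["wildcard_domains"].append(name)
            if "user" in srcs:
                findings["domains_trusting_user_store"].append(name)
    return findings


# Constructed sample in the shape of the config posted in the issue.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
  <base-config cleartextTrafficPermitted="true">
    <trust-anchors>
      <certificates src="system"/>
      <certificates src="user"/>
    </trust-anchors>
  </base-config>
  <domain-config>
    <domain includeSubdomains="true">*</domain>
    <trust-anchors><certificates src="user"/></trust-anchors>
  </domain-config>
</network-security-config>"""

if __name__ == "__main__":
    for key, value in audit_network_security_config(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

Run against a project's real config, a report of `base_trusts_user_store: False` is the condition described in this issue, and a non-empty `wildcard_domains` list points at a domain entry that will never match.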
Related Documentation
- Android Network Security Configuration: https://developer.android.com/privacy-and-security/security-config
- Android Security with HTTPS and SSL: https://developer.android.com/privacy-and-security/security-ssl
- Changes to Trusted CAs in Android Nougat: https://android-developers.googleblog.com/2016/07/changes-to-trusted-certificate.html
- Microsoft Intune Android Certificate Troubleshooting: https://learn.microsoft.com/en-us/troubleshoot/mem/intune/device-enrollment/troubleshoot-android-certificates