
Changes to Trusted Certificate Authorities in Android Nougat - 04rob
http://android-developers.blogspot.com/2016/07/changes-to-trusted-certificate.html
======
04rob
Does this mean that users will no longer be able to MITM most apps on their
own phone by installing a custom cert and proxying all requests through
another machine?

 _User-added CAs

Protection of all application data is a key goal of the Android application
sandbox. Android Nougat changes how applications interact with user- and
admin-supplied CAs. By default, apps that target API level 24 will—by
design—not honor such CAs unless the app explicitly opts in. This safe-by-
default setting reduces application attack surface and encourages consistent
handling of network and file-based application data._

~~~
mrb
Yep. Now to MitM an app you will have to decompile it, tweak its network
security config¹ to allow user CAs, recompile, and reinstall via adb. But if
you need to MitM because you are reverse engineering, none of these steps are
problematic since you are already doing most of them anyway.

¹ [https://developer.android.com/preview/features/security-conf...](https://developer.android.com/preview/features/security-config.html#manifest)
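
An added example, not from the thread or from the Android documentation, of the network security config mrb refers to: the first document re-enables user-added CAs for all traffic (the pre-Nougat behaviour), the second keeps release builds on system CAs only and honors user CAs just under `debug-overrides`, which Android applies only when the app is built with `android:debuggable="true"`. Either file is wired in from the manifest via `android:networkSecurityConfig="@xml/network_security_config"` on the `<application>` element; the file name is an assumption.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml: weak variant.
     Trusting src="user" in base-config means any CA the device owner
     installs can sign certificates for every host, in release builds too. -->
<network-security-config>
    <base-config>
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />
        </trust-anchors>
    </base-config>
</network-security-config>

<!-- Hardened variant (second document, separate file in practice).
     Release builds keep the API 24 default of system CAs only; user CAs
     are honored only by debuggable builds, so a proxy can still be used
     during development without widening the release attack surface. -->
<network-security-config>
    <base-config>
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>
    <debug-overrides>
        <trust-anchors>
            <certificates src="user" />
        </trust-anchors>
    </debug-overrides>
</network-security-config>
```

To check which variant a build actually ships, inspect the config referenced by the manifest's `android:networkSecurityConfig` attribute and confirm `src="user"` appears only inside `debug-overrides`.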

