I have setup following to test the Flutter's network security based on the Android document in order to implement Certificate Pinning:
Note that I specified the domain-config for api.somesite.com. So the app should only accept somesite.com certificate.
Note that android:networkSecurityConfig="@xml/network_security_config" is set in the AndroidManifest.xml.
In order to test the pinning certificate, I have two HTTP calls to two endpoints. One is from api.somesite.com and another is a random api.
However, both API endpoints work using the network security setting.
I am not sure what I am doing wrong and why following the Android document for pinning certificate doesn't seem to have any effect on flutter itself.
Any help would be much appreciated.
Take a look at this article: Fix Cleartext Traffic Error in Android 9 Pie
You may have as much domains as you need inside domain-config:
<domain-config cleartextTrafficPermitted="true">
<domain includeSubdomains="true">somesite.com</domain>
<domain includeSubdomains="true">somesite2.com</domain>
</domain-config>
Don't add the domain with the "api." part.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With