Network Security Quiz

SECURITY › Security

An app targeting API 34 makes a plain http:// request to api.example.com and it fails with a cleartext-not-permitted error. What is the correct fix if the endpoint genuinely must stay HTTP?

Answer: Add a domain-config for that host with cleartextTrafficPermitted="true"

On Android 9+ cleartext is blocked by default; the scoped, recommended fix is a domain-config opting that single domain in with cleartextTrafficPermitted="true". A global flag or SDK downgrade is far broader and discouraged.

What value should the digest of an Android <pin> contain?

Answer: A Base64-encoded SHA-256 digest of the certificate's SPKI

Android pins are a Base64 SHA-256 digest of the SPKI (public key info). Pinning the public key, not the whole cert, lets the certificate be reissued with the same key without breaking the pin.

A team pins only their current leaf certificate's key with no backup. The CA reissues the cert with a new key. What happens?

Answer: Installed apps can't reach that host until an update ships a new pin

With no backup pin matching the new key, the TLS handshake fails the pin check for every already-installed app, breaking connectivity until an updated APK with the new pin is released. This is the core rotation risk of pinning.

Which statement about a raw SSLSocket is correct?

Answer: It encrypts traffic but does not verify the server hostname by default

SSLSocket validates the certificate chain but skips hostname verification, so you must verify the hostname yourself or an attacker with any valid cert could impersonate the host. HttpsURLConnection handles hostname verification for you.

Why is putting a third-party API key in the Android app (even in an encrypted string or native lib) fundamentally insecure?

Answer: The APK can be decompiled or read at runtime, so any secret leaks

Anything shipped in the client can be reverse-engineered or read from memory, so embedded secrets are recoverable. Real secrets must stay on a backend that proxies the call; the client should use short-lived tokens.

You want to trust a self-signed CA so you can intercept and inspect your app's traffic during development, without affecting production users. What is the safest mechanism?

Answer: Add the CA under <debug-overrides>, active only in debuggable builds

A <debug-overrides> trust-anchor is active only in debuggable (non-release) builds and is ignored otherwise, and Play rejects debuggable release builds, so it can't reach production. A trust-all TrustManager or base-config change would weaken the shipped app.

In a network_security_config.xml that has a base-config plus a domain-config for api.example.com, which policy applies to a request to other.example.org?

Answer: The base-config, since other.example.org matches no domain-config

domain-config rules apply only to their matching domains; everything else falls through to base-config, which defines the default policy for unmatched destinations. The most specific matching rule wins when one exists.

An app sets targetSdkVersion to 27 and ships no network_security_config.xml. It makes a plain http:// request. What happens?

Answer: The request succeeds, because cleartext is allowed by default for API 27 and below

The cleartext-blocked-by-default behavior kicks in for apps targeting API 28+. Apps targeting 27 or lower still permit cleartext by default, since the default is governed by targetSdk rather than the device's OS version.

What is the effect of setting an expiration date on a <pin-set>, and its main security tradeoff?

Answer: After expiry, pinning stops for the domain; an attacker past the date bypasses it

Once the expiration passes, pin enforcement is dropped for that domain, which keeps un-updated apps from losing connectivity but means an attacker who can outlast (or roll the device clock past) the date escapes pinning.

A domain-config declares <domain includeSubdomains="true">example.com</domain>. To which hosts does this configuration apply?

Answer: example.com and all of its subdomains, like api.example.com

includeSubdomains="true" extends the rule to the named domain and everything below it; without the attribute, the rule matches only the exact host listed.

Even over a correctly configured HTTPS/TLS connection, what can a passive network observer still typically determine?

Answer: The destination host via SNI and DNS, plus traffic size and timing

TLS encrypts the request and response contents, including the path, headers, and body, but the destination IP, the SNI server name, DNS lookups, and packet sizes/timing remain visible as metadata.

Besides the declarative <pin-set> in network_security_config.xml, how can an app enforce certificate pinning at runtime with OkHttp?

Answer: By adding a CertificatePinner to OkHttpClient with host SPKI SHA-256 pins

OkHttp exposes CertificatePinner, where you register a hostname plus one or more sha256/ SPKI pins that it enforces during the TLS handshake, serving as a programmatic alternative or complement to the XML pin-set.

To make certificate rotation less likely to break already-installed apps, pinning is often done against which certificate in the chain?

Answer: An intermediate or root CA public key, which stays stable across renewals

Leaf certificates are reissued frequently, so pinning the more stable intermediate/root CA public key (still an SPKI SHA-256 digest) survives routine leaf renewals; the tradeoff is widening trust to anything that CA signs.

By default, which trust anchors does an app targeting API 24 (Android 7.0) or higher use to validate TLS server certificates?

Answer: Only the preinstalled system CA store; user CAs are ignored

Since Android 7.0, apps trust only the system CA store by default and ignore user-installed CAs unless the network security config explicitly opts in (for example trust-anchors with src="user"), which protects users from rogue or coerced CA installs.

Back to Network Security