Fixing Certificate Trust and Security Issues in Ionic Android Apps


Introduction

When developing an Ionic Android app, security is a key concern, especially around authentication and network communication. Security audits and pentest reports regularly flag three things in such apps: weak or missing server-certificate validation, certificates hardcoded into the app bundle, and unclear behaviour on devices managed with Microsoft Intune.

This guide provides a step-by-step approach to fixing these issues, ensuring:

  • The app uses a valid, trusted CA-signed certificate
  • No certificate pinning is required, allowing easy renewal
  • The app remains compliant with Microsoft Intune policies

Let’s dive into the necessary fixes!


1. Use Network Security Configuration (NSC) for Android 7+

Network Security Configuration is available from Android 7.0 (API 24). An app targeting API 24 or later already trusts only the system CA store by default; the NSC file makes that choice explicit, lets you block cleartext HTTP (which is only blocked by default from API 28), and keeps every trust decision in one reviewable file instead of in code. Together with a publicly trusted CA this removes the need for certificate pinning.

How to Fix?

You need to create or update network_security_config.xml in your Android project.

📌 Fix: Update network_security_config.xml

Create a new file at res/xml/network_security_config.xml inside your Android project (for a Capacitor app that is android/app/src/main/res/xml/) and add:

<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <domain-config cleartextTrafficPermitted="false">
        <domain includeSubdomains="true">yourserver.com</domain>
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </domain-config>
</network-security-config>


Then reference it from AndroidManifest.xml (android/app/src/main/AndroidManifest.xml in a Capacitor project):
<?xml version="1.0" encoding="utf-8"?>
<manifest ... >
    <application android:networkSecurityConfig="@xml/network_security_config"
                    ... >
        ...
    </application>
</manifest>

🔹 What does this do?

✔ Trusts only the system CA store for yourserver.com, so any publicly trusted CA (DigiCert, Let's Encrypt, ...) works, while user-installed CAs, including an intercepting proxy's CA, are ignored.
✔ Allows the server certificate to be renewed, even from a different public CA, without rebuilding the app.
✔ Blocks cleartext HTTP to yourserver.com and its subdomains.

Two caveats. A domain-config only covers the domains it lists, so add a base-config with cleartextTrafficPermitted="false" if the app talks to other hosts as well. And the set of roots depends on the OS version: Let's Encrypt's ISRG Root X1, for example, only ships with Android 7.1.1 and later, and the cross-sign that kept it working on older devices expired in 2024, so test on the oldest Android release you still support.


2. Remove Any Hardcoded or Pinned Certificates

Pinning to the server's leaf certificate, or shipping a copy of it inside the app, breaks every time the certificate is renewed: the app then rejects a perfectly valid certificate and needs a store release to recover. Let the app rely on the system CA store instead of manually adding certificates. If an auditor nevertheless insists on pinning, do it declaratively with an NSC <pin-set> that pins the CA's public key and carries a backup pin and an expiration date, never with hand-written validation code; that way renewal stays possible.

📌 Fix: Remove custom SSL handling in the app

If using Angular HttpClient:

Requests run inside the WebView and are validated by the platform's TLS stack, so there is nothing to configure and nothing that JavaScript could override:

this.httpClient.get('https://yourserver.com/api/data').subscribe(response => {
  console.log(response);
});

If using Capacitor HTTP:

The request is made natively, so the NSC above applies to it as well. Do not pass any option that relaxes validation. (@capacitor-community/http is deprecated; Capacitor 5 and later ship the same functionality as CapacitorHttp in @capacitor/core.)

import { Http } from '@capacitor-community/http';

// Plain HTTPS request: certificate and hostname checks are done by Android
// against the system CA store, exactly as the NSC specifies.
const response = await Http.get({ url: 'https://yourserver.com/api/data' });
console.log(response);

✔ Do not manually install certificates in your app bundle.
✔ Use only system-trusted certificates to allow automatic renewal.
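The following is an added example, not code from this post, Ionic or Capacitor, that turns sections 1 and 2 into a repeatable check you can run before handing a build to the pentesters. It parses a Network Security Configuration file and flags cleartext traffic, user-installed or bundled trust anchors, debug overrides and pin-sets without a backup pin or expiry, then scans Java/Kotlin sources for the trust-all TrustManager and HostnameVerifier idioms. The android/app/src/main layout is the Capacitor default; the sample config and Java snippet at the bottom are constructed for the demo.

```python
"""Static audit of an Android/Capacitor project's TLS trust configuration.

Added example for this post; not code from the post, Ionic or Capacitor.
It flags what sections 1 and 2 say to remove: cleartext traffic, user or
bundled trust anchors, debug overrides, pin-sets without a backup pin or
expiry, and trust-all TrustManager / HostnameVerifier idioms in Java or
Kotlin. android/app/src/main is the Capacitor default layout; the sample
inputs at the bottom are constructed for the demo.
"""
import re
import xml.etree.ElementTree as ET
from pathlib import Path

SCOPES = ("base-config", "domain-config", "debug-overrides")


def audit_nsc(xml_text):
    """Return a list of findings for one network_security_config.xml document."""
    findings = []
    for cfg in ET.fromstring(xml_text).iter():
        if cfg.tag not in SCOPES:
            continue
        where = cfg.tag
        if cfg.tag == "domain-config":
            names = [d.text.strip() for d in cfg.findall("domain") if d.text]
            where = f"domain-config({','.join(names)})"
        if cfg.get("cleartextTrafficPermitted", "false").lower() == "true":
            findings.append(f"{where}: cleartext HTTP permitted")
        for cert in cfg.findall("trust-anchors/certificates"):
            src = cert.get("src", "")
            if src == "user":
                findings.append(f"{where}: trusts user-installed CAs (an installed proxy CA can intercept)")
            elif src.startswith("@raw/"):
                findings.append(f"{where}: bundled CA {src} must be re-shipped whenever it rotates")
        if cfg.tag == "debug-overrides":
            findings.append("debug-overrides present: confirm release builds are not debuggable")
        for pin_set in cfg.findall("pin-set"):
            pins = pin_set.findall("pin")
            if len(pins) < 2:
                findings.append(f"{where}: pin-set has {len(pins)} pin(s); a backup pin is required")
            if pin_set.get("expiration") is None:
                findings.append(f"{where}: pin-set has no expiration; a missed rotation locks users out")
    return findings


# Idioms that disable validation in Java/Kotlin; each regex is deliberately narrow.
TRUST_ALL_PATTERNS = (
    (re.compile(r"checkServerTrusted\s*\([^)]*\)[^{;]*\{\s*\}"),
     "empty checkServerTrusted(): every server certificate is accepted"),
    (re.compile(r"getAcceptedIssuers\s*\([^)]*\)[^{;]*\{\s*return\s+(null|new\s+X509Certificate\[0\])"),
     "getAcceptedIssuers() returns nothing: trust-all TrustManager"),
    (re.compile(r"[hH]ostnameVerifier\s*\(\s*(\([^)]*\)|\w+)\s*->\s*true"),
     "HostnameVerifier lambda returning true: hostname check disabled"),
    (re.compile(r"hostnameVerifier\s*\{[^}]*true\s*\}"),
     "Kotlin hostnameVerifier lambda returning true: hostname check disabled"),
    (re.compile(r"ALLOW_ALL_HOSTNAME_VERIFIER|NoopHostnameVerifier"),
     "hostname verification disabled"),
)


def audit_source(text):
    """Return sorted (line, message) findings for one Java or Kotlin source file."""
    found = []
    for pattern, message in TRUST_ALL_PATTERNS:
        for m in pattern.finditer(text):
            found.append((text.count("\n", 0, m.start()) + 1, message))
    return sorted(found)


def audit_project(root):
    """Walk android/app/src/main and collect findings per file (assumed Capacitor layout)."""
    root, report = Path(root), {}
    for xml in root.glob("res/xml/*.xml"):
        text = xml.read_text(encoding="utf-8")
        if "<network-security-config" in text and audit_nsc(text):
            report[str(xml)] = audit_nsc(text)
    for src in list(root.rglob("*.java")) + list(root.rglob("*.kt")):
        hits = [f"line {ln}: {msg}" for ln, msg in audit_source(src.read_text(encoding="utf-8"))]
        if hits:
            report[str(src)] = hits
    return report


# Constructed samples for the demo: a weak config and the classic trust-all Java idiom.
WEAK_NSC = """<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <domain-config cleartextTrafficPermitted="true">
        <domain includeSubdomains="true">yourserver.com</domain>
        <trust-anchors>
            <certificates src="user" />
        </trust-anchors>
        <pin-set>
            <pin digest="SHA-256">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=</pin>
        </pin-set>
    </domain-config>
</network-security-config>
"""
GOOD_NSC = """<network-security-config>
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors><certificates src="system" /></trust-anchors>
    </base-config>
</network-security-config>
"""
TRUST_ALL_JAVA = """\
TrustManager[] trustAll = new TrustManager[]{ new X509TrustManager() {
    public void checkClientTrusted(X509Certificate[] chain, String authType) { }
    public void checkServerTrusted(X509Certificate[] chain, String authType) { }
    public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
}};
HttpsURLConnection.setDefaultHostnameVerifier((hostname, session) -> true);
"""

if __name__ == "__main__":
    for finding in audit_nsc(WEAK_NSC):
        print("NSC:", finding)
    for ln, msg in audit_source(TRUST_ALL_JAVA):
        print(f"Java line {ln}: {msg}")
    print("findings for the clean config:", audit_nsc(GOOD_NSC))
```

Point audit_project at android/app/src/main of the Capacitor project; an empty report plus the NSC from section 1 is the state the audit asked for. The regexes are intentionally narrow, so treat a hit as something to read, not as proof, and a miss as no guarantee.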


3. Check the Microsoft Intune Side (only for Intune-managed deployments)

Intune app protection policies (Apps → App protection policies) govern how the app handles data: PIN or biometric access, encryption at rest, copy/paste and save-as restrictions. They contain no TLS-enforcement or certificate-pinning setting, so nothing there needs to change for a certificate renewal. What to check instead:

📌 Fix: Check Intune device configuration, not app protection

  1. Certificates that Intune pushes with a Trusted certificate profile (Devices → Configuration) land in the device's user trust store, which an app that trusts only src="system" ignores. That is correct for a public CA: nothing has to be deployed. Only a private or enterprise CA would need both the profile and a src="user" trust anchor in the NSC.
  2. After renewal, test the app on an enrolled device. Because the app trusts the system store, a renewed certificate from a public CA works without an app update or a policy change.

This is what keeps the app working across renewals: trust is anchored in the platform, not in a policy or a bundled file.


4. Verify Certificate Trust on the Device

With the configuration above the app trusts only the system CA store. Certificates installed by a user or pushed by an MDM land in the user store and are ignored, which is what you want with a public CA but will fail against a private CA (then you need src="user" or a bundled CA, and you lose free renewal). Two other causes of SSL errors are more common than a missing root: the server not sending its intermediate certificate (Android does not fetch missing intermediates, so the served chain must be complete), and old devices that lack a newer root.

📌 Fix: Test on a real Android device

First confirm that the server sends the full chain and note which root it chains to:

openssl s_client -connect yourserver.com:443 -servername yourserver.com -showcerts </dev/null

Then check that the device ships that root. System roots are stored as files named after the old-style OpenSSL subject hash, in /system/etc/security/cacerts/ and, from Android 14, in /apex/com.android.conscrypt/cacerts/:

openssl x509 -in root.pem -noout -subject_hash_old
adb shell ls /system/etc/security/cacerts/ /apex/com.android.conscrypt/cacerts/

Finally reproduce the failure with the app open:

adb logcat | grep -i -e SSLHandshakeException -e "Trust anchor"

✔ "Trust anchor for certification path not found" means the device does not have the root, or the server omitted an intermediate. Fix the server chain, or for a private CA deploy the CA and add it to the trust-anchors.
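The device check above hinges on knowing the file name Android gives a root: the OpenSSL old-style subject hash, which is the first four bytes of MD5 over the DER-encoded subject Name, read little-endian, followed by ".0". The block below is an added example, not from this post or from Android's tooling, that computes that name from a CA certificate and emits the adb command to look for it. The DER walker is minimal (enough for the standard X.509 layout) and the certificate built at the bottom is constructed, unsigned and not a real CA; for a real root.pem, `openssl x509 -in root.pem -noout -subject_hash_old` gives the same value.

```python
"""Compute the file name Android's system CA store uses for a root CA.

Added example for this post (not from the post or from Android). Android
stores system roots as <subject_hash_old>.0: the first 4 bytes of MD5 over
the DER-encoded subject Name, little-endian, in hex. The DER walker is
minimal; the sample certificate at the bottom is constructed and unsigned.
"""
import base64
import hashlib
import re


def tlv(buf, pos):
    """Read one DER tag and length at pos; return (tag, value_start, value_len)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        return tag, pos + 2, first
    n = first & 0x7F                                   # long form: n length bytes follow
    return tag, pos + 2 + n, int.from_bytes(buf[pos + 2:pos + 2 + n], "big")


def subject_der(cert_der):
    """Return the DER bytes of tbsCertificate.subject, tag and length included."""
    tag, pos, _ = tlv(cert_der, 0)                     # Certificate ::= SEQUENCE
    tag2, pos, _ = tlv(cert_der, pos)                  # tbsCertificate ::= SEQUENCE
    if tag != 0x30 or tag2 != 0x30:
        raise ValueError("not a DER certificate")
    tag, start, length = tlv(cert_der, pos)
    if tag == 0xA0:                                    # [0] EXPLICIT version, optional
        pos = start + length
    for _ in range(4):                                 # serialNumber, signature, issuer, validity
        _, start, length = tlv(cert_der, pos)
        pos = start + length
    tag, start, length = tlv(cert_der, pos)            # subject Name
    if tag != 0x30:
        raise ValueError("subject is not a SEQUENCE")
    return cert_der[pos:start + length]


def name_hash_old(name_der):
    """OpenSSL X509_NAME_hash_old(): MD5 of the raw DER Name, first 4 bytes little-endian."""
    digest = hashlib.md5(name_der, usedforsecurity=False).digest()
    return "%08x" % int.from_bytes(digest[:4], "little")


def android_cacert_name(cert_der):
    return name_hash_old(subject_der(cert_der)) + ".0"


def adb_check_command(cert_der):
    """Shell line that looks for the file in the pre-14 and the Android 14+ (Conscrypt APEX) store."""
    name = android_cacert_name(cert_der)
    return "adb shell ls /system/etc/security/cacerts/%s /apex/com.android.conscrypt/cacerts/%s" % (name, name)


def pem_to_der(pem):
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block")
    return base64.b64decode("".join(m.group(1).split()))


# --- constructed sample (demo/test only): a tiny DER encoder and an unsigned v3 skeleton ---
def der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def name_der(common_name):
    """Name ::= SEQUENCE OF SET OF AttributeTypeAndValue, here a single CN (OID 2.5.4.3)."""
    atv = der(0x30, der(0x06, b"\x55\x04\x03") + der(0x0C, common_name.encode()))
    return der(0x30, der(0x31, atv))


def build_sample_cert(subject_cn, issuer_cn):
    alg = der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + der(0x05, b""))  # sha256WithRSA
    validity = der(0x30, der(0x17, b"240101000000Z") + der(0x17, b"340101000000Z"))
    spki = der(0x30, alg + der(0x03, b"\x00"))        # placeholder key, not a real one
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + alg
              + name_der(issuer_cn) + validity + name_der(subject_cn) + spki)
    return der(0x30, tbs + alg + der(0x03, b"\x00"))  # empty signature: structure only


if __name__ == "__main__":
    cert = build_sample_cert("Example Root CA", "Example Root CA")
    pem = "-----BEGIN CERTIFICATE-----\n" + base64.b64encode(cert).decode() + "\n-----END CERTIFICATE-----\n"
    assert pem_to_der(pem) == cert
    print("store file name:", android_cacert_name(cert))
    print(adb_check_command(cert))
```

For a real root, feed `pem_to_der(open("root.pem").read())` to android_cacert_name and run the printed adb line; if neither path lists the file, the device simply does not ship that root and no app-side change will make a src="system" configuration trust it.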



Final Checklist ✅

✔ Use Network Security Configuration (NSC) with system trust anchors and cleartext disabled ✅
✔ Remove certificate pinning and any custom TrustManager/HostnameVerifier from the app ✅
✔ Confirm the server sends the complete chain (leaf plus intermediates) ✅
✔ Intune: no app protection change needed; only a private CA would need a Trusted certificate profile (Optional, managed workflow) ✅
✔ Test that the device trusts the CA ✅

Following these steps will ensure that your Ionic Android app is secure, compliant, and resilient to certificate renewals. 🚀

Thanks By Naveen
