PTKD Mobile App Security
high · M5 · MASVS-NETWORK-2 · static analysis · PTKD-NET-USERCA

Network config trusts user-installed CAs

The app's network_security_config.xml adds <certificates src="user"/> as a trust anchor, so any CA the device user installs (or is tricked into installing) is trusted by the app, a classic MITM/interception foothold. This opts out of the platform default: since Android 7.0 (API 24) apps trust only the system CA store unless their config says otherwise.

How it's exploited

A user is tricked into installing a "VPN profile" or corporate certificate. Because the app trusts user-installed CAs, that certificate lets an interception proxy decrypt and rewrite all of the app's TLS traffic.

Why it matters

Full TLS interception: credentials, tokens, and personal data exposed to whoever controls the installed CA.

How to fix it

  1. Remove <certificates src="user"/> from the production trust anchors.
  2. Trust only the system store in release builds; keep user CAs inside <debug-overrides> if QA needs a proxy (those overrides apply only when the manifest sets android:debuggable="true", so they never reach a release build).
  3. Add certificate pinning for your API domains where rotation is under your control.
Trust anchors: system only in release (complete network_security_config.xml)
<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
  <!-- Release builds: only the platform CA store is trusted -->
  <base-config>
    <trust-anchors><certificates src="system"/></trust-anchors>
  </base-config>
  <!-- Debuggable builds only: lets QA route traffic through a proxy -->
  <debug-overrides>
    <trust-anchors><certificates src="user"/></trust-anchors>
  </debug-overrides>
</network-security-config>
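An added example of the static check behind this finding, written here for illustration and not PTKD's own code: it parses a network_security_config.xml and reports every user trust anchor that applies to release builds (inside <base-config> or a <domain-config>) while ignoring the ones under <debug-overrides>. The two sample configs are constructed.

```python
# Added example (not PTKD's own code): a minimal static check for the
# PTKD-NET-USERCA finding. It parses an Android network_security_config.xml
# and reports every <certificates src="user"/> trust anchor that applies to
# release builds, i.e. one sitting in <base-config> or a <domain-config>
# rather than inside <debug-overrides>.
import xml.etree.ElementTree as ET

RELEASE_SCOPES = ("base-config", "domain-config")  # apply in release builds


def find_user_trust_anchors(xml_text: str) -> list[str]:
    """Return one label per release-scope 'user' anchor; [] means clean."""
    root = ET.fromstring(xml_text)
    findings = []
    for scope in RELEASE_SCOPES:
        # root.iter() also reaches <domain-config> nested in <domain-config>.
        for cfg in root.iter(scope):
            anchors = cfg.findall("./trust-anchors/certificates")
            if not any(c.get("src") == "user" for c in anchors):
                continue
            domains = [d.text.strip() for d in cfg.findall("domain") if d.text]
            findings.append(f"{scope}[{','.join(domains)}]" if domains else scope)
    return findings


# Constructed sample of the vulnerable shape: user CAs trusted app-wide.
VULNERABLE_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
  <base-config>
    <trust-anchors>
      <certificates src="system"/>
      <certificates src="user"/>
    </trust-anchors>
  </base-config>
</network-security-config>"""

# Constructed sample of the fixed shape: user CAs only under <debug-overrides>.
FIXED_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
  <base-config>
    <trust-anchors><certificates src="system"/></trust-anchors>
  </base-config>
  <debug-overrides>
    <trust-anchors><certificates src="user"/></trust-anchors>
  </debug-overrides>
</network-security-config>"""

if __name__ == "__main__":
    print("vulnerable:", find_user_trust_anchors(VULNERABLE_CONFIG))  # ['base-config']
    print("fixed:", find_user_trust_anchors(FIXED_CONFIG))            # []
```

Run it against an APK's decoded res/xml/network_security_config.xml to reproduce the finding; a non-empty list is what the rule reports.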

References