Android: trust user-installed CA certs via Network Security Config

[skylord123]

Problem

On Android, PKJS apps that open https/wss connections to a server using a self-signed or private-CA cert fail to connect, even after the user installs and trusts that cert on their device.

Since Android 7.0 (API 24), apps only trust the system CA store by default. The app targets targetSdk = 35 and ships no Network Security Config, so the WebView that runs PKJS (and its WebSocket connections) ignores the user CA store. The cert is trusted by the device but ignored by the app, and there's nothing the user can do on-device to fix it.

This came up with a Home Assistant PKJS app where users self-host with self-signed certs. The WebSocket fails the TLS handshake and closes immediately (abnormal close, 1006).

Fix

Add a Network Security Config that trusts the user store alongside the system store, and reference it from the manifest's <application> tag.

composeApp/src/androidMain/res/xml/network_security_config.xml:

<network-security-config>
    <base-config>
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />
        </trust-anchors>
    </base-config>
</network-security-config>

Manifest:

android:networkSecurityConfig="@xml/network_security_config"

iOS already honors user-trusted roots (NSURLSession, once "Full Trust" is enabled), so this brings Android in line.

Notes

• Closes Android: PKJS apps can't connect to servers using user-installed CA / self-signed certs (no Network Security Config) #247

[CLAassistant]

All committers have signed the CLA.