Tutorial: How to connect from Android emulator to local ASP.NET Core web app

[Eilon]

Background

Hi everyone,

A common scenario for .NET MAUI apps is to have a multi-platform client app that connects to a server, which often runs on ASP.NET Core. One of the challenges today is that Android emulators don't trust the HTTPS SSL certificate used by ASP.NET Core, because ASP.NET Core uses a local development certificate, and causes HTTPS connections to fail.

I decided to make a new attempt at fixing this problem, and comparing it to other existing or experimental solutions.

Exceptions you might be hitting

How do you know if this affects you? Aside from the API calls not working, you'll typically see one of these exception messages in the output window of Visual Studio:

1. javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
2. Hostname 10.0.2.2 not verified

Solution comparison

Here are the solutions I'm aware of:

1. Use HTTP instead of HTTPS, but only during development. This avoid the problem entirely, is free, but requires small changes to the .NET MAUI app and the server app to both use HTTP instead of HTTPS, only at development time. Some changes are being made to the ASP.NET Core templates to make it easier to work with HTTP, but that is not always an option due to auth requirements, or other security matters. However, if it is an option for your app, it is an easy option.
2. Use experimental HTTPS connection helpers in .NET MAUI (see below), which is a small set of classes you can add to your project that make SSL work. This requires minimal changes to only the .NET MAUI app to use the new connection helper during development, but no other changes.
3. Use Visual Studio Port Tunneling, an experimental feature that uses Azure to create a tunnel between the emulator and the target API. This requires no changes to the app itself (it requires a small VS configuration file change in the app), and can work from more than just a local emulator, such as from a physical device anywhere on the internet. There is a preview tier that is free, and in the future there may be additional free and/or paid options.
4. Publish the web app to a remote test server and use a real SSL certificate. This option will work from anywhere, but can be slow (publishing takes time), and has the cost of server resources. Also, this option is not as friendly to multi-developer environments, because each engineer would need their own test server. It is more difficult to debug the API because it is running on a remote server.

Experimental HTTPS connection helpers

While working on a sample app, I developed some helpers that I wanted to share and get feedback on. The helper takes in some basic settings, such as var devSslHelper = new DevHttpsConnectionHelper(sslPort: 7155);, and then offers some helper methods to establish HTTPS connection that work from an Android emulator (in addition to working elsewhere).

Android Emulator calling ASP.NET Core web API

To use the helper to make an HTTPS connection to a local server, such as to call a web API, here's what you would write:

var devSslHelper = new DevHttpsConnectionHelper(sslPort: 7155);
var http = devSslHelper.HttpClient;
var response = await http.GetStringAsync(devSslHelper.DevServerRootUrl + "/webapi/12345");

Android Emulator connecting ASP.NET Core SignalR hub

To use the helper to make a SignalR connection, you would write:

var hubConnection = new HubConnectionBuilder()
#if ANDROID
    .WithUrl(devSslHelper.DevServerRootUrl + "/myhub"
        , configureHttpConnection: o =>
        {
            o.HttpMessageHandlerFactory = m => devSslHelper.GetPlatformMessageHandler();
        }
        )
#else
    .WithUrl(devSslHelper.DevServerRootUrl + "/myhub")
#endif
    .Build();

hubConnection.On<...>("HubApi", ...);

await hubConnection.StartAsync();

How it works

The helper has platform-specific code that configures connections properly to work on each platform (right now only Windows and Android are supported; iOS and MacCatalyst will follow). On Android, the helpers handle certain SSL Certificate checks by indicating that the ASP.NET Core Development Certificate should be trusted, and to allow the HTTPS connection attempt to succeed. Without this logic, the self-signed certificate would be considered untrusted, and the connection would fail.

How to use the connection helpers?

These are experimental helpers, so it involves adding some code to your project. First, copy this code into a new file in your app: https://gist.github.com/Eilon/49e3c5216abfa3eba81e453d45cba2d4

And then use the code seen above to make web API or SignalR connections to your server.

Comparison table

This table summarizes the pros/cons of each approach:

	Use HTTP	DevHttps helper	VS Port Tunnel	Test server
Inner loop while making changes	✔️ Fast	✔️ Fast	✔️ Fast	❌ Slow
Price €$¥	✔️ Free	✔️ Free	✔️ Free (❓ might have paid tiers in the future)	❌ Server cost
Possible to attach debugger	✔️ Yes	✔️ Yes	✔️ Yes	✔️ Yes for client, ♦️ Not trivial for server
Requires changing the app	❌ Yes (client+server)	❌ Yes (client)	✔️ No (only VS settings change)	✔️ No
Works externally (not just local emulator)	❌ No	❌ No	✔️ Yes	✔️ Yes

Other resources

The .NET documentation includes some relevant resources:

• Connect to local web services from iOS simulators and Android emulators
• HttpClient Stack and SSL/TLS Implementation Selector for Android

Feedback

We'd love to hear whether you've run into issues like this and if any of these solutions are interesting to you.

This is a work in progress, so please share your questions, comments, concerns, and any other thoughts on this!

Thank you for reading this,
Eilon

[jfversluis]

I love this idea, thank you Eilon! It was just this week where I had to explain all of this to a junior developer and realized that this is not a straight-forward thing for people that are just starting out. It's time we start making this easier.

A few things from the top of my head:

• It seems like we're still going to make changes to our own code (for instance, making that SignalR connection) and that would have to happen in multiple places depending on how our code is structured. Ideally, if I had a magic wand and not care about how realistic it is, I think I would love to have a one liner, maybe in our Host Builder that does everything needed to either connect through https or maybe just disable the https requirement and we wrap it in #if DEBUG. That way we have a single place to make this easier for people, it can be in the templates and people would just have to add their IP address.
• By adding our own message handler and such, how is that going to work with people having their own custom message handler and requirements in that are? At the same time that probably is a non-issue. People who need that probably know their way around how to handle this whole scenario and the group of people needing this is probably relatively small. Just want to make sure we think about all angles

[Eilon]

• It seems like we're still going to make changes to our own code (for instance, making that SignalR connection) and that would have to happen in multiple places depending on how our code is structured. Ideally, if I had a magic wand and not care about how realistic it is, I think I would love to have a one liner, maybe in our Host Builder that does everything needed to either connect through https or maybe just disable the https requirement and we wrap it in #if DEBUG. That way we have a single place to make this easier for people, it can be in the templates and people would just have to add their IP address.

Right, that's definitely a limitation of the current helper prototype. If at least the concept is interesting, I will try to come up with ways for this to work more seamlessly. I don't think we can fix it 100% for all arbitrary code using any technique like this, because there could be components that hard-code certain things, but, then, they wouldn't work anyway.

• By adding our own message handler and such, how is that going to work with people having their own custom message handler and requirements in that are? At the same time that probably is a non-issue. People who need that probably know their way around how to handle this whole scenario and the group of people needing this is probably relatively small. Just want to make sure we think about all angles

Message handlers can be chained, though my current approach doesn't allow for that, so I'll look into making that possible.

[Eagle3386]

Besides @jfversluis perfect answer (especially his first point), I'd like to add to your 4th solution comparison (remote test server & real TLS certificate) that this fails in all my tests, even with public servers like github.com:

Android Emulator is running with its default image for Android 11 (API level 30), but launching my MAUI app (stripped down to do nothing but send an HTTP GET request to aforementioned domain) fails with a Java.Security.Cert.CertificateException: 'The remote certificate was rejected by the provided RemoteCertificateValidationCallback.' which throws because the callback of your kindly provided gist returns falls.

However, the (almost, see below) real culprit occurs a couple of lines earlier where Xamarin's X509TrustManagerWithValidationCallback catches any JavaCertificateException while executing the internal (i. e. Android?) TrustManager & adds SslPolicyErrors.RemoteCertificateChainErrors:

https://github.com/xamarin/xamarin-android/blob/3d5231ca3a094b85302b5dbd3cc074be37efa2c0/src/Mono.Android/Xamarin.Android.Net/X509TrustManagerWithValidationCallback.cs#L56-L60

Since GitHub doesn't allow cross-repo inline code, here's the relevant excerpt:

try {
  _internalTrustManager?.CheckServerTrusted (javaChain, authType);
} catch (JavaCertificateException) {
  sslPolicyErrors |= SslPolicyErrors.RemoteCertificateChainErrors;
}

As you can see, it does so without adding e. g. the exception's message to ChainStatus which is why I've got zero chance of getting to know the actual, real root cause of that very chain validation failure.
Like I already wrote over at dotnet/runtime#62966, I've got zero clue/indication what I need to change/fix in order to get the validation succeed:

So, please, just for the life of me: what do I need to do to improve your gist's code or something inside my own code that I either see the root cause or better yet, get Android's chain validation to succeed?

[simonrozsival]

@Eagle3386 Thanks for the detailed report. If I understand it correctly then the problem was that the custom validation callback was called with errors != None which you didn't expect and there was no debugging information (e.g., ChainStatus) that would help you diagnose the problem. Maybe we need to revisit how we prepare the parameters for the callback. Feel free to file an issue in xamarin-android.

[Eagle3386]

@simonrozsival 100% correct, plus the callback's chain.ExtraStore property showed 3 certs (CA, intermediate & server's cert) where it should've shown 4 (incl. the wrongly added kestrel.cer as I already explained above).

Regarding your suggestion to file an issue over at xamarin-android, I wonder if that's the optimal place for my issue. Because almost 3 years ago, @buyaa-n seemed to open dotnet/runtime#30522 for ChainStatus & @bartonjs closed it.
And the even longer opened issue mono/mono#6315 additionally links to https://bugzilla.xamarin.com/43/43040/bug.html - which suggests to me that Xamarin is already aware of the issue & filing another issue would just end up as a duplicate.

Please correct me if I'm wrong & I happily file a new issue over at xamarin-android right away! 😎

[Eagle3386]

@AndreduToit

* On Android Emulator (Android 11.0 - API 30) - clicking the button throws exception Hostname 10.0.2.2 not verified.

Any guidance, tips or assistance that you, jfversluis or anyone else can provide would be highly appreciated (tried a lot of things but could not get a result - as you can imagine, it is frustrating).

I'd like to suggest that you add Kestrel's dev cert & create/modify Android\Resources\xml\network_security_config.xml just like I already pointed out above.

You can get Android\Resources\raw\kestrel.cer by going to your Windows' cert store (Win+R -> certmgr.msc -> Enter -> Certificates - Current User -> Personal -> Certificates -> right pane, select the localhost cert whose Display Name states ASP.NET Core HTTPS development certificate) & export it (right click -> All tasks -> Export…) straight into the aforementioned path.

HTH! 😎

[AndreduToit]

@Eagle3386
Thank you so much for your quick response and huge assistance. I totally misunderstood what you already pointed out above - but I get it now - my bad.

I did the following:

• ADD - Android\Resources\raw\kestrel.cer & Android\Resources\xml\network_security_config.xml - as per your guidance
• ADD line - android:networkSecurityConfig ="@xml/network_security_config" - under tags 'manifest/application' in AndroidManifest.xml

I am very sure that you put me on the right track --- but unfortunately, I am still getting exception Hostname 10.0.2.2 not verified.
I tried:

• using 'kestrel.cer' exported from both 'Personal' and 'Trusted Root Certificate Authorities' in both DER encoded and Base-64 encoded formats.
• cleaning and regenerating certificates with command line: 'dotnet dev-certs https --clean' and 'dotnet dev-certs https --trust'

I am sure there is just some small procedure or trick that I am still missing.... do you have any tips?

[Eagle3386]

@AndreduToit Nah, don't mention it - I'm just glad I was of help to you (at least some, because @davidbritch clarified over at dotnet/docs-maui/issues/600 that my mentioned network_security_config.xml approach is only required for HTTP & HTTPS requires his helper class)! 😎

@Eilon Over at the linked MAUI docs issue, the custom handler code also supports iOS, e. g.:

(...)
#elif IOS
  return new NSUrlSessionHandler
  {
    TrustOverrideForUrl = (sender, url, trust) => url.StartsWith("https://localhost")
  };
#elif WINDOWS || MACCATALYST
(...)

Maybe you want to add it to your helper, too? 🤔

[piercarlo62]

Hello Eilon,

Premises:
MAUI Project
.Net6.0 Api Server with Grpc services enabled.

The problem is that with grpc services DevHttpsHelper it is not working.

Some suggestion how setup it ?

Thank You

[Eilon]

Hmm sorry I'm not sure what that error is. It seems different from the various certificate issues, which is what this guide was aimed at. Maybe there's some other limitation with gRPC and Android when using .NET? Tagging @JamesNK in case maybe he knows something about any such limitation.

[JamesNK]

As far as I know, .NET on Android doesn't support ignoring invalid certificates. That was true in .NET 6 and I don't think it's changed for .NET 7.

I don't know DevHttpsConnectionHelper does though. Should it be used here:

var httpHandler = new GrpcWebHandler(GrpcWebMode.GrpcWeb, new HttpClientHandler());

[Eilon]

@JamesNK it does support some certificate behavior, which is what the DevHttpsConnectionHelper type I wrote for Android does. It ignores the self-signed cert "error" when connecting to the host PC's address.

Perhaps the issue here is that we need to correctly chain the handlers, which the helper here doesn't yet do. Probably just a few lines of code to have the "ignore SSL stuff" Android handler chain to the gRPC handler and maybe that's all it needs?

I'm not sure I have time to test that any time soon, but whoever is affected by this can hopefully test it out and report back. Else, if folks can wait, I'd be happy to try it out myself, but that's a few weeks out at least.

[JamesNK]

DevHttpsConnectionHelper isn't being used with gRPC.

Change this:

var httpHandler = new GrpcWebHandler(GrpcWebMode.GrpcWeb, new HttpClientHandler());

To this:

var devSslHelper = new DevHttpsConnectionHelper(sslPort: 7192);
var inner = devSslHelper.GetPlatformMessageHandler();
var httpHandler = new GrpcWebHandler(GrpcWebMode.GrpcWeb, inner);

[piercarlo62]

_ made following changes as per your suggestions,
builder.Services.AddSingleton(services => { var devSslHelper = new DevHttpsConnectionHelper(sslPort: 7192); var inner = devSslHelper.GetPlatformMessageHandler(); var httpHandler = inner is null? new GrpcWebHandler(GrpcWebMode.GrpcWeb, new HttpClientHandler()) : new GrpcWebHandler(GrpcWebMode.GrpcWeb, inner); return GrpcChannel.ForAddress(url, new GrpcChannelOptions { HttpHandler = httpHandler, MaxSendMessageSize = null, MaxReceiveMessageSize = null }); }); _

So in windows works, but in Android the same error reported before.

To answering to Eilon, would be good if you could try by yourself, if you could share a private address I could send to you the link where to download the entire project to test directly on it.

Bye

Piercarlo

[sbwalker]

I would be fine with developing on HTTP locally, as it works well (once you deal with the IIS Express binding issues). However the problem is that in a real world application you often have remote resources such as images, CSS, or JavaScript which are referenced in the component markup (not all resources can realistically be bundled with an app and be served natively on the device). Currently the BlazorWebView starts up on https://0.0.0.0 which means that references to remote resources also need to use https:// or else you get Mixed Content error messages when it attempts to load the resources - which results in a broken experience. So basically in order for local HTTP development to be fully effective, there would need to be a way to startup the BlazorWebView on http:// rather than https:// - or there needs to be a switch for enabling MixedContent (I believe the Xamarin Forms WebView had such a switch).

oqtane/oqtane.framework#2367 (comment)

[Eagle3386]

Nobody should be "fine developing on HTTP" instead of HTTPS in any language, technology or system - ever again!

Besides, who wants to use IIS Express when there's Kestrel available?

[shadowfoxish]

Besides, who wants to use IIS Express when there's Kestrel available?

Why use kestrel when you can just use IIS, and then your dev system is essentially the same as your production servers? Also, you get a win with the devs knowing more about how to configure and work with IIS, which translates into production server management skills.

[sbwalker]

This issue better describes the issue I was referring to with BlazorWebView and resource URLs #10898

[smitha-cgi]

Hi @Eilon

Thanks very much for your documentation of this + your connection helper code - it has resolved almost all of my untrusted certificate issues. The only problem that I have left is around loading images - I have created an image object and have set the Source to https://someip/someimage.jpg and Glide won't load it due to the trust anchor issue (see below). Do you know if there some way to make Glide use a DevHttpsConnectionHelper to get around this problem?

Cheers

Andrew

[Glide] Load failed for https://someip/someimage.jpg with size [394x394]
[Glide] class com.bumptech.glide.load.engine.GlideException: Failed to load resource
[Glide] There was 1 root cause:
[Glide] com.bumptech.glide.load.HttpException(Failed to connect or obtain data, status code: -1)
[Glide]  call GlideException#logRootCauses(String) for more detail
[Glide]   Cause (1 of 2): class com.bumptech.glide.load.engine.GlideException: Fetching data failed, class java.io.InputStream, REMOTE
[Glide] There was 1 root cause:
[Glide] com.bumptech.glide.load.HttpException(Failed to connect or obtain data, status code: -1)
[Glide]  call GlideException#logRootCauses(String) for more detail
[Glide]     Cause (1 of 1): class com.bumptech.glide.load.HttpException: Failed to connect or obtain data, status code: -1
[Glide]   Cause (2 of 2): class com.bumptech.glide.load.engine.GlideException: Failed LoadPath{StringUri->Object->Drawable}, LOCAL
[Glide]     Cause (1 of 2): class com.bumptech.glide.load.engine.GlideException: Failed DecodePath{StringUri->Drawable->Drawable}
[Glide]     Cause (2 of 2): class com.bumptech.glide.load.engine.GlideException: Failed DecodePath{StringUri->Bitmap->BitmapDrawable}
[Glide] Root cause (1 of 1)
[Glide] com.bumptech.glide.load.HttpException: Failed to connect or obtain data, status code: -1
[Glide] 	at com.bumptech.glide.load.data.HttpUrlFetcher.loadDataWithRedirects(HttpUrlFetcher.java:98)
[Glide] 	at com.bumptech.glide.load.data.HttpUrlFetcher.loadData(HttpUrlFetcher.java:58)
[Glide] 	at com.bumptech.glide.load.engine.SourceGenerator.startNextLoad(SourceGenerator.java:95)
[Glide] 	at com.bumptech.glide.load.engine.SourceGenerator.startNext(SourceGenerator.java:88)
[Glide] 	at com.bumptech.glide.load.engine.DecodeJob.runGenerators(DecodeJob.java:311)
[Glide] 	at com.bumptech.glide.load.engine.DecodeJob.runWrapped(DecodeJob.java:280)
[Glide] 	at com.bumptech.glide.load.engine.DecodeJob.run(DecodeJob.java:235)
[Glide] 	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1137)
[Glide] 	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:637)
[Glide] 	at com.bumptech.glide.load.engine.executor.GlideExecutor$DefaultThreadFactory$1.run(GlideExecutor.java:413)
[Glide] 	at java.lang.Thread.run(Thread.java:1012)
[Glide] 	at com.bumptech.glide.load.engine.executor.GlideExecutor$DefaultPriorityThreadFactory$1.run(GlideExecutor.java:372)
[Glide] Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
[Glide] 	at com.android.org.conscrypt.SSLUtils.toSSLHandshakeException(SSLUtils.java:363)
[Glide] 	at com.android.org.conscrypt.ConscryptEngine.convertException(ConscryptEngine.java:1134)
[Glide] 	at com.android.org.conscrypt.ConscryptEngine.readPlaintextData(ConscryptEngine.java:1089)
[Glide] 	at com.android.org.conscrypt.ConscryptEngine.unwrap(ConscryptEngine.java:876)
[Glide] 	at com.android.org.conscrypt.ConscryptEngine.unwrap(ConscryptEngine.java:747)
[Glide] 	at com.android.org.conscrypt.ConscryptEngine.unwrap(ConscryptEngine.java:712)
[Glide] 	at com.android.org.conscrypt.ConscryptEngineSocket$SSLInputStream.processDataFromSocket(ConscryptEngineSocket.java:858)
[Glide] 	at com.android.org.conscrypt.ConscryptEngineSocket$SSLInputStream.-$$Nest$mprocessDataFromSocket(Unknown Source:0)
[Glide] 	at com.android.org.conscrypt.ConscryptEngineSocket.doHandshake(ConscryptEngineSocket.java:241)
[Glide] 	at com.android.org.conscrypt.ConscryptEngineSocket.startHandshake(ConscryptEngineSocket.java:220)
[Glide] 	at com.android.okhttp.internal.io.RealConnection.connectTls(RealConnection.java:196)
[Glide] 	at com.android.okhttp.internal.io.RealConnection.connectSocket(RealConnection.java:153)
[Glide] 	at com.android.okhttp.internal.io.RealConnection.connect(RealConnection.java:116)
[Glide] 	at com.android.okhttp.internal.http.StreamAllocation.findConnection(StreamAllocation.java:186)
[Glide] 	at com.android.okhttp.internal.http.StreamAllocation.findHealthyConnection(StreamAllocation.java:128)
[Glide] 	at com.android.okhttp.internal.http.StreamAllocation.newStream(StreamAllocation.java:97)
[Glide] 	at com.android.okhttp.internal.http.HttpEngine.connect(HttpEngine.java:289)
[Glide] 	at com.android.okhttp.internal.http.HttpEngine.sendRequest(HttpEngine.java:232)
[Glide] 	at com.android.okhttp.internal.huc.HttpURLConnectionImpl.execute(HttpURLConnectionImpl.java:465)
[Glide] 	at com.android.okhttp.internal.huc.HttpURLConnectionImpl.connect(HttpURLConnectionImpl.java:131)
[Glide] 	at com.android.okhttp.internal.huc.DelegatingHttpsURLConnection.connect(DelegatingHttpsURLConnection.java:90)
[Glide] 	at com.android.okhttp.internal.huc.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:30)
[Glide] 	at com.bumptech.glide.load.data.HttpUrlFetcher.loadDataWithRedirects(HttpUrlFetcher.java:93)
[Glide] 	... 11 more

[abdu292]

@smitha-cgi Just was wondering if you got a solution for this. Thank you!

[smitha-cgi]

No, I never did. Had to fall back to using HTTP URLs to get images to work.

[abdu292]

@smitha-cgi Okay. Thanks for the response. I'm using the "dev tunnels" which is working great. The nice thing about "dev tunnels" is you can connect your local host to any external devices including your physical devices that are connected to the same network which I think is awesome!

[abdu292]

@Eilon Thanks a bunch for this tutorial. This is working great with the http client on the maui app. However it still throws an error on Android while loading the images using "Image" control. These images are accessible via local host & ipv4 address. Just was wondering if you have some kind of guidance to get this working.

Also see Andrew's ( @smitha-cgi ) post above. I'm getting exact same error message.

Thank again in advance!

[Weijee]

I am using WebView to show my webpage in my android app like this (the webpage is already published in my local server).

But I always got this error below, for now I don't know how to use the HTTPS connection helpers for a WebView. Anyone can give me some suggestion? Or is it a wrong way to use WebView?

[Weijee]

By the way, I am using NET6 now

[shadowfoxish]

Tricking SSL into being okay with an invalid cert feels to me like a bad option, even in development. Its too easy to accidentally forget its there, or the flag gets set wrong in config and goes out to production or something. Since my production server is only available via HTTPS and my dev one by HTTP, I just made the app "okay" with HTTP traffic. UsesCleartextTraffic allows for insecure HTTP requests to work.

	//Uses clear traffic is required for HTTP development traffic
	[Application(UsesCleartextTraffic = true)]
	public class MainApplication : MauiApplication
	{

[Eilon]

Tricking SSL into being okay with an invalid cert feels to me like a bad option, even in development. Its too easy to accidentally forget its there, or the flag gets set wrong in config and goes out to production or something. Since my production server is only available via HTTPS and my dev one by HTTP, I just made the app "okay" with HTTP traffic. UsesCleartextTraffic allows for insecure HTTP requests to work.

	//Uses clear traffic is required for HTTP development traffic
	[Application(UsesCleartextTraffic = true)]
	public class MainApplication : MauiApplication
	{

You could wrap this in an #if DEBUG to ensure it doesn't make its way to production:

	//Uses clear traffic is required for HTTP development traffic
#if DEBUG
	[Application(UsesCleartextTraffic = true)]
#endif
	public class MainApplication : MauiApplication
	{

Though, this means that you wouldn't be able to test your "release" build against your dev server. But that would mitigate the risk of dev code making its way to production.

[shadowfoxish]

This is a great idea.
I do have a QA server, which connects to the same dev database, but it hosts the API on SSL. I built into the app a way to switch its connection between production, test (qa), and dev. I very much believe in not creating separate builds for testing and production.

[Ghostbird]

I recently ran into an odd issue.

In my app I used a network_security_config.xml to enable user-added CAs on Android to communicate with my local API over TLS.

<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
  <base-config>
    <trust-anchors>
      <certificates src="system" />
      <certificates src="user" />
    </trust-anchors>
  </base-config>
</network-security-config>

I went to release the app and during the Android app review process, I was asked to wrap the trust-anchors tag in debug-overrides conform the Android Network security configuration.

So I did, and the app release went through.

<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
  <base-config>
    <debug-overrides>
      <trust-anchors>
        <certificates src="system" />
        <certificates src="user" />
      </trust-anchors>
    </debug-overrides>
  </base-config>
</network-security-config>

However, when I try to debug the app now, I always get this error: Trust anchor for certification path not found. which is the error I get when <certificates src="user" /> is not present in the network_security_config.xml.

Is there something wrong in the MAUI build process that causes it to not activate the functionality of Android's debug-overrides tag?

[sendtodilip]

This is extermely helpful for me. I have been trying to fix the below issue in MAUI app and nothing helped me.

unexpected end of stream on com.android.okhttp.Address@6585e38b' in android emulator 34 and .net maui

Strangly the below code works for me one solutio but not in the other solution

#if DEBUG
    [Application(UsesCleartextTraffic = true)]
#else
 [Application]
#endif

Thanks you @Eilon

[sendtodilip]

I am still looking for exact solution for this:
unexpected end of stream on com.android.okhttp.Address@6585e38b' in android emulator 34 and .net maui

[Marini88]

Same, did you guys fix it?

[yurkinh]

Here is an updated version for all 4 platforms: ios, android, win, mac

https://gist.github.com/yurkinh/e14a3ea8724e186df5dc7b4b37bb6511

[Eagle3386]

That code doesn't really improve, because you:

• chose to add a whole new if-branch although all platforms except Android do use localhost, hence you could've simply appended IOS || MACCATALYST to the line #if WINDOWS instead
• changed the naming style of member LazyHttpClient to start with an underscore for no reason
• even edited the irrelevant Android branch for CustomAndroidMessageHandler by removal of its usage of the object initialization pattern for no reason, but used exactly that pattern for your addition of the iOS/MacCatalyst branch
• chose to add IsHttpsLocalhost whose method body not only could be written as a simple ternary operator statement upon assignment of TrustOverrideForUrl
• chose to add another dependency, System.Net, because of your arbitrary decision of assigning AutomaticDecompression for the iOS/MacCatalyst branch while the whole helper is meant to be as concise as possible, leaving it to consuming developers if they want to add further tweaks or not

Hence: the only benefit of your code can be simplified to this:

For iOS/MacCatalyst support, please add what was criticized just now & drop everything else from that linked gist

[vpkopylov]

I tried to run a maui app that uses azure mobile apps in an emulator with its backend on a local machine and faced the same issue. This library doesn't allow plain http connections and I couldn't find a way to use connection helpers with it. What worked for me is creating a self-signed cert and configuring the android app and kestrel to use it.
When generating a cert I used IP.1:10.0.2.2 as subjectAltName.
On a server side I added and endpoint with the custom cert to appsettings.Development.json

UPD: DatasyncClient class constructor from azure mobile apps allows to pass options object with custom message handlers set in HttpPipeline prop, adding a handler with logic to bypass a dev cert also works.