Android & iOS Certificate Pinning

[benjamin-luescher]

Android and iOS have a very simple setup for certificate pinning as described here:

• https://developer.android.com/privacy-and-security/security-config#CertificatePinning
• https://developer.apple.com/news/?id=g9ejcf8y

I would like to use this setup to only enable certificate pinning for certain domains. See network_security_config.xml below:

<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
  <base-config cleartextTrafficPermitted="false"/>
  <domain-config>
    <domain includeSubdomains="true">mydomain.com</domain>
    <pin-set expiration="2024-04-27">
      <!-- my certificate hash -->
      <pin digest="SHA-256">................</pin>
      <!-- my certificate backup hash -->
      <pin digest="SHA-256">................</pin>
    </pin-set>
  </domain-config>
</network-security-config>

With this setup I do only want to have a certificate pinning for "mydomain.com".
In your setup I found a certificate pinning which requires all certificates of every domain that is called from the app. A setup like above doesn't work, right?
In a first step I also tried to have this XML additionally to this plugin - but it seems like this plugin overrides my XML and doesn't care about my settings.

Any help? Thanks a lot!