finds.dev← search

// the find

commonsguy/cwac-netsecurity

★ 239 · Java · Apache-2.0 · updated Oct 2019

CWAC-NetSecurity: Simplifying Secure Internet Access

A backport of Android's Network Security Configuration XML format to pre-API-24 devices, plus OkHttp integration for certificate pinning and trust manager composition. Discontinued in 2019 — the README says so upfront and points you elsewhere.

- The author is honest about discontinuation immediately in the README, with concrete alternatives listed — no zombie project pretending to be alive

- The test suite is genuinely thorough: separate test classes for HURL and OkHttp3, covering self-signed certs, debug/release build variants, pin expiry, cleartext blocking, and redirect handling

- TrustManagerBuilder offers a composable API for combining trust managers (deny-all, system, custom CAs) that was genuinely useful before Android 7 made NSC a platform feature

- Dead since 2019 — last push was 7 years ago, no releases, and the problem it solved is now handled natively by Android 7+ (API 24) which has near-universal adoption today

- OkHttp's built-in CertificatePinner is the right tool for pinning now; this library's OkHttp integration adds a dependency for something you get for free

- The memorization/TOFU (trust-on-first-use) feature has no documented threat model — storing certs on first connection is only useful against a narrow class of attacks and the docs don't explain when you'd actually want it over pinning

View on GitHub →

// want more like this?

We dig through GitHub every week and send a few repos picked for what you actually care about — each with an honest take like this one.

Get finds in your inbox → Search again →