// the find
commonsguy/cwac-netsecurity
CWAC-NetSecurity: Simplifying Secure Internet Access
A backport of Android's Network Security Configuration XML format to pre-API-24 devices, plus OkHttp integration for certificate pinning and trust manager composition. Discontinued in 2019 — the README says so upfront and points you elsewhere.
- The author is honest about discontinuation immediately in the README, with concrete alternatives listed — no zombie project pretending to be alive
- The test suite is genuinely thorough: separate test classes for HURL and OkHttp3, covering self-signed certs, debug/release build variants, pin expiry, cleartext blocking, and redirect handling
- TrustManagerBuilder offers a composable API for combining trust managers (deny-all, system, custom CAs) that was genuinely useful before Android 7 made NSC a platform feature
- Dead since 2019 — last push was 7 years ago, no releases, and the problem it solved is now handled natively by Android 7+ (API 24) which has near-universal adoption today
- OkHttp's built-in CertificatePinner is the right tool for pinning now; this library's OkHttp integration adds a dependency for something you get for free
- The memorization/TOFU (trust-on-first-use) feature has no documented threat model — storing certs on first connection is only useful against a narrow class of attacks and the docs don't explain when you'd actually want it over pinning