To customize their network security settings in a safe, declarative configuration file without modifying app code, applications can use the Network Security Configuration that Android provides for versions 7.0 and above.

• OWASP : Network Security Configuration
• Android : Network Security Configuration

The Network Security Configuration can also be used to pin declarative certificates to specific domains. If an application uses this feature, two things should be checked to identify the defined configuration:

First, find the Network Security Configuration file in the Android application manifest via the android:networkSecurityConfig attribute on the application tag.

Using a decompiler (e.g. jadx or apktool) we will be able to confirm if the entry is present in the network_security_config.xml file located in the /res/xml/ folder.

Your task is to intercept HTTPS traffic and get the flag. you can verify your flag at http://ctf.hpandro.raviramesh.info