I'm writing an Android library which is a REST API client to an HTTPS endpoint. This library will be used by apps to abstract access to the REST service.
I'd like to use certificate pinning and cleartext opt-out to keep my traffic secure, but I don't want to stop the consuming app from talking to other services or managing its own security configuration. I'd like to make sure that even if the app is set up wrong and communicates insecurely with other services, all the traffic coming from my library will always be secure. (To be clear: I'm not so much worried about a malicious app trying to read my network traffic. I'm just worried about a badly written app breaking my security policy and accepting bad HTTPS connections, exposing user data from my web service.)
The library is delivered as an AAR. If it makes a difference, I'm using OkHttp3 as my HTTP client. One extra complexity: I need minSdkVersion 21, so to use Network Security Config, I'd have to use CommonsWare's backport anyway.
What's the easiest way for me to set up a network security policy for my library that can't be broken by the app and doesn't affect the app's other traffic?
