Flutter HTTPS calls fail on older Android, only works if I bypass SSL certificate check

[akhil-ge0rge]

I'm building a Flutter app and HTTPS API calls fail only on older Android phones(Android 7 and below).
On modern devices everything works.
If I bypass certificate validation like this:

class MyHttpOverrides extends HttpOverrides {
  @override
  HttpClient createHttpClient(SecurityContext? context) {
    return super.createHttpClient(context)
      ..badCertificateCallback =
          (X509Certificate cert, String host, int port) => true;
  }
}

void main() {
  HttpOverrides.global = MyHttpOverrides();
  runApp(const MyApp());
}

With this override enabled, API requests work even on old devices.

Why do old Android devices reject the HTTPS request?

Is the issue caused by:

• backend certificate configuration
• dio
• or something with Flutter?

What is the correct fix?

[AlexV525]

IIRC, if you are running on versions older than Android 8, there are some new root certificates missing from those old systems. One thing you can try is injecting those certs by overriding the configuration HttpOverrides.

The override sample I've wrote before: https://gist.github.com/AlexV525/352a8199716d2fa830a9ee5d8ab3aafe

[akhil-ge0rge]

Thank you, @AlexV525 .

Does this introduce any security concerns?

[AlexV525]

It should be fine if you only import those root certificates, also you may need to check if there are any certs have been deprecated or updated. Better ask for advices from LLMs. :)