Client Mobile Android - Default do-not-decrypt Android traffic for versions Nougat and above

  • 19 April 2023
  • 5 replies

Userlevel 4
Badge +11

Hello community, how are you doing.


I am running a test from my Netskope client, Mobile Android version.


When I check the event logs of Page events, the following appears and I don't have any policy that generates bypass at SSL decrypt level or Real time rule.

I'm testing and I don't see it blocking the sites that it does block in a rule with the client on a workstation, but from the Netskope Mobile Client on Android the following appears:


Bypass Reason:
SSL Do Not Decrypt Bypass Policy Matched
Bypass Traffic:
Src Time:
Tue Apr 18 20:22:00 2023
Ssl Decrypt Policy:
User Generated:
Policy Name:
Default do-not-decrypt Android traffic for versions Nougat and above


Are there any restrictions on client installation and use of Mobile Android ? Is there any extra step to do when installing the client on the mobile Android from the invitation ?


The Android version I am using in the test is "11". According to the Netskope site it is supported.



-9 (Pistachio Ice Cream), 10 (Quince Tart), (11 (Red Velvet Cake), 12 (Snow Cone), 13 (Tiramisu)


Thank you for your time and cooperation


Best regards



Best answer by sshiflett 8 May 2023, 15:50

View original

5 replies

Userlevel 4
Badge +11

@rclavero @mzhang

@sshiflett @amurugesan @mkoyfman 


Hello everyone, good afternoon, excuse me for referencing you but please can you support me with the post please.


I remain attentive to your kind comments

Thank you

Best regards

Badge +10

Hi MetgatzNK,

most of the android users are accessing the content using the native android apps. Most of them are cert pinned app applications. Popular domains are consumed from those apps but also from  browsers, so instead of asking the admins to create DnD (Don't decrypt) rules just for cert pinned apps, it's simpler to leverage a general exception for that access method. 

This is the reason you are seeing android client sourced traffic matching a generic DND policy.



Userlevel 4
Badge +11

Hello @rclavero , thank you for your reply.

Yes, I understand what I commented, but at this point, the log that I commented above, this log was not based on any particular application, but simply all queries to websites, through the Android web browser, ie Firefox, Chrome, Brave, native web browser.


Moreover, this rule does not appear in the list of SSL default rules, but if Netskope is applying it, it is a base rule but it does not exist, it was not declared and was not created by us and it applies to websites, not SaaS applications, but to any site of the traditional type to all.


Thank you, I remain attentive

Best regards

Badge +10


as I mentioned before this is something we have configured for you. There's no way to identify if the traffic is being sourced from the native app or the browser. So the traffic needs to be don't decrypted. The policy isn't visible for you because it's applied on the backend. 


Roberto Clavero


Userlevel 6
Badge +16

@MetgatzNK just to add some more context to this.  The default do not decrypt for Android exists as the operating system has restrictions on importing root certificates.  In general you must add a certificate to each app for it to trust a certificate for SSL inspection.  The do not decrypt activates when Android traffic is sent to Netskope on a device where we don't detect the Netskope certificates imported.  You can import the Netskope certificate to an Android device and then we can intercept and inspect traffic from the browser.  Other apps may require additional configuration or will need to be bypassed from SSL inspection via a certificate pinned bypass in the Steering Configuration.  In short, it is possible to inspect traffic from Android devices but requires additional configuration.    I'd suggest reaching out to your local Netskope account team or potentially professional services if this is an enterprise deployment.  Hope this helps and apologies for the delay!