After spinning up Android 9, 10 and 11 instances with SDK versions 28, 29 and 30 in Android Studio , and checking the result of Chrome in those same versions of Android, we’re fairly confident this is an instance of a TLS misconfiguration per the ticket cited above.
To confirm this we see Failed to validate the certificate chain in the log files of the APK:
X509Util org...webapp.mobile.moh_kenya_echis I Failed to validate the certificate chain, error: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
9082-9151 chromium org...webapp.mobile.moh_kenya_echis E [ERROR:ssl_client_socket_impl.cc(946)] handshake failed; returned -1, SSL error code 1, net_error -202
Further confirmation is from running Chrome on the same Android device which shows:
NET::ERR_CERT_AUTHORITY_INVALID
This server could not prove that it is nairobi-echis.health.go.ke; its security certificate is not trusted by your device's operating system. This may be caused by a misconfiguration or an attacker intercepting your connection.
Finally, using sslchecker.com and having it scan nairobi-echis.health.go.ke, shows a number of chain certificates missing.
As this is an emSign cert, to fix this:
- Download the certificate
- Upload the cert to the nginx server
- configure nginx to use the cert
Best of luck and post back any further questions!