Corporate Proxy Integration in Mobile Applications
Corporate mobile applications often operate in environments with mandatory HTTPS proxies such as Zscaler, BlueCoat, Cisco Umbrella or Squid. Users connect through an MDM (Mobile Device Management) profile, which sets the system proxy settings. The application must read and use these settings rather than ignore them; otherwise its traffic is either blocked or bypasses corporate security policy.
How Mobile OS Passes Proxy Settings
Android: system proxy settings are available through ConnectivityManager and LinkProperties. For an HTTP/HTTPS proxy this is a ProxyInfo with host and port fields; for PAC (Proxy Auto-Config) it is the script URL. OkHttp reads the system proxy automatically when OkHttpClient.Builder() is used without an explicit proxy() call: unless overridden, it uses ProxySelector.getDefault().
Problem: ProxySelector works for HTTP/HTTPS, but not for WebSocket (ws://, wss://). During the HTTP upgrade to WebSocket, OkHttp does use the proxy (a CONNECT tunnel), but Proxy-Authorization must be passed separately via an Authenticator.
iOS: URLSessionConfiguration.default automatically picks up the system proxy from Settings, but a URLSession with a custom URLSessionConfiguration or an ephemeral configuration does not. For explicit control, use CFNetworkCopySystemProxySettings() (Core Foundation) or NEProxySettings via the Network Extension API.
NTLM and Kerberos: Corporate Proxy Authentication
The most painful scenario is a proxy that requires NTLM or Kerberos authentication (Integrated Windows Authentication). Standard HTTP libraries on iOS and Android don't support NTLM out of the box.
On Android: OkHttp plus the ntlm-authentication library, or a custom Authenticator that implements the NTLM handshake. NTLM is a three-step protocol: NEGOTIATE → CHALLENGE → AUTHENTICATE. The response to the challenge is computed from the NT password hashes, the username and the domain. Store credentials in AccountManager, not in SharedPreferences.
On iOS: URLSession supports NTLM through a URLAuthenticationChallenge with NSURLAuthenticationMethodNTLM. Implement URLSessionTaskDelegate and return a URLCredential with the username and password. The domain is optional, but some corporate proxies don't accept credentials without it.
Kerberos (Negotiate) on mobile is rare but is found in large enterprises with MS AD. On iOS: GSS-API (available via Heimdal). On Android there is practically no good solution without the NDK and MIT Kerberos.
SSL Inspection: Proxy Certificate Substitution
A corporate HTTPS proxy often acts as a man-in-the-middle: it decrypts TLS traffic, inspects it, and re-encrypts it with its own certificate. The device must trust the corporate CA.
On MDM-managed devices, the corporate CA is installed automatically via the profile. For applications that implement certificate pinning, SSL inspection breaks the pin. Either disable pinning for internal endpoints, or pin at the level of the MDM certificate (verify not the leaf server certificate but the chain up to the trusted corporate CA).
On Android 7+, apps do not trust user-installed CA certificates by default. For corporate applications that trust an MDM-installed CA: use network_security_config.xml with <certificates src="system"/> and an explicit <certificates src="user"/> for development, and only system for production MDM.
PAC Files: When Proxy Isn't One
Proxy Auto-Config (PAC) is a JavaScript function, FindProxyForURL(url, host), that returns a proxy or DIRECT for each URL. Corporate networks use PAC for routing: internal resources go direct, internet traffic goes via the proxy.
On iOS, PAC is handled by the system and URLSession uses the result transparently. On Android: ProxyInfo.buildPacProxy(Uri); the MDM installs it, but processing PAC programmatically inside the application is non-trivial. Custom HTTP clients (OkHttp) need to parse and execute the PAC script themselves, using the pac4j-proxy library or running the JavaScript via JavaScriptEngine.
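An added example (not from the original article or from any library it names) of what a custom client has to do with a PAC file: evaluate FindProxyForURL and turn its answer into an ordered proxy list, refusing to fall back to a direct connection when the answer is unusable. The PAC script, host names, ports and the function names compilePac, parsePacResult and resolveProxies are constructed for illustration.

```javascript
// Constructed sample PAC script; host names and ports are placeholders.
const SAMPLE_PAC = `
function FindProxyForURL(url, host) {
  if (isPlainHostName(host) || dnsDomainIs(host, ".corp.example")) return "DIRECT";
  if (shExpMatch(url, "https://*.partner.example/*")) return "PROXY proxy-b.corp.example:3128";
  return "PROXY proxy-a.corp.example:8080; PROXY proxy-b.corp.example:3128";
}`;

// Minimal versions of three standard PAC helpers; real PAC files may call others.
const helpers = {
  isPlainHostName: (host) => !host.includes("."),
  dnsDomainIs: (host, domain) => host.toLowerCase().endsWith(domain.toLowerCase()),
  shExpMatch: (str, glob) => {
    const re = glob.replace(/[.+^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*").replace(/\?/g, ".");
    return new RegExp(`^${re}$`).test(str);
  },
};

// new Function is NOT a sandbox. PAC text is remote input, so a production
// client should evaluate it in an isolated JavaScript engine instead.
function compilePac(source) {
  const names = Object.keys(helpers);
  const factory = new Function(...names, `${source}\nreturn FindProxyForURL;`);
  return factory(...names.map((n) => helpers[n]));
}

// Turn "PROXY host:port; DIRECT" into an ordered list of candidates.
function parsePacResult(result) {
  const out = [];
  for (const entry of String(result).split(";").map((s) => s.trim()).filter(Boolean)) {
    const [kind, target] = entry.split(/\s+/);
    const m = /^([A-Za-z0-9.-]+):(\d{1,5})$/.exec(target || "");
    if (kind.toUpperCase() === "DIRECT" && !target) {
      out.push({ type: "DIRECT" });
    } else if (kind.toUpperCase() === "PROXY" && m && +m[2] > 0 && +m[2] <= 65535) {
      out.push({ type: "PROXY", host: m[1], port: +m[2] });
    } // other entry types (SOCKS, HTTPS) and malformed entries are skipped here
  }
  // Fail closed: an unusable answer must not silently become a direct connection.
  if (out.length === 0) throw new Error(`unusable PAC result: ${result}`);
  return out;
}

function resolveProxies(pacSource, url) {
  const find = compilePac(pacSource);
  return parsePacResult(find(url, new URL(url).hostname));
}
```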
Integration Process
Start with an audit: which proxy the client uses, which MDM solution (Intune, Jamf, MobileIron), which authentication method, and whether an SSL-inspection bypass is needed. This determines the scope.
Basic integration (HTTP/HTTPS proxy without auth) takes 1 week. NTLM + PAC + SSL inspection bypass takes 3–5 weeks, including testing in the corporate environment.







