2 years ago

#69327


silentsurfer

Is it possible to inline the network security configuration in AndroidManifest.xml using AAPT attributes?

I am building an app in Expo / React Native which, during development, calls a local webservice that uses a self-signed SSL certificate. I managed to add the certificate in my emulator as a user certificate; however, these are not trusted by Android apps by default (when I run the web request using the Axios library inside the app, I get a network error: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.)

In Expo, I can "eject" the project, giving me access to the Android project folder and configuration (but then I lose many of the advantages of the Expo workflow, hence I want to avoid ejecting). After ejecting, I can modify AndroidManifest.xml directly and add new resource files. Following this guide I added <application android:networkSecurityConfig="@xml/network_security_config"... > and res/xml/network_security_config.xml:

<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config cleartextTrafficPermitted="true">
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />
        </trust-anchors>
    </base-config>
</network-security-config>

After rebuilding, I can connect. The problem I have with this approach is that I have to create the XML resource. To avoid ejecting, Expo offers config plugins, which are basically JS functions which modify the manifest before building the native project. I want to avoid creating the resource file from JS, because it adds a dependency on the Android folder structure; it would be great if all I had to touch was the manifest.

I read that it is possible to inline resources using AAPT attributes. I tried adding the aapt NS in the manifest root: <manifest xmlns:android="http://schemas.android.com/apk/res/android" xmlns:aapt="http://schemas.android.com/aapt" ...> and inlining as follows:

<application android:name=".MainApplication" android:label="@string/app_name" android:icon="@mipmap/ic_launcher" android:roundIcon="@mipmap/ic_launcher_round" android:allowBackup="true" android:theme="@style/AppTheme" android:usesCleartextTraffic="true">
    <aapt:attr name="android:networkSecurityConfig">
      <network-security-config>
        <base-config cleartextTrafficPermitted="true">
          <trust-anchors>
            <certificates src="system"/>
            <certificates src="user"/>
          </trust-anchors>
        </base-config>
      </network-security-config>
    </aapt:attr>
    <!-- ... -->

The project builds, but it seems like the inlined policy is ignored. Can anyone spot what I'm doing wrong? Is inlining network security configurations even possible?

android

react-native

ssl

android-emulator

expo
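
An added example (not part of the original question): a small check, written for this page, that lists which settings in a network security configuration like the one posted above also apply to release builds. `<debug-overrides>` entries are skipped because Android only applies them when the app is debuggable; the two sample policies and the `audit` function name are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the policy from the question (XML declaration omitted).
QUESTION_POLICY = """
<network-security-config>
    <base-config cleartextTrafficPermitted="true">
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />
        </trust-anchors>
    </base-config>
</network-security-config>
"""

# Constructed sample: user CAs trusted only while android:debuggable is true.
DEBUG_ONLY_POLICY = """
<network-security-config>
    <debug-overrides>
        <trust-anchors>
            <certificates src="user" />
        </trust-anchors>
    </debug-overrides>
</network-security-config>
"""


def audit(xml_text):
    """Return (scope, issue) pairs for settings that also reach release builds."""
    findings = []

    def visit(node, scope):
        if node.get("cleartextTrafficPermitted") == "true":
            findings.append((scope, "cleartext traffic permitted"))
        for cert in node.findall("./trust-anchors/certificates"):
            if cert.get("src") == "user":
                findings.append((scope, "user-installed CAs trusted"))
        for child in node.findall("domain-config"):  # domain-config may nest
            names = ",".join(d.text.strip() for d in child.findall("domain") if d.text)
            visit(child, f"domain-config[{names}]")

    root = ET.fromstring(xml_text.strip())
    # <debug-overrides> is never visited: it has no effect in non-debuggable builds.
    for base in root.findall("base-config"):
        visit(base, "base-config")
    visit(root, "network-security-config")  # only descends into top-level domain-configs
    return findings
```

Run against the project's own `res/xml/network_security_config.xml` before a release build; an empty list means no cleartext or user-CA trust outside `<debug-overrides>`.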

0 Answers
