Does this mean that users will no longer be able to MITM most apps on their own phone by installing a custom cert and proxying all requests through another machine?
User-added CAs
Protection of all application data is a key goal of the Android application sandbox. Android Nougat changes how applications interact with user- and admin-supplied CAs. By default, apps that target API level 24 will—by design—not honor such CAs unless the app explicitly opts in. This safe-by-default setting reduces application attack surface and encourages consistent handling of network and file-based application data.
Yep. Now to MitM an app you will have to decompile it, tweak its network security config¹ to allow user CAs, recompile, and reinstall via adb. But if you need to MitM because you are reverse engineering, none of these steps are problematic since you are already doing most of them anyway.
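The opt-in the reply refers to is the app's network security config. As an added example (not from this thread or from Android's documentation verbatim), the following `res/xml/network_security_config.xml` keeps the Nougat default of trusting only system CAs in release builds, while letting a debuggable build trust user-installed CAs so developers can proxy their own app during testing; the file name and the use of `debug-overrides` rather than a global `base-config` opt-in are the assumed, recommended shape, not something the thread prescribes.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Referenced from AndroidManifest.xml on the <application> element:
     android:networkSecurityConfig="@xml/network_security_config" -->
<network-security-config>
    <!-- Release behaviour: identical to the API 24+ default, only the
         system CA store is a trust anchor, so a user-added CA cannot
         intercept this app's TLS traffic. -->
    <base-config>
        <trust-anchors>
            <certificates src="system"/>
        </trust-anchors>
    </base-config>

    <!-- Applied only when android:debuggable="true" (debug builds);
         ignored entirely in release builds, so shipping it does not
         widen the attack surface of the installed app. -->
    <debug-overrides>
        <trust-anchors>
            <certificates src="system"/>
            <!-- Allow CAs the user installed via Settings so a
                 developer can proxy the debug build on their own device. -->
            <certificates src="user"/>
        </trust-anchors>
    </debug-overrides>
</network-security-config>
```

The weak variant to avoid is placing `<certificates src="user"/>` inside `<base-config>`: that re-enables user CAs for every build of the app and is exactly the setting the reply describes an analyst patching in. Keeping the opt-in under `debug-overrides` means a release APK behaves as the Nougat default while the debug APK remains inspectable.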