removed print statement

trust user-installed certs
remove unused dependency
2026-02-02 02:04:47 -08:00 · 2026-02-02 02:27:14 -05:00 · 2026-02-02 02:24:03 -05:00 · 2026-02-02 02:07:06 -05:00 · 2026-02-02 02:00:32 -05:00 · 2026-02-02 01:53:37 -05:00
31 changed files with 1415 additions and 585 deletions
--- a/docs/docs/administration/postgres-standalone.md
+++ b/docs/docs/administration/postgres-standalone.md
@@ -88,7 +88,7 @@ The easiest option is to have both extensions installed during the migration:
 <details>
 <summary>Migration steps (automatic)</summary>
 1. Ensure you still have pgvecto.rs installed
-2. Install `pgvector` (`>= 0.7.0, < 1.0.0`). The easiest way to do this is on Debian/Ubuntu by adding the [PostgreSQL Apt repository][pg-apt] and then running `apt install postgresql-NN-pgvector`, where `NN` is your Postgres version (e.g., `16`)
+2. Install `pgvector` (`>= 0.7, < 0.9`). The easiest way to do this is on Debian/Ubuntu by adding the [PostgreSQL Apt repository][pg-apt] and then running `apt install postgresql-NN-pgvector`, where `NN` is your Postgres version (e.g., `16`)
 3. [Install VectorChord][vchord-install]
 4. Add `shared_preload_libraries= 'vchord.so, vectors.so'` to your `postgresql.conf`, making sure to include _both_ `vchord.so` and `vectors.so`. You may include other libraries here as well if needed
 5. Restart the Postgres database
--- a/mobile/android/app/src/main/AndroidManifest.xml
+++ b/mobile/android/app/src/main/AndroidManifest.xml
@@ -27,7 +27,8 @@

  <application android:label="Immich" android:name=".ImmichApp" android:usesCleartextTraffic="true"
    android:icon="@mipmap/ic_launcher" android:requestLegacyExternalStorage="true"
-    android:largeHeap="true" android:enableOnBackInvokedCallback="false" android:allowBackup="false">
+    android:largeHeap="true" android:enableOnBackInvokedCallback="false" android:allowBackup="false"
+    android:networkSecurityConfig="@xml/network_security_config">

    <profileable android:shell="true" />

--- a/mobile/android/app/src/main/kotlin/app/alextran/immich/HttpSSLOptionsPlugin.kt
+++ b/mobile/android/app/src/main/kotlin/app/alextran/immich/HttpSSLOptionsPlugin.kt
@@ -1,153 +0,0 @@
-package app.alextran.immich
-
-import android.annotation.SuppressLint
-import android.content.Context
-import app.alextran.immich.core.SSLConfig
-import io.flutter.embedding.engine.plugins.FlutterPlugin
-import io.flutter.plugin.common.BinaryMessenger
-import io.flutter.plugin.common.MethodCall
-import io.flutter.plugin.common.MethodChannel
-import java.io.ByteArrayInputStream
-import java.net.InetSocketAddress
-import java.net.Socket
-import java.security.KeyStore
-import java.security.cert.X509Certificate
-import javax.net.ssl.HostnameVerifier
-import javax.net.ssl.HttpsURLConnection
-import javax.net.ssl.KeyManager
-import javax.net.ssl.KeyManagerFactory
-import javax.net.ssl.SSLContext
-import javax.net.ssl.SSLEngine
-import javax.net.ssl.SSLSession
-import javax.net.ssl.TrustManager
-import javax.net.ssl.TrustManagerFactory
-import javax.net.ssl.X509ExtendedTrustManager
-
-/**
- * Android plugin for Dart `HttpSSLOptions`
- */
-class HttpSSLOptionsPlugin : FlutterPlugin, MethodChannel.MethodCallHandler {
-  private var methodChannel: MethodChannel? = null
-
-  override fun onAttachedToEngine(binding: FlutterPlugin.FlutterPluginBinding) {
-    onAttachedToEngine(binding.applicationContext, binding.binaryMessenger)
-  }
-
-  private fun onAttachedToEngine(ctx: Context, messenger: BinaryMessenger) {
-    methodChannel = MethodChannel(messenger, "immich/httpSSLOptions")
-    methodChannel?.setMethodCallHandler(this)
-  }
-
-  override fun onDetachedFromEngine(binding: FlutterPlugin.FlutterPluginBinding) {
-    onDetachedFromEngine()
-  }
-
-  private fun onDetachedFromEngine() {
-    methodChannel?.setMethodCallHandler(null)
-    methodChannel = null
-  }
-
-  override fun onMethodCall(call: MethodCall, result: MethodChannel.Result) {
-    try {
-      when (call.method) {
-        "apply" -> {
-          val args = call.arguments<ArrayList<*>>()!!
-          val allowSelfSigned = args[0] as Boolean
-          val serverHost = args[1] as? String
-          val clientCertHash = (args[2] as? ByteArray)
-
-          var tm: Array<TrustManager>? = null
-          if (allowSelfSigned) {
-            tm = arrayOf(AllowSelfSignedTrustManager(serverHost))
-          }
-
-          var km: Array<KeyManager>? = null
-          if (clientCertHash != null) {
-            val cert = ByteArrayInputStream(clientCertHash)
-            val password = (args[3] as String).toCharArray()
-            val keyStore = KeyStore.getInstance("PKCS12")
-            keyStore.load(cert, password)
-            val keyManagerFactory =
-              KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm())
-            keyManagerFactory.init(keyStore, null)
-            km = keyManagerFactory.keyManagers
-          }
-
-          // Update shared SSL config for OkHttp and other HTTP clients
-          SSLConfig.apply(km, tm, allowSelfSigned, serverHost, clientCertHash?.contentHashCode() ?: 0)
-
-          val sslContext = SSLContext.getInstance("TLS")
-          sslContext.init(km, tm, null)
-          HttpsURLConnection.setDefaultSSLSocketFactory(sslContext.socketFactory)
-
-          HttpsURLConnection.setDefaultHostnameVerifier(AllowSelfSignedHostnameVerifier(args[1] as? String))
-
-          result.success(true)
-        }
-
-        else -> result.notImplemented()
-      }
-    } catch (e: Throwable) {
-      result.error("error", e.message, null)
-    }
-  }
-
-  @SuppressLint("CustomX509TrustManager")
-  class AllowSelfSignedTrustManager(private val serverHost: String?) : X509ExtendedTrustManager() {
-    private val defaultTrustManager: X509ExtendedTrustManager = getDefaultTrustManager()
-
-    override fun checkClientTrusted(chain: Array<out X509Certificate>?, authType: String?) =
-      defaultTrustManager.checkClientTrusted(chain, authType)
-
-    override fun checkClientTrusted(
-      chain: Array<out X509Certificate>?, authType: String?, socket: Socket?
-    ) = defaultTrustManager.checkClientTrusted(chain, authType, socket)
-
-    override fun checkClientTrusted(
-      chain: Array<out X509Certificate>?, authType: String?, engine: SSLEngine?
-    ) = defaultTrustManager.checkClientTrusted(chain, authType, engine)
-
-    override fun checkServerTrusted(chain: Array<out X509Certificate>?, authType: String?) {
-      if (serverHost == null) return
-      defaultTrustManager.checkServerTrusted(chain, authType)
-    }
-
-    override fun checkServerTrusted(
-      chain: Array<out X509Certificate>?, authType: String?, socket: Socket?
-    ) {
-      if (serverHost == null) return
-      val socketAddress = socket?.remoteSocketAddress
-      if (socketAddress is InetSocketAddress && socketAddress.hostName == serverHost) return
-      defaultTrustManager.checkServerTrusted(chain, authType, socket)
-    }
-
-    override fun checkServerTrusted(
-      chain: Array<out X509Certificate>?, authType: String?, engine: SSLEngine?
-    ) {
-      if (serverHost == null || engine?.peerHost == serverHost) return
-      defaultTrustManager.checkServerTrusted(chain, authType, engine)
-    }
-
-    override fun getAcceptedIssuers(): Array<X509Certificate> = defaultTrustManager.acceptedIssuers
-
-    private fun getDefaultTrustManager(): X509ExtendedTrustManager {
-      val factory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm())
-      factory.init(null as KeyStore?)
-      return factory.trustManagers.filterIsInstance<X509ExtendedTrustManager>().first()
-    }
-  }
-
-  class AllowSelfSignedHostnameVerifier(private val serverHost: String?) : HostnameVerifier {
-    companion object {
-      private val _defaultHostnameVerifier = HttpsURLConnection.getDefaultHostnameVerifier()
-    }
-
-    override fun verify(hostname: String?, session: SSLSession?): Boolean {
-      if (serverHost == null || hostname == serverHost) {
-        return true
-      } else {
-        return _defaultHostnameVerifier.verify(hostname, session)
-      }
-    }
-  }
-}
--- a/mobile/android/app/src/main/kotlin/app/alextran/immich/MainActivity.kt
+++ b/mobile/android/app/src/main/kotlin/app/alextran/immich/MainActivity.kt
@@ -9,7 +9,9 @@ import app.alextran.immich.background.BackgroundWorkerFgHostApi
 import app.alextran.immich.background.BackgroundWorkerLockApi
 import app.alextran.immich.connectivity.ConnectivityApi
 import app.alextran.immich.connectivity.ConnectivityApiImpl
+import app.alextran.immich.core.HttpClientManager
 import app.alextran.immich.core.ImmichPlugin
+import app.alextran.immich.core.NetworkApiPlugin
 import app.alextran.immich.images.LocalImageApi
 import app.alextran.immich.images.LocalImagesImpl
 import app.alextran.immich.images.RemoteImageApi
@@ -28,6 +30,9 @@ class MainActivity : FlutterFragmentActivity() {

  companion object {
    fun registerPlugins(ctx: Context, flutterEngine: FlutterEngine) {
+      HttpClientManager.initialize(ctx)
+      flutterEngine.plugins.add(NetworkApiPlugin())
+
      val messenger = flutterEngine.dartExecutor.binaryMessenger
      val backgroundEngineLockImpl = BackgroundEngineLock(ctx)
      BackgroundWorkerLockApi.setUp(messenger, backgroundEngineLockImpl)
@@ -45,7 +50,6 @@ class MainActivity : FlutterFragmentActivity() {
      ConnectivityApi.setUp(messenger, ConnectivityApiImpl(ctx))

      flutterEngine.plugins.add(BackgroundServicePlugin())
-      flutterEngine.plugins.add(HttpSSLOptionsPlugin())
      flutterEngine.plugins.add(backgroundEngineLockImpl)
      flutterEngine.plugins.add(nativeSyncApiImpl)
    }
--- a/mobile/android/app/src/main/kotlin/app/alextran/immich/core/HttpClientManager.kt
+++ b/mobile/android/app/src/main/kotlin/app/alextran/immich/core/HttpClientManager.kt
@@ -0,0 +1,138 @@
+package app.alextran.immich.core
+
+import android.content.Context
+import app.alextran.immich.BuildConfig
+import okhttp3.Cache
+import okhttp3.ConnectionPool
+import okhttp3.Dispatcher
+import okhttp3.OkHttpClient
+import java.io.ByteArrayInputStream
+import java.io.File
+import java.net.Socket
+import java.security.KeyStore
+import java.security.Principal
+import java.security.PrivateKey
+import java.security.cert.X509Certificate
+import java.util.concurrent.TimeUnit
+import javax.net.ssl.SSLContext
+import javax.net.ssl.TrustManagerFactory
+import javax.net.ssl.X509KeyManager
+import javax.net.ssl.X509TrustManager
+
+const val CERT_ALIAS = "client_cert"
+const val USER_AGENT = "Immich_Android_${BuildConfig.VERSION_NAME}"
+
+/**
+ * Manages a shared OkHttpClient with SSL configuration support.
+ * The client is shared across all Dart isolates and native code.
+ */
+object HttpClientManager {
+  private const val CACHE_SIZE_BYTES = 100L * 1024 * 1024  // 100MiB
+  private const val KEEP_ALIVE_CONNECTIONS = 10
+  private const val KEEP_ALIVE_DURATION_MINUTES = 5L
+  private const val MAX_REQUESTS_PER_HOST = 64
+
+  private var initialized = false
+  private val clientChangedListeners = mutableListOf<() -> Unit>()
+
+  private lateinit var client: OkHttpClient
+
+  private val keyStore =  KeyStore.getInstance("AndroidKeyStore").apply { load(null) }
+
+  val isMtls: Boolean get() = keyStore.containsAlias(CERT_ALIAS)
+
+  fun initialize(context: Context) {
+    if (initialized) return
+    synchronized(this) {
+      if (initialized) return
+
+      val cacheDir = File(File(context.cacheDir, "okhttp"), "api")
+      client = build(cacheDir)
+      initialized = true
+    }
+  }
+
+  fun setKeyEntry(clientData: ByteArray, password: CharArray) {
+    synchronized(this) {
+      val wasMtls = isMtls
+      val tmpKeyStore = KeyStore.getInstance("PKCS12").apply {
+        ByteArrayInputStream(clientData).use { stream -> load(stream, password) }
+      }
+      val tmpAlias = tmpKeyStore.aliases().asSequence().firstOrNull { tmpKeyStore.isKeyEntry(it) }
+        ?: throw IllegalArgumentException("No private key found in PKCS12")
+      val key = tmpKeyStore.getKey(tmpAlias, password)
+      val chain = tmpKeyStore.getCertificateChain(tmpAlias)
+
+      if (wasMtls) {
+        keyStore.deleteEntry(CERT_ALIAS)
+      }
+      keyStore.setKeyEntry(CERT_ALIAS, key, null, chain)
+      if (wasMtls != isMtls) {
+        clientChangedListeners.forEach { it() }
+      }
+    }
+  }
+
+  fun deleteKeyEntry() {
+    synchronized(this) {
+      if (!isMtls) {
+        return
+      }
+
+      keyStore.deleteEntry(CERT_ALIAS)
+      clientChangedListeners.forEach { it() }
+    }
+  }
+
+  @JvmStatic
+  fun getClient(): OkHttpClient {
+    return client
+  }
+
+  fun addClientChangedListener(listener: () -> Unit) {
+    synchronized(this) { clientChangedListeners.add(listener) }
+  }
+
+  private fun build(cacheDir: File): OkHttpClient {
+    val connectionPool = ConnectionPool(
+      maxIdleConnections = KEEP_ALIVE_CONNECTIONS,
+      keepAliveDuration = KEEP_ALIVE_DURATION_MINUTES,
+      timeUnit = TimeUnit.MINUTES
+    )
+
+    val managerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm())
+    managerFactory.init(null as KeyStore?)
+    val trustManager = managerFactory.trustManagers.filterIsInstance<X509TrustManager>().first()
+
+    val sslContext = SSLContext.getInstance("TLS")
+      .apply { init(arrayOf(DynamicKeyManager()), arrayOf(trustManager), null) }
+
+    return OkHttpClient.Builder()
+      .addInterceptor { chain ->
+        chain.proceed(chain.request().newBuilder().header("User-Agent", USER_AGENT).build())
+      }
+      .connectionPool(connectionPool)
+      .dispatcher(Dispatcher().apply { maxRequestsPerHost = MAX_REQUESTS_PER_HOST })
+      .cache(Cache(cacheDir.apply { mkdirs() }, CACHE_SIZE_BYTES))
+      .sslSocketFactory(sslContext.socketFactory, trustManager)
+      .build()
+  }
+
+  // Reads from the key store rather than taking a snapshot at initialization time
+  private class DynamicKeyManager : X509KeyManager {
+    override fun getClientAliases(keyType: String, issuers: Array<Principal>?): Array<String>? =
+      if (isMtls) arrayOf(CERT_ALIAS) else null
+
+    override fun chooseClientAlias(keyTypes: Array<String>, issuers: Array<Principal>?, socket: Socket?): String? =
+      if (isMtls) CERT_ALIAS else null
+
+    override fun getCertificateChain(alias: String): Array<X509Certificate>? =
+      keyStore.getCertificateChain(alias)?.map { it as X509Certificate }?.toTypedArray()
+
+    override fun getPrivateKey(alias: String): PrivateKey? =
+      keyStore.getKey(alias, null) as? PrivateKey
+
+    override fun getServerAliases(keyType: String, issuers: Array<Principal>?): Array<String>? = null
+    override fun chooseServerAlias(keyType: String, issuers: Array<Principal>?, socket: Socket?): String? = null
+  }
+}
--- a/mobile/android/app/src/main/kotlin/app/alextran/immich/core/Network.g.kt
+++ b/mobile/android/app/src/main/kotlin/app/alextran/immich/core/Network.g.kt
@@ -0,0 +1,205 @@
+// Autogenerated from Pigeon (v26.0.2), do not edit directly.
+// See also: https://pub.dev/packages/pigeon
+@file:Suppress("UNCHECKED_CAST", "ArrayInDataClass")
+
+package app.alextran.immich.core
+
+import android.util.Log
+import io.flutter.plugin.common.BasicMessageChannel
+import io.flutter.plugin.common.BinaryMessenger
+import io.flutter.plugin.common.EventChannel
+import io.flutter.plugin.common.MessageCodec
+import io.flutter.plugin.common.StandardMethodCodec
+import io.flutter.plugin.common.StandardMessageCodec
+import java.io.ByteArrayOutputStream
+import java.nio.ByteBuffer
+private object NetworkPigeonUtils {
+
+  fun wrapResult(result: Any?): List<Any?> {
+    return listOf(result)
+  }
+
+  fun wrapError(exception: Throwable): List<Any?> {
+    return if (exception is FlutterError) {
+      listOf(
+        exception.code,
+        exception.message,
+        exception.details
+      )
+    } else {
+      listOf(
+        exception.javaClass.simpleName,
+        exception.toString(),
+        "Cause: " + exception.cause + ", Stacktrace: " + Log.getStackTraceString(exception)
+      )
+    }
+  }
+  fun deepEquals(a: Any?, b: Any?): Boolean {
+    if (a is ByteArray && b is ByteArray) {
+        return a.contentEquals(b)
+    }
+    if (a is IntArray && b is IntArray) {
+        return a.contentEquals(b)
+    }
+    if (a is LongArray && b is LongArray) {
+        return a.contentEquals(b)
+    }
+    if (a is DoubleArray && b is DoubleArray) {
+        return a.contentEquals(b)
+    }
+    if (a is Array<*> && b is Array<*>) {
+      return a.size == b.size &&
+          a.indices.all{ deepEquals(a[it], b[it]) }
+    }
+    if (a is List<*> && b is List<*>) {
+      return a.size == b.size &&
+          a.indices.all{ deepEquals(a[it], b[it]) }
+    }
+    if (a is Map<*, *> && b is Map<*, *>) {
+      return a.size == b.size && a.all {
+          (b as Map<Any?, Any?>).containsKey(it.key) &&
+          deepEquals(it.value, b[it.key])
+      }
+    }
+    return a == b
+  }
+      
+}
+
+/**
+ * Error class for passing custom error details to Flutter via a thrown PlatformException.
+ * @property code The error code.
+ * @property message The error message.
+ * @property details The error details. Must be a datatype supported by the api codec.
+ */
+class FlutterError (
+  val code: String,
+  override val message: String? = null,
+  val details: Any? = null
+) : Throwable()
+
+/** Generated class from Pigeon that represents data sent in messages. */
+data class ClientCertData (
+  val data: ByteArray,
+  val password: String
+)
+ {
+  companion object {
+    fun fromList(pigeonVar_list: List<Any?>): ClientCertData {
+      val data = pigeonVar_list[0] as ByteArray
+      val password = pigeonVar_list[1] as String
+      return ClientCertData(data, password)
+    }
+  }
+  fun toList(): List<Any?> {
+    return listOf(
+      data,
+      password,
+    )
+  }
+  override fun equals(other: Any?): Boolean {
+    if (other !is ClientCertData) {
+      return false
+    }
+    if (this === other) {
+      return true
+    }
+    return NetworkPigeonUtils.deepEquals(toList(), other.toList())  }
+
+  override fun hashCode(): Int = toList().hashCode()
+}
+private open class NetworkPigeonCodec : StandardMessageCodec() {
+  override fun readValueOfType(type: Byte, buffer: ByteBuffer): Any? {
+    return when (type) {
+      129.toByte() -> {
+        return (readValue(buffer) as? List<Any?>)?.let {
+          ClientCertData.fromList(it)
+        }
+      }
+      else -> super.readValueOfType(type, buffer)
+    }
+  }
+  override fun writeValue(stream: ByteArrayOutputStream, value: Any?)   {
+    when (value) {
+      is ClientCertData -> {
+        stream.write(129)
+        writeValue(stream, value.toList())
+      }
+      else -> super.writeValue(stream, value)
+    }
+  }
+}
+
+
+/** Generated interface from Pigeon that represents a handler of messages from Flutter. */
+interface NetworkApi {
+  fun addCertificate(clientData: ClientCertData, callback: (Result<Unit>) -> Unit)
+  fun selectCertificate(callback: (Result<ClientCertData>) -> Unit)
+  fun removeCertificate(callback: (Result<Unit>) -> Unit)
+
+  companion object {
+    /** The codec used by NetworkApi. */
+    val codec: MessageCodec<Any?> by lazy {
+      NetworkPigeonCodec()
+    }
+    /** Sets up an instance of `NetworkApi` to handle messages through the `binaryMessenger`. */
+    @JvmOverloads
+    fun setUp(binaryMessenger: BinaryMessenger, api: NetworkApi?, messageChannelSuffix: String = "") {
+      val separatedMessageChannelSuffix = if (messageChannelSuffix.isNotEmpty()) ".$messageChannelSuffix" else ""
+      run {
+        val channel = BasicMessageChannel<Any?>(binaryMessenger, "dev.flutter.pigeon.immich_mobile.NetworkApi.addCertificate$separatedMessageChannelSuffix", codec)
+        if (api != null) {
+          channel.setMessageHandler { message, reply ->
+            val args = message as List<Any?>
+            val clientDataArg = args[0] as ClientCertData
+            api.addCertificate(clientDataArg) { result: Result<Unit> ->
+              val error = result.exceptionOrNull()
+              if (error != null) {
+                reply.reply(NetworkPigeonUtils.wrapError(error))
+              } else {
+                reply.reply(NetworkPigeonUtils.wrapResult(null))
+              }
+            }
+          }
+        } else {
+          channel.setMessageHandler(null)
+        }
+      }
+      run {
+        val channel = BasicMessageChannel<Any?>(binaryMessenger, "dev.flutter.pigeon.immich_mobile.NetworkApi.selectCertificate$separatedMessageChannelSuffix", codec)
+        if (api != null) {
+          channel.setMessageHandler { _, reply ->
+            api.selectCertificate{ result: Result<ClientCertData> ->
+              val error = result.exceptionOrNull()
+              if (error != null) {
+                reply.reply(NetworkPigeonUtils.wrapError(error))
+              } else {
+                val data = result.getOrNull()
+                reply.reply(NetworkPigeonUtils.wrapResult(data))
+              }
+            }
+          }
+        } else {
+          channel.setMessageHandler(null)
+        }
+      }
+      run {
+        val channel = BasicMessageChannel<Any?>(binaryMessenger, "dev.flutter.pigeon.immich_mobile.NetworkApi.removeCertificate$separatedMessageChannelSuffix", codec)
+        if (api != null) {
+          channel.setMessageHandler { _, reply ->
+            api.removeCertificate{ result: Result<Unit> ->
+              val error = result.exceptionOrNull()
+              if (error != null) {
+                reply.reply(NetworkPigeonUtils.wrapError(error))
+              } else {
+                reply.reply(NetworkPigeonUtils.wrapResult(null))
+              }
+            }
+          }
+        } else {
+          channel.setMessageHandler(null)
+        }
+      }
+    }
+  }
+}
--- a/mobile/android/app/src/main/kotlin/app/alextran/immich/core/NetworkApiPlugin.kt
+++ b/mobile/android/app/src/main/kotlin/app/alextran/immich/core/NetworkApiPlugin.kt
@@ -0,0 +1,135 @@
+package app.alextran.immich.core
+
+import android.app.Activity
+import android.content.Context
+import android.net.Uri
+import android.os.OperationCanceledException
+import androidx.activity.ComponentActivity
+import androidx.activity.result.ActivityResultLauncher
+import androidx.activity.result.contract.ActivityResultContracts
+import io.flutter.embedding.engine.plugins.FlutterPlugin
+import io.flutter.embedding.engine.plugins.activity.ActivityAware
+import io.flutter.embedding.engine.plugins.activity.ActivityPluginBinding
+
+class NetworkApiPlugin : FlutterPlugin, ActivityAware {
+  private var networkApi: NetworkApiImpl? = null
+
+
+  override fun onAttachedToEngine(binding: FlutterPlugin.FlutterPluginBinding) {
+    networkApi = NetworkApiImpl(binding.applicationContext)
+    NetworkApi.setUp(binding.binaryMessenger, networkApi)
+  }
+
+  override fun onDetachedFromEngine(binding: FlutterPlugin.FlutterPluginBinding) {
+    NetworkApi.setUp(binding.binaryMessenger, null)
+    networkApi = null
+  }
+
+  override fun onAttachedToActivity(binding: ActivityPluginBinding) {
+    networkApi?.onAttachedToActivity(binding)
+  }
+
+  override fun onDetachedFromActivityForConfigChanges() {
+    networkApi?.onDetachedFromActivityForConfigChanges()
+  }
+
+  override fun onReattachedToActivityForConfigChanges(binding: ActivityPluginBinding) {
+    networkApi?.onReattachedToActivityForConfigChanges(binding)
+  }
+
+  override fun onDetachedFromActivity() {
+    networkApi?.onDetachedFromActivity()
+  }
+}
+
+private class NetworkApiImpl(private val context: Context) : NetworkApi {
+  private var activity: Activity? = null
+  private var pendingCallback: ((Result<ClientCertData>) -> Unit)? = null
+  private var filePicker: ActivityResultLauncher<Array<String>>? = null
+
+  fun onAttachedToActivity(binding: ActivityPluginBinding) {
+    activity = binding.activity
+    (binding.activity as? ComponentActivity)?.let { componentActivity ->
+      filePicker = componentActivity.registerForActivityResult(
+        ActivityResultContracts.OpenDocument()
+      ) { uri -> uri?.let { handlePickedFile(it) } ?: pendingCallback?.invoke(Result.failure(OperationCanceledException())) }
+    }
+  }
+
+  fun onDetachedFromActivityForConfigChanges() {
+    activity = null
+  }
+
+  fun onReattachedToActivityForConfigChanges(binding: ActivityPluginBinding) {
+    activity = binding.activity
+  }
+
+  fun onDetachedFromActivity() {
+    activity = null
+  }
+
+  override fun addCertificate(clientData: ClientCertData, callback: (Result<Unit>) -> Unit) {
+    try {
+      HttpClientManager.setKeyEntry(clientData.data, clientData.password.toCharArray())
+      callback(Result.success(Unit))
+    } catch (e: Exception) {
+      callback(Result.failure(e))
+    }
+  }
+
+  override fun selectCertificate(callback: (Result<ClientCertData>) -> Unit) {
+    val picker = filePicker ?: return callback(Result.failure(IllegalStateException("No activity")))
+    pendingCallback = callback
+    picker.launch(arrayOf("application/x-pkcs12", "application/x-pem-file"))
+  }
+
+  override fun removeCertificate(callback: (Result<Unit>) -> Unit) {
+    HttpClientManager.deleteKeyEntry()
+    callback(Result.success(Unit))
+  }
+
+  private fun handlePickedFile(uri: Uri) {
+    val callback = pendingCallback ?: return
+    pendingCallback = null
+
+    try {
+      val data = context.contentResolver.openInputStream(uri)?.use { it.readBytes() }
+        ?: throw IllegalStateException("Could not read file")
+
+      val activity = activity ?: throw IllegalStateException("No activity")
+      promptForPassword(activity) { password ->
+        if (password == null) {
+          callback(Result.failure(OperationCanceledException()))
+          return@promptForPassword
+        }
+        try {
+          HttpClientManager.setKeyEntry(data, password.toCharArray())
+          callback(Result.success(ClientCertData(data, password)))
+        } catch (e: Exception) {
+          callback(Result.failure(e))
+        }
+      }
+    } catch (e: Exception) {
+      callback(Result.failure(e))
+    }
+  }
+
+  private fun promptForPassword(activity: Activity, callback: (String?) -> Unit) {
+    val builder = android.app.AlertDialog.Builder(activity)
+      .setTitle("Certificate Password")
+      .setMessage("Enter the password for this certificate")
+
+    val input = android.widget.EditText(activity).apply {
+      inputType = android.text.InputType.TYPE_CLASS_TEXT or android.text.InputType.TYPE_TEXT_VARIATION_PASSWORD
+    }
+
+    builder.setView(input)
+      .setPositiveButton("Import") { _, _ -> callback(input.text.toString()) }
+      .setNegativeButton("Cancel") { dialog, _ ->
+        dialog.cancel()
+        callback(null)
+      }
+      .setOnCancelListener { callback(null) }
+      .show()
+  }
+}
--- a/mobile/android/app/src/main/kotlin/app/alextran/immich/core/SSLConfig.kt
+++ b/mobile/android/app/src/main/kotlin/app/alextran/immich/core/SSLConfig.kt
@@ -1,73 +0,0 @@
-package app.alextran.immich.core
-
-import java.security.KeyStore
-import javax.net.ssl.KeyManager
-import javax.net.ssl.SSLContext
-import javax.net.ssl.SSLSocketFactory
-import javax.net.ssl.TrustManager
-import javax.net.ssl.TrustManagerFactory
-import javax.net.ssl.X509TrustManager
-
-/**
- * Shared SSL configuration for OkHttp and HttpsURLConnection.
- * Stores the SSLSocketFactory and X509TrustManager configured by HttpSSLOptionsPlugin.
- */
-object SSLConfig {
-  var sslSocketFactory: SSLSocketFactory? = null
-    private set
-
-  var trustManager: X509TrustManager? = null
-    private set
-
-  var requiresCustomSSL: Boolean = false
-    private set
-
-  private val listeners = mutableListOf<() -> Unit>()
-  private var configHash: Int = 0
-
-  fun addListener(listener: () -> Unit) {
-    listeners.add(listener)
-  }
-
-  fun apply(
-    keyManagers: Array<KeyManager>?,
-    trustManagers: Array<TrustManager>?,
-    allowSelfSigned: Boolean,
-    serverHost: String?,
-    clientCertHash: Int
-  ) {
-    synchronized(this) {
-      val newHash = computeHash(allowSelfSigned, serverHost, clientCertHash)
-      val newRequiresCustomSSL = allowSelfSigned || keyManagers != null
-      if (newHash == configHash && sslSocketFactory != null && requiresCustomSSL == newRequiresCustomSSL) {
-        return  // Config unchanged, skip
-      }
-
-      val sslContext = SSLContext.getInstance("TLS")
-      sslContext.init(keyManagers, trustManagers, null)
-      sslSocketFactory = sslContext.socketFactory
-      trustManager = trustManagers?.filterIsInstance<X509TrustManager>()?.firstOrNull()
-        ?: getDefaultTrustManager()
-      requiresCustomSSL = newRequiresCustomSSL
-      configHash = newHash
-      notifyListeners()
-    }
-  }
-
-  private fun computeHash(allowSelfSigned: Boolean, serverHost: String?, clientCertHash: Int): Int {
-    var result = allowSelfSigned.hashCode()
-    result = 31 * result + (serverHost?.hashCode() ?: 0)
-    result = 31 * result + clientCertHash
-    return result
-  }
-
-  private fun notifyListeners() {
-    listeners.forEach { it() }
-  }
-
-  private fun getDefaultTrustManager(): X509TrustManager {
-    val factory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm())
-    factory.init(null as KeyStore?)
-    return factory.trustManagers.filterIsInstance<X509TrustManager>().first()
-  }
-}
--- a/mobile/android/app/src/main/kotlin/app/alextran/immich/images/RemoteImagesImpl.kt
+++ b/mobile/android/app/src/main/kotlin/app/alextran/immich/images/RemoteImagesImpl.kt
@@ -3,17 +3,15 @@ package app.alextran.immich.images
 import android.content.Context
 import android.os.CancellationSignal
 import android.os.OperationCanceledException
-import app.alextran.immich.BuildConfig
 import app.alextran.immich.INITIAL_BUFFER_SIZE
 import app.alextran.immich.NativeBuffer
 import app.alextran.immich.NativeByteBuffer
-import app.alextran.immich.core.SSLConfig
+import app.alextran.immich.core.HttpClientManager
+import app.alextran.immich.core.USER_AGENT
 import kotlinx.coroutines.*
 import okhttp3.Cache
 import okhttp3.Call
 import okhttp3.Callback
-import okhttp3.ConnectionPool
-import okhttp3.Dispatcher
 import okhttp3.OkHttpClient
 import okhttp3.Request
 import okhttp3.Response
@@ -33,14 +31,8 @@ import java.nio.file.attribute.BasicFileAttributes
 import java.util.concurrent.ConcurrentHashMap
 import java.util.concurrent.Executors
 import java.util.concurrent.TimeUnit
-import javax.net.ssl.SSLSocketFactory
-import javax.net.ssl.X509TrustManager


-private const val USER_AGENT = "Immich_Android_${BuildConfig.VERSION_NAME}"
-private const val MAX_REQUESTS_PER_HOST = 64
-private const val KEEP_ALIVE_CONNECTIONS = 10
-private const val KEEP_ALIVE_DURATION_MINUTES = 5L
 private const val CACHE_SIZE_BYTES = 1024L * 1024 * 1024

 private class RemoteRequest(val cancellationSignal: CancellationSignal)
@@ -121,7 +113,9 @@ private object ImageFetcherManager {
      appContext = context.applicationContext
      cacheDir = context.cacheDir
      fetcher = build()
-      SSLConfig.addListener(::invalidate)
+      // Listen to SharedHttpClientManager instead of SSLConfig directly.
+      // This ensures the shared client is already rebuilt when we invalidate.
+      HttpClientManager.addClientChangedListener(::invalidate)
      initialized = true
    }
  }
@@ -143,18 +137,14 @@ private object ImageFetcherManager {
  private fun invalidate() {
    synchronized(this) {
      val oldFetcher = fetcher
-      if (oldFetcher is OkHttpImageFetcher && SSLConfig.requiresCustomSSL) {
-        fetcher = oldFetcher.reconfigure(SSLConfig.sslSocketFactory, SSLConfig.trustManager)
-        return
-      }
      fetcher = build()
      oldFetcher.drain()
    }
  }

  private fun build(): ImageFetcher {
-    return if (SSLConfig.requiresCustomSSL) {
-      OkHttpImageFetcher.create(cacheDir, SSLConfig.sslSocketFactory, SSLConfig.trustManager)
+    return if (HttpClientManager.isMtls) {
+      OkHttpImageFetcher.create(cacheDir)
    } else {
      CronetImageFetcher(appContext, cacheDir)
    }
@@ -380,51 +370,17 @@ private class OkHttpImageFetcher private constructor(
  private var draining = false

  companion object {
-    fun create(
-      cacheDir: File,
-      sslSocketFactory: SSLSocketFactory?,
-      trustManager: X509TrustManager?,
-    ): OkHttpImageFetcher {
+    fun create(cacheDir: File): OkHttpImageFetcher {
      val dir = File(cacheDir, "okhttp")
-      val connectionPool = ConnectionPool(
-        maxIdleConnections = KEEP_ALIVE_CONNECTIONS,
-        keepAliveDuration = KEEP_ALIVE_DURATION_MINUTES,
-        timeUnit = TimeUnit.MINUTES
-      )

-      val builder = OkHttpClient.Builder()
-        .addInterceptor { chain ->
-          chain.proceed(
-            chain.request().newBuilder()
-              .header("User-Agent", USER_AGENT)
-              .build()
-          )
-        }
-        .dispatcher(Dispatcher().apply { maxRequestsPerHost = MAX_REQUESTS_PER_HOST })
-        .connectionPool(connectionPool)
+      val client = HttpClientManager.getClient().newBuilder()
        .cache(Cache(File(dir, "thumbnails"), CACHE_SIZE_BYTES))
+        .build()

-      if (sslSocketFactory != null && trustManager != null) {
-        builder.sslSocketFactory(sslSocketFactory, trustManager)
-      }
-
-      return OkHttpImageFetcher(builder.build())
+      return OkHttpImageFetcher(client)
    }
  }

-  fun reconfigure(
-    sslSocketFactory: SSLSocketFactory?,
-    trustManager: X509TrustManager?,
-  ): OkHttpImageFetcher {
-    val builder = client.newBuilder()
-    if (sslSocketFactory != null && trustManager != null) {
-      builder.sslSocketFactory(sslSocketFactory, trustManager)
-    }
-    // Evict idle connections using old SSL config
-    client.connectionPool.evictAll()
-    return OkHttpImageFetcher(builder.build())
-  }
-
  private fun onComplete() {
    val shouldClose = synchronized(stateLock) {
      activeCount--
@@ -512,7 +468,6 @@ private class OkHttpImageFetcher private constructor(
      draining = true
      activeCount == 0
    }
-    client.connectionPool.evictAll()
    if (shouldClose) {
      client.cache?.close()
    }
--- a/mobile/android/app/src/main/res/xml/network_security_config.xml
+++ b/mobile/android/app/src/main/res/xml/network_security_config.xml
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="utf-8"?>
+<network-security-config cleartextTrafficPermitted="true">
+    <base-config>
+        <trust-anchors>
+            <certificates src="system" />
+            <certificates src="user" />
+        </trust-anchors>
+    </base-config>
+</network-security-config>
--- a/mobile/ios/Runner/AppDelegate.swift
+++ b/mobile/ios/Runner/AppDelegate.swift
@@ -15,7 +15,7 @@ import UIKit
  ) -> Bool {
    // Required for flutter_local_notification
    if #available(iOS 10.0, *) {
-      UNUserNotificationCenter.current().delegate = self as? UNUserNotificationCenterDelegate
+      UNUserNotificationCenter.current().delegate = self as UNUserNotificationCenterDelegate
    }

    GeneratedPluginRegistrant.register(with: self)
--- a/mobile/ios/Runner/Core/Network.g.swift
+++ b/mobile/ios/Runner/Core/Network.g.swift
@@ -0,0 +1,240 @@
+// Autogenerated from Pigeon (v26.0.2), do not edit directly.
+// See also: https://pub.dev/packages/pigeon
+
+import Foundation
+
+#if os(iOS)
+  import Flutter
+#elseif os(macOS)
+  import FlutterMacOS
+#else
+  #error("Unsupported platform.")
+#endif
+
+private func wrapResult(_ result: Any?) -> [Any?] {
+  return [result]
+}
+
+private func wrapError(_ error: Any) -> [Any?] {
+  if let pigeonError = error as? PigeonError {
+    return [
+      pigeonError.code,
+      pigeonError.message,
+      pigeonError.details,
+    ]
+  }
+  if let flutterError = error as? FlutterError {
+    return [
+      flutterError.code,
+      flutterError.message,
+      flutterError.details,
+    ]
+  }
+  return [
+    "\(error)",
+    "\(type(of: error))",
+    "Stacktrace: \(Thread.callStackSymbols)",
+  ]
+}
+
+private func isNullish(_ value: Any?) -> Bool {
+  return value is NSNull || value == nil
+}
+
+private func nilOrValue<T>(_ value: Any?) -> T? {
+  if value is NSNull { return nil }
+  return value as! T?
+}
+
+func deepEqualsNetwork(_ lhs: Any?, _ rhs: Any?) -> Bool {
+  let cleanLhs = nilOrValue(lhs) as Any?
+  let cleanRhs = nilOrValue(rhs) as Any?
+  switch (cleanLhs, cleanRhs) {
+  case (nil, nil):
+    return true
+
+  case (nil, _), (_, nil):
+    return false
+
+  case is (Void, Void):
+    return true
+
+  case let (cleanLhsHashable, cleanRhsHashable) as (AnyHashable, AnyHashable):
+    return cleanLhsHashable == cleanRhsHashable
+
+  case let (cleanLhsArray, cleanRhsArray) as ([Any?], [Any?]):
+    guard cleanLhsArray.count == cleanRhsArray.count else { return false }
+    for (index, element) in cleanLhsArray.enumerated() {
+      if !deepEqualsNetwork(element, cleanRhsArray[index]) {
+        return false
+      }
+    }
+    return true
+
+  case let (cleanLhsDictionary, cleanRhsDictionary) as ([AnyHashable: Any?], [AnyHashable: Any?]):
+    guard cleanLhsDictionary.count == cleanRhsDictionary.count else { return false }
+    for (key, cleanLhsValue) in cleanLhsDictionary {
+      guard cleanRhsDictionary.index(forKey: key) != nil else { return false }
+      if !deepEqualsNetwork(cleanLhsValue, cleanRhsDictionary[key]!) {
+        return false
+      }
+    }
+    return true
+
+  default:
+    // Any other type shouldn't be able to be used with pigeon. File an issue if you find this to be untrue.
+    return false
+  }
+}
+
+func deepHashNetwork(value: Any?, hasher: inout Hasher) {
+  if let valueList = value as? [AnyHashable] {
+     for item in valueList { deepHashNetwork(value: item, hasher: &hasher) }
+     return
+  }
+
+  if let valueDict = value as? [AnyHashable: AnyHashable] {
+    for key in valueDict.keys { 
+      hasher.combine(key)
+      deepHashNetwork(value: valueDict[key]!, hasher: &hasher)
+    }
+    return
+  }
+
+  if let hashableValue = value as? AnyHashable {
+    hasher.combine(hashableValue.hashValue)
+  }
+
+  return hasher.combine(String(describing: value))
+}
+
+    
+
+/// Generated class from Pigeon that represents data sent in messages.
+struct ClientCertData: Hashable {
+  var data: FlutterStandardTypedData
+  var password: String
+
+
+  // swift-format-ignore: AlwaysUseLowerCamelCase
+  static func fromList(_ pigeonVar_list: [Any?]) -> ClientCertData? {
+    let data = pigeonVar_list[0] as! FlutterStandardTypedData
+    let password = pigeonVar_list[1] as! String
+
+    return ClientCertData(
+      data: data,
+      password: password
+    )
+  }
+  func toList() -> [Any?] {
+    return [
+      data,
+      password,
+    ]
+  }
+  static func == (lhs: ClientCertData, rhs: ClientCertData) -> Bool {
+    return deepEqualsNetwork(lhs.toList(), rhs.toList())  }
+  func hash(into hasher: inout Hasher) {
+    deepHashNetwork(value: toList(), hasher: &hasher)
+  }
+}
+
+private class NetworkPigeonCodecReader: FlutterStandardReader {
+  override func readValue(ofType type: UInt8) -> Any? {
+    switch type {
+    case 129:
+      return ClientCertData.fromList(self.readValue() as! [Any?])
+    default:
+      return super.readValue(ofType: type)
+    }
+  }
+}
+
+private class NetworkPigeonCodecWriter: FlutterStandardWriter {
+  override func writeValue(_ value: Any) {
+    if let value = value as? ClientCertData {
+      super.writeByte(129)
+      super.writeValue(value.toList())
+    } else {
+      super.writeValue(value)
+    }
+  }
+}
+
+private class NetworkPigeonCodecReaderWriter: FlutterStandardReaderWriter {
+  override func reader(with data: Data) -> FlutterStandardReader {
+    return NetworkPigeonCodecReader(data: data)
+  }
+
+  override func writer(with data: NSMutableData) -> FlutterStandardWriter {
+    return NetworkPigeonCodecWriter(data: data)
+  }
+}
+
+class NetworkPigeonCodec: FlutterStandardMessageCodec, @unchecked Sendable {
+  static let shared = NetworkPigeonCodec(readerWriter: NetworkPigeonCodecReaderWriter())
+}
+
+
+/// Generated protocol from Pigeon that represents a handler of messages from Flutter.
+protocol NetworkApi {
+  func addCertificate(clientData: ClientCertData, completion: @escaping (Result<Void, Error>) -> Void)
+  func selectCertificate(completion: @escaping (Result<ClientCertData, Error>) -> Void)
+  func removeCertificate(completion: @escaping (Result<Void, Error>) -> Void)
+}
+
+/// Generated setup class from Pigeon to handle messages through the `binaryMessenger`.
+class NetworkApiSetup {
+  static var codec: FlutterStandardMessageCodec { NetworkPigeonCodec.shared }
+  /// Sets up an instance of `NetworkApi` to handle messages through the `binaryMessenger`.
+  static func setUp(binaryMessenger: FlutterBinaryMessenger, api: NetworkApi?, messageChannelSuffix: String = "") {
+    let channelSuffix = messageChannelSuffix.count > 0 ? ".\(messageChannelSuffix)" : ""
+    let addCertificateChannel = FlutterBasicMessageChannel(name: "dev.flutter.pigeon.immich_mobile.NetworkApi.addCertificate\(channelSuffix)", binaryMessenger: binaryMessenger, codec: codec)
+    if let api = api {
+      addCertificateChannel.setMessageHandler { message, reply in
+        let args = message as! [Any?]
+        let clientDataArg = args[0] as! ClientCertData
+        api.addCertificate(clientData: clientDataArg) { result in
+          switch result {
+          case .success:
+            reply(wrapResult(nil))
+          case .failure(let error):
+            reply(wrapError(error))
+          }
+        }
+      }
+    } else {
+      addCertificateChannel.setMessageHandler(nil)
+    }
+    let selectCertificateChannel = FlutterBasicMessageChannel(name: "dev.flutter.pigeon.immich_mobile.NetworkApi.selectCertificate\(channelSuffix)", binaryMessenger: binaryMessenger, codec: codec)
+    if let api = api {
+      selectCertificateChannel.setMessageHandler { _, reply in
+        api.selectCertificate { result in
+          switch result {
+          case .success(let res):
+            reply(wrapResult(res))
+          case .failure(let error):
+            reply(wrapError(error))
+          }
+        }
+      }
+    } else {
+      selectCertificateChannel.setMessageHandler(nil)
+    }
+    let removeCertificateChannel = FlutterBasicMessageChannel(name: "dev.flutter.pigeon.immich_mobile.NetworkApi.removeCertificate\(channelSuffix)", binaryMessenger: binaryMessenger, codec: codec)
+    if let api = api {
+      removeCertificateChannel.setMessageHandler { _, reply in
+        api.removeCertificate { result in
+          switch result {
+          case .success:
+            reply(wrapResult(nil))
+          case .failure(let error):
+            reply(wrapError(error))
+          }
+        }
+      }
+    } else {
+      removeCertificateChannel.setMessageHandler(nil)
+    }
+  }
+}
--- a/mobile/ios/Runner/Core/NetworkApiImpl.swift
+++ b/mobile/ios/Runner/Core/NetworkApiImpl.swift
@@ -0,0 +1,157 @@
+import Foundation
+import UniformTypeIdentifiers
+
+enum ImportError: Error {
+  case noFile
+  case noViewController
+  case keychainError(OSStatus)
+  case cancelled
+}
+
+class NetworkApiImpl: NetworkApi {
+  weak var viewController: UIViewController?
+  private var activeImporter: CertImporter?
+  
+  init(viewController: UIViewController?) {
+    self.viewController = viewController
+  }
+  
+  func selectCertificate(completion: @escaping (Result<ClientCertData, any Error>) -> Void) {
+    let importer = CertImporter(completion: { [weak self] result in
+      self?.activeImporter = nil
+      completion(result.map { ClientCertData(data: FlutterStandardTypedData(bytes: $0.0), password: $0.1) })
+    }, viewController: viewController)
+    activeImporter = importer
+    importer.load()
+  }
+  
+  func removeCertificate(completion: @escaping (Result<Void, any Error>) -> Void) {
+    let status = clearCerts()
+    if status == errSecSuccess || status == errSecItemNotFound {
+      return completion(.success(()))
+    }
+    completion(.failure(ImportError.keychainError(status)))
+  }
+  
+  // TODO: remove this method once the app is fully transitioned to native clients
+  func addCertificate(clientData: ClientCertData, completion: @escaping (Result<Void, any Error>) -> Void) {
+    let status = importCert(clientData: clientData.data.data, password: clientData.password)
+    if status == errSecSuccess {
+      return completion(.success(()))
+    }
+    completion(.failure(ImportError.keychainError(status)))
+  }
+}
+
+private class CertImporter: NSObject, UIDocumentPickerDelegate {
+  private var completion: ((Result<(Data, String), Error>) -> Void)
+  private weak var viewController: UIViewController?
+  
+  init(completion: (@escaping (Result<(Data, String), Error>) -> Void), viewController: UIViewController?) {
+    self.completion = completion
+    self.viewController = viewController
+  }
+  
+  func load() {
+    guard let vc = viewController else { return completion(.failure(ImportError.noViewController)) }
+    let picker = UIDocumentPickerViewController(forOpeningContentTypes: [
+      UTType(filenameExtension: "p12")!,
+      UTType(filenameExtension: "pfx")!,
+    ])
+    picker.delegate = self
+    picker.allowsMultipleSelection = false
+    vc.present(picker, animated: true)
+  }
+  
+  func documentPicker(_ controller: UIDocumentPickerViewController, didPickDocumentsAt urls: [URL]) {
+    guard let url = urls.first else {
+      return completion(.failure(ImportError.noFile))
+    }
+    
+    Task { @MainActor in
+      do {
+        let data = try readSecurityScoped(url: url)
+        guard let password = await promptForPassword() else {
+          return completion(.failure(ImportError.cancelled))
+        }
+        let status = importCert(clientData: data, password: password)
+        if status != errSecSuccess {
+          return completion(.failure(ImportError.keychainError(status)))
+        }
+        
+        await URLSessionManager.shared.session.flush()
+        self.completion(.success((data, password)))
+      } catch {
+        completion(.failure(error))
+      }
+    }
+  }
+  
+  func documentPickerWasCancelled(_ controller: UIDocumentPickerViewController) {
+    completion(.failure(ImportError.cancelled))
+  }
+  
+  private func promptForPassword() async -> String? {
+    guard let vc = viewController else { return nil }
+    
+    return await withCheckedContinuation { continuation in
+      let alert = UIAlertController(
+        title: "Certificate Password",
+        message: "Enter the password for this certificate",
+        preferredStyle: .alert
+      )
+      
+      alert.addTextField { $0.isSecureTextEntry = true }
+      
+      alert.addAction(UIAlertAction(title: "Cancel", style: .cancel) { _ in
+        continuation.resume(returning: nil)
+      })
+      
+      alert.addAction(UIAlertAction(title: "Import", style: .default) { _ in
+        continuation.resume(returning: alert.textFields?.first?.text ?? "")
+      })
+      
+      vc.present(alert, animated: true)
+    }
+  }
+  
+  private func readSecurityScoped(url: URL) throws -> Data {
+    guard url.startAccessingSecurityScopedResource() else {
+      throw ImportError.noFile
+    }
+    defer { url.stopAccessingSecurityScopedResource() }
+    return try Data(contentsOf: url)
+  }
+}
+
+private func importCert(clientData: Data, password: String) -> OSStatus {
+  let options = [kSecImportExportPassphrase: password] as CFDictionary
+  var items: CFArray?
+  var status = SecPKCS12Import(clientData as CFData, options, &items)
+  
+  guard status == errSecSuccess,
+        let array = items as? [[String: Any]],
+        let first = array.first,
+        let identity = first[kSecImportItemIdentity as String] else {
+    return status
+  }
+  
+  clearCerts()
+  
+  var addQuery = [
+    kSecClass as String: kSecClassIdentity,
+    kSecValueRef as String: identity,
+    kSecAttrLabel as String: CLIENT_CERT_LABEL,
+    kSecAttrService as String: CLIENT_CERT_SERVICE,
+    kSecAttrAccessible as String: kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly,
+  ]
+  return SecItemAdd(addQuery as CFDictionary, nil)
+}
+
+@discardableResult private func clearCerts() -> OSStatus {
+  let deleteQuery: [String: Any] = [
+    kSecClass as String: kSecClassIdentity,
+    kSecAttrService as String: CLIENT_CERT_SERVICE,
+  ]
+  return SecItemDelete(deleteQuery as CFDictionary)
+}
--- a/mobile/ios/Runner/Core/URLSessionManager.swift
+++ b/mobile/ios/Runner/Core/URLSessionManager.swift
@@ -0,0 +1,88 @@
+import Foundation
+
+let CLIENT_CERT_SERVICE = "app.alextran.immich.mtls"
+let CLIENT_CERT_LABEL = "client_identity"
+
+/// Manages a shared URLSession with SSL configuration support.
+class URLSessionManager: NSObject {
+  static let shared = URLSessionManager()
+  
+  let session: URLSession
+  private let configuration = {
+    let config = URLSessionConfiguration.default
+    
+    let cacheDir = FileManager.default.urls(for: .cachesDirectory, in: .userDomainMask)
+      .first!
+      .appendingPathComponent("api", isDirectory: true)
+    try! FileManager.default.createDirectory(at: cacheDir, withIntermediateDirectories: true)
+    
+    config.urlCache = URLCache(
+      memoryCapacity: 0,
+      diskCapacity: 1024 * 1024 * 1024,
+      directory: cacheDir
+    )
+    
+    config.httpMaximumConnectionsPerHost = 64
+    config.timeoutIntervalForRequest = 60
+    config.timeoutIntervalForResource = 300
+    
+    let version = Bundle.main.object(forInfoDictionaryKey: "CFBundleShortVersionString") as? String ?? "unknown"
+    config.httpAdditionalHeaders = ["User-Agent": "Immich_iOS_\(version)"]
+    
+    return config
+  }()
+  
+  private override init() {
+    session = URLSession(configuration: configuration, delegate: URLSessionManagerDelegate(), delegateQueue: nil)
+    super.init()
+  }
+}
+
+class URLSessionManagerDelegate: NSObject, URLSessionTaskDelegate {
+  func urlSession(
+    _ session: URLSession,
+    didReceive challenge: URLAuthenticationChallenge,
+    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void
+  ) {
+    handleChallenge(challenge, completionHandler: completionHandler)
+  }
+  
+  func urlSession(
+    _ session: URLSession,
+    task: URLSessionTask,
+    didReceive challenge: URLAuthenticationChallenge,
+    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void
+  ) {
+    handleChallenge(challenge, completionHandler: completionHandler)
+  }
+  
+  func handleChallenge(
+    _ challenge: URLAuthenticationChallenge,
+    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void
+  ) {
+    switch challenge.protectionSpace.authenticationMethod {
+    case NSURLAuthenticationMethodClientCertificate: handleClientCertificate(completion: completionHandler)
+    default: completionHandler(.performDefaultHandling, nil)
+    }
+  }
+  
+  private func handleClientCertificate(
+    completion: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void
+  ) {
+    let query: [String: Any] = [
+      kSecClass as String: kSecClassIdentity,
+      kSecAttrLabel as String: CLIENT_CERT_LABEL,
+      kSecReturnRef as String: true,
+    ]
+    
+    var item: CFTypeRef?
+    let status = SecItemCopyMatching(query as CFDictionary, &item)
+    if status == errSecSuccess, let identity = item {
+      let credential = URLCredential(identity: identity as! SecIdentity,
+                                     certificates: nil,
+                                     persistence: .forSession)
+      return completion(.useCredential, credential)
+    }
+    completion(.performDefaultHandling, nil)
+  }
+}
--- a/mobile/ios/Runner/Images/ImageProcessing.swift
+++ b/mobile/ios/Runner/Images/ImageProcessing.swift
@@ -0,0 +1,7 @@
+import Foundation
+
+enum ImageProcessing {
+  static let queue = DispatchQueue(label: "thumbnail.processing", qos: .userInitiated, attributes: .concurrent)
+  static let semaphore = DispatchSemaphore(value: ProcessInfo.processInfo.activeProcessorCount * 2)
+  static let cancelledResult = Result<[String: Int64]?, any Error>.success(nil)
+}
--- a/mobile/ios/Runner/Images/LocalImagesImpl.swift
+++ b/mobile/ios/Runner/Images/LocalImagesImpl.swift
@@ -34,7 +34,6 @@ class LocalImageApiImpl: LocalImageApi {
  private static let assetQueue = DispatchQueue(label: "thumbnail.assets", qos: .userInitiated)
  private static let requestQueue = DispatchQueue(label: "thumbnail.requests", qos: .userInitiated)
  private static let cancelQueue = DispatchQueue(label: "thumbnail.cancellation", qos: .default)
-  private static let processingQueue = DispatchQueue(label: "thumbnail.processing", qos: .userInteractive, attributes: .concurrent)
  
  private static var rgbaFormat = vImage_CGImageFormat(
    bitsPerComponent: 8,
@@ -44,8 +43,6 @@ class LocalImageApiImpl: LocalImageApi {
    renderingIntent: .defaultIntent
  )!
  private static var requests = [Int64: LocalImageRequest]()
-  private static let cancelledResult = Result<[String: Int64]?, any Error>.success(nil)
-  private static let concurrencySemaphore = DispatchSemaphore(value: ProcessInfo.processInfo.activeProcessorCount * 2)
  private static let assetCache = {
    let assetCache = NSCache<NSString, PHAsset>()
    assetCache.countLimit = 10000
@@ -53,7 +50,7 @@ class LocalImageApiImpl: LocalImageApi {
  }()
  
  func getThumbhash(thumbhash: String, completion: @escaping (Result<[String : Int64], any Error>) -> Void) {
-    Self.processingQueue.async {
+    ImageProcessing.queue.async {
      guard let data = Data(base64Encoded: thumbhash)
      else { return completion(.failure(PigeonError(code: "", message: "Invalid base64 string: \(thumbhash)", details: nil)))}
      
@@ -71,16 +68,16 @@ class LocalImageApiImpl: LocalImageApi {
    let request = LocalImageRequest(callback: completion)
    let item = DispatchWorkItem {
      if request.isCancelled {
-        return completion(Self.cancelledResult)
+        return completion(ImageProcessing.cancelledResult)
      }
      
-      Self.concurrencySemaphore.wait()
+      ImageProcessing.semaphore.wait()
      defer {
-        Self.concurrencySemaphore.signal()
+        ImageProcessing.semaphore.signal()
      }
      
      if request.isCancelled {
-        return completion(Self.cancelledResult)
+        return completion(ImageProcessing.cancelledResult)
      }
      
      guard let asset = Self.requestAsset(assetId: assetId)
@@ -91,7 +88,7 @@ class LocalImageApiImpl: LocalImageApi {
      }
      
      if request.isCancelled {
-        return completion(Self.cancelledResult)
+        return completion(ImageProcessing.cancelledResult)
      }
      
      var image: UIImage?
@@ -116,7 +113,7 @@ class LocalImageApiImpl: LocalImageApi {
      }
      
      if request.isCancelled {
-        return completion(Self.cancelledResult)
+        return completion(ImageProcessing.cancelledResult)
      }
      
      do {
@@ -124,7 +121,7 @@ class LocalImageApiImpl: LocalImageApi {
        
        if request.isCancelled {
          buffer.free()
-          return completion(Self.cancelledResult)
+          return completion(ImageProcessing.cancelledResult)
        }
        
        request.callback(.success([
@@ -133,7 +130,6 @@ class LocalImageApiImpl: LocalImageApi {
          "height": Int64(buffer.height),
          "rowBytes": Int64(buffer.rowBytes)
        ]))
-        print("Successful response for \(requestId)")
        Self.remove(requestId: requestId)
      } catch {
        Self.remove(requestId: requestId)
@@ -143,7 +139,7 @@ class LocalImageApiImpl: LocalImageApi {
    
    request.workItem = item
    Self.add(requestId: requestId, request: request)
-    Self.processingQueue.async(execute: item)
+    ImageProcessing.queue.async(execute: item)
  }
  
  func cancelRequest(requestId: Int64) {
@@ -164,7 +160,7 @@ class LocalImageApiImpl: LocalImageApi {
      request.isCancelled = true
      guard let item = request.workItem else { return }
      if item.isCancelled {
-        cancelQueue.async { request.callback(Self.cancelledResult) }
+        cancelQueue.async { request.callback(ImageProcessing.cancelledResult) }
      }
    }
  }
--- a/mobile/ios/Runner/Images/RemoteImagesImpl.swift
+++ b/mobile/ios/Runner/Images/RemoteImagesImpl.swift
@@ -7,64 +7,18 @@ class RemoteImageRequest {
  weak var task: URLSessionDataTask?
  let id: Int64
  var isCancelled = false
-  var data: CFMutableData?
  let completion: (Result<[String: Int64]?, any Error>) -> Void
-  
+
  init(id: Int64, task: URLSessionDataTask, completion: @escaping (Result<[String: Int64]?, any Error>) -> Void) {
    self.id = id
    self.task = task
-    self.data = nil
    self.completion = completion
  }
 }

 class RemoteImageApiImpl: NSObject, RemoteImageApi {
-  private static let delegate = RemoteImageApiDelegate()
-  static let session = {
-    let cacheDir = FileManager.default.temporaryDirectory.appendingPathComponent("thumbnails", isDirectory: true)
-    let config = URLSessionConfiguration.default
-    config.requestCachePolicy = .returnCacheDataElseLoad
-    let version = Bundle.main.object(forInfoDictionaryKey: "CFBundleShortVersionString") as? String ?? "unknown"
-    config.httpAdditionalHeaders = ["User-Agent": "Immich_iOS_\(version)"]
-    try! FileManager.default.createDirectory(at: cacheDir, withIntermediateDirectories: true)
-    config.urlCache = URLCache(
-      memoryCapacity: 0,
-      diskCapacity: 1 << 30,
-      directory: cacheDir
-    )
-    config.httpMaximumConnectionsPerHost = 64
-    return URLSession(configuration: config, delegate: delegate, delegateQueue: nil)
-  }()
-  
-  func requestImage(url: String, headers: [String : String], requestId: Int64, completion: @escaping (Result<[String : Int64]?, any Error>) -> Void) {
-    var urlRequest = URLRequest(url: URL(string: url)!)
-    for (key, value) in headers {
-      urlRequest.setValue(value, forHTTPHeaderField: key)
-    }
-    let task = Self.session.dataTask(with: urlRequest)
-    
-    let imageRequest = RemoteImageRequest(id: requestId, task: task, completion: completion)
-    Self.delegate.add(taskId: task.taskIdentifier, request: imageRequest)
-    
-    task.resume()
-  }
-  
-  func cancelRequest(requestId: Int64) {
-    Self.delegate.cancel(requestId: requestId)
-  }
-  
-  func clearCache(completion: @escaping (Result<Int64, any Error>) -> Void) {
-    Task {
-      let cache = Self.session.configuration.urlCache!
-      let cacheSize = Int64(cache.currentDiskUsage)
-      cache.removeAllCachedResponses()
-      completion(.success(cacheSize))
-    }
-  }
-}
-
-class RemoteImageApiDelegate: NSObject, URLSessionDataDelegate {
-  private static let requestQueue = DispatchQueue(label: "thumbnail.requests", qos: .userInitiated, attributes: .concurrent)
+  private static var lock = os_unfair_lock()
+  private static var requests = [Int64: RemoteImageRequest]()
  private static var rgbaFormat = vImage_CGImageFormat(
    bitsPerComponent: 8,
    bitsPerPixel: 32,
@@ -72,115 +26,110 @@ class RemoteImageApiDelegate: NSObject, URLSessionDataDelegate {
    bitmapInfo: CGBitmapInfo(rawValue: CGImageAlphaInfo.premultipliedLast.rawValue),
    renderingIntent: .perceptual
  )!
-  private static var requestByTaskId = [Int: RemoteImageRequest]()
-  private static var taskIdByRequestId = [Int64: Int]()
-  private static let cancelledResult = Result<[String: Int64]?, any Error>.success(nil)
  private static let decodeOptions = [
    kCGImageSourceShouldCache: false,
    kCGImageSourceShouldCacheImmediately: true,
    kCGImageSourceCreateThumbnailWithTransform: true,
    kCGImageSourceCreateThumbnailFromImageAlways: true
  ] as CFDictionary
-  
-  func urlSession(
-    _ session: URLSession, dataTask: URLSessionDataTask,
-    didReceive response: URLResponse,
-    completionHandler: @escaping (URLSession.ResponseDisposition) -> Void
-  ) {
-    guard let request = get(taskId: dataTask.taskIdentifier)
-    else {
-      return completionHandler(.cancel)
+
+  func requestImage(url: String, headers: [String : String], requestId: Int64, completion: @escaping (Result<[String : Int64]?, any Error>) -> Void) {
+    var urlRequest = URLRequest(url: URL(string: url)!)
+    urlRequest.cachePolicy = .returnCacheDataElseLoad
+    for (key, value) in headers {
+      urlRequest.setValue(value, forHTTPHeaderField: key)
    }
-    
-    let capacity = max(Int(response.expectedContentLength), 0)
-    request.data = CFDataCreateMutable(nil, capacity)
-    
-    completionHandler(.allow)
-  }
-  
-  func urlSession(_ session: URLSession, dataTask: URLSessionDataTask,
-                  didReceive data: Data) {
-    guard let request = get(taskId: dataTask.taskIdentifier) else { return }
-    
-    data.withUnsafeBytes { bytes in
-      CFDataAppendBytes(request.data, bytes.bindMemory(to: UInt8.self).baseAddress, data.count)
+
+    let task = URLSessionManager.shared.session.dataTask(with: urlRequest) { data, response, error in
+      Self.handleCompletion(requestId: requestId, data: data, response: response, error: error)
    }
+
+    let request = RemoteImageRequest(id: requestId, task: task, completion: completion)
+
+    os_unfair_lock_lock(&Self.lock)
+    Self.requests[requestId] = request
+    os_unfair_lock_unlock(&Self.lock)
+
+    task.resume()
  }
-  
-  func urlSession(_ session: URLSession, task: URLSessionTask,
-                  didCompleteWithError error: Error?) {
-    guard let request = get(taskId: task.taskIdentifier) else { return }
-        
-    defer { remove(taskId: task.taskIdentifier, requestId: request.id) }
-    
+
+  private static func handleCompletion(requestId: Int64, data: Data?, response: URLResponse?, error: Error?) {
+    os_unfair_lock_lock(&Self.lock)
+    guard let request = requests[requestId] else {
+      return os_unfair_lock_unlock(&Self.lock)
+    }
+    requests[requestId] = nil
+    os_unfair_lock_unlock(&Self.lock)
+
    if let error = error {
      if request.isCancelled || (error as NSError).code == NSURLErrorCancelled {
-        return request.completion(Self.cancelledResult)
+        return request.completion(ImageProcessing.cancelledResult)
      }
      return request.completion(.failure(error))
    }
-    
+
    if request.isCancelled {
-      return request.completion(Self.cancelledResult)
+      return request.completion(ImageProcessing.cancelledResult)
    }
-    
-    guard let data = request.data else {
+
+    guard let data = data else {
      return request.completion(.failure(PigeonError(code: "", message: "No data received", details: nil)))
    }
-    
-    guard let imageSource = CGImageSourceCreateWithData(data, nil),
-          let cgImage = CGImageSourceCreateThumbnailAtIndex(imageSource, 0, Self.decodeOptions) else {
-      return request.completion(.failure(PigeonError(code: "", message: "Failed to decode image for request", details: nil)))
-    }
-    
-    if request.isCancelled {
-      return request.completion(Self.cancelledResult)
-    }
-    
-    do {
-      let buffer = try vImage_Buffer(cgImage: cgImage, format: Self.rgbaFormat)
-      
+
+    ImageProcessing.queue.async {
+      ImageProcessing.semaphore.wait()
+      defer { ImageProcessing.semaphore.signal() }
+
      if request.isCancelled {
-        buffer.free()
-        return request.completion(Self.cancelledResult)
+        return request.completion(ImageProcessing.cancelledResult)
+      }
+
+      guard let imageSource = CGImageSourceCreateWithData(data as CFData, nil),
+            let cgImage = CGImageSourceCreateThumbnailAtIndex(imageSource, 0, decodeOptions) else {
+        return request.completion(.failure(PigeonError(code: "", message: "Failed to decode image for request", details: nil)))
+      }
+
+      if request.isCancelled {
+        return request.completion(ImageProcessing.cancelledResult)
+      }
+
+      do {
+        let buffer = try vImage_Buffer(cgImage: cgImage, format: rgbaFormat)
+
+        if request.isCancelled {
+          buffer.free()
+          return request.completion(ImageProcessing.cancelledResult)
+        }
+
+        request.completion(
+          .success([
+            "pointer": Int64(Int(bitPattern: buffer.data)),
+            "width": Int64(buffer.width),
+            "height": Int64(buffer.height),
+            "rowBytes": Int64(buffer.rowBytes),
+          ]))
+      } catch {
+        return request.completion(.failure(PigeonError(code: "", message: "Failed to convert image for request: \(error)", details: nil)))
      }
-      
-      request.completion(
-        .success([
-          "pointer": Int64(Int(bitPattern: buffer.data)),
-          "width": Int64(buffer.width),
-          "height": Int64(buffer.height),
-          "rowBytes": Int64(buffer.rowBytes),
-        ]))
-    } catch {
-      return request.completion(.failure(PigeonError(code: "", message: "Failed to convert image for request: \(error)", details: nil)))
    }
  }
-  
-  @inline(__always) func get(taskId: Int) -> RemoteImageRequest? {
-    Self.requestQueue.sync { Self.requestByTaskId[taskId] }
-  }
-  
-  @inline(__always) func add(taskId: Int, request: RemoteImageRequest) -> Void {
-    Self.requestQueue.async(flags: .barrier) {
-      Self.requestByTaskId[taskId] = request
-      Self.taskIdByRequestId[request.id] = taskId
-    }
-  }
-  
-  @inline(__always) func remove(taskId: Int, requestId: Int64) -> Void {
-    Self.requestQueue.async(flags: .barrier) {
-      Self.taskIdByRequestId[requestId] = nil
-      Self.requestByTaskId[taskId] = nil
-    }
-  }
-  
-  @inline(__always) func cancel(requestId: Int64) -> Void {
-    guard let request: RemoteImageRequest = (Self.requestQueue.sync {
-      guard let taskId = Self.taskIdByRequestId[requestId] else { return nil }
-      return Self.requestByTaskId[taskId]
-    }) else { return }
+
+  func cancelRequest(requestId: Int64) {
+    os_unfair_lock_lock(&Self.lock)
+    let request = Self.requests[requestId]
+    os_unfair_lock_unlock(&Self.lock)
+
+    guard let request = request else { return }
    request.isCancelled = true
    request.task?.cancel()
  }
+
+  func clearCache(completion: @escaping (Result<Int64, any Error>) -> Void) {
+    Task {
+      let cache = URLSessionManager.shared.session.configuration.urlCache!
+      let cacheSize = Int64(cache.currentDiskUsage)
+      cache.removeAllCachedResponses()
+      completion(.success(cacheSize))
+    }
+  }
 }
--- a/mobile/lib/domain/services/background_worker.service.dart
+++ b/mobile/lib/domain/services/background_worker.service.dart
@@ -88,7 +88,7 @@ class BackgroundWorkerBgService extends BackgroundWorkerFlutterApi {

  Future<void> init() async {
    try {
-      HttpSSLOptions.apply(applyNative: false);
+      HttpSSLOptions.apply();

      await Future.wait(
        [
--- a/mobile/lib/models/server_info/server_info.model.dart
+++ b/mobile/lib/models/server_info/server_info.model.dart
@@ -20,7 +20,7 @@ enum VersionStatus {

 class ServerInfo {
  final ServerVersion serverVersion;
-  final ServerVersion latestVersion;
+  final ServerVersion? latestVersion;
  final ServerFeatures serverFeatures;
  final ServerConfig serverConfig;
  final ServerDiskInfo serverDiskInfo;
--- a/mobile/lib/platform/network_api.g.dart
+++ b/mobile/lib/platform/network_api.g.dart
@@ -0,0 +1,181 @@
+// Autogenerated from Pigeon (v26.0.2), do not edit directly.
+// See also: https://pub.dev/packages/pigeon
+// ignore_for_file: public_member_api_docs, non_constant_identifier_names, avoid_as, unused_import, unnecessary_parenthesis, prefer_null_aware_operators, omit_local_variable_types, unused_shown_name, unnecessary_import, no_leading_underscores_for_local_identifiers
+
+import 'dart:async';
+import 'dart:typed_data' show Float64List, Int32List, Int64List, Uint8List;
+
+import 'package:flutter/foundation.dart' show ReadBuffer, WriteBuffer;
+import 'package:flutter/services.dart';
+
+PlatformException _createConnectionError(String channelName) {
+  return PlatformException(
+    code: 'channel-error',
+    message: 'Unable to establish connection on channel: "$channelName".',
+  );
+}
+
+bool _deepEquals(Object? a, Object? b) {
+  if (a is List && b is List) {
+    return a.length == b.length && a.indexed.every(((int, dynamic) item) => _deepEquals(item.$2, b[item.$1]));
+  }
+  if (a is Map && b is Map) {
+    return a.length == b.length &&
+        a.entries.every(
+          (MapEntry<Object?, Object?> entry) =>
+              (b as Map<Object?, Object?>).containsKey(entry.key) && _deepEquals(entry.value, b[entry.key]),
+        );
+  }
+  return a == b;
+}
+
+class ClientCertData {
+  ClientCertData({required this.data, required this.password});
+
+  Uint8List data;
+
+  String password;
+
+  List<Object?> _toList() {
+    return <Object?>[data, password];
+  }
+
+  Object encode() {
+    return _toList();
+  }
+
+  static ClientCertData decode(Object result) {
+    result as List<Object?>;
+    return ClientCertData(data: result[0]! as Uint8List, password: result[1]! as String);
+  }
+
+  @override
+  // ignore: avoid_equals_and_hash_code_on_mutable_classes
+  bool operator ==(Object other) {
+    if (other is! ClientCertData || other.runtimeType != runtimeType) {
+      return false;
+    }
+    if (identical(this, other)) {
+      return true;
+    }
+    return _deepEquals(encode(), other.encode());
+  }
+
+  @override
+  // ignore: avoid_equals_and_hash_code_on_mutable_classes
+  int get hashCode => Object.hashAll(_toList());
+}
+
+class _PigeonCodec extends StandardMessageCodec {
+  const _PigeonCodec();
+  @override
+  void writeValue(WriteBuffer buffer, Object? value) {
+    if (value is int) {
+      buffer.putUint8(4);
+      buffer.putInt64(value);
+    } else if (value is ClientCertData) {
+      buffer.putUint8(129);
+      writeValue(buffer, value.encode());
+    } else {
+      super.writeValue(buffer, value);
+    }
+  }
+
+  @override
+  Object? readValueOfType(int type, ReadBuffer buffer) {
+    switch (type) {
+      case 129:
+        return ClientCertData.decode(readValue(buffer)!);
+      default:
+        return super.readValueOfType(type, buffer);
+    }
+  }
+}
+
+class NetworkApi {
+  /// Constructor for [NetworkApi].  The [binaryMessenger] named argument is
+  /// available for dependency injection.  If it is left null, the default
+  /// BinaryMessenger will be used which routes to the host platform.
+  NetworkApi({BinaryMessenger? binaryMessenger, String messageChannelSuffix = ''})
+    : pigeonVar_binaryMessenger = binaryMessenger,
+      pigeonVar_messageChannelSuffix = messageChannelSuffix.isNotEmpty ? '.$messageChannelSuffix' : '';
+  final BinaryMessenger? pigeonVar_binaryMessenger;
+
+  static const MessageCodec<Object?> pigeonChannelCodec = _PigeonCodec();
+
+  final String pigeonVar_messageChannelSuffix;
+
+  Future<void> addCertificate(ClientCertData clientData) async {
+    final String pigeonVar_channelName =
+        'dev.flutter.pigeon.immich_mobile.NetworkApi.addCertificate$pigeonVar_messageChannelSuffix';
+    final BasicMessageChannel<Object?> pigeonVar_channel = BasicMessageChannel<Object?>(
+      pigeonVar_channelName,
+      pigeonChannelCodec,
+      binaryMessenger: pigeonVar_binaryMessenger,
+    );
+    final Future<Object?> pigeonVar_sendFuture = pigeonVar_channel.send(<Object?>[clientData]);
+    final List<Object?>? pigeonVar_replyList = await pigeonVar_sendFuture as List<Object?>?;
+    if (pigeonVar_replyList == null) {
+      throw _createConnectionError(pigeonVar_channelName);
+    } else if (pigeonVar_replyList.length > 1) {
+      throw PlatformException(
+        code: pigeonVar_replyList[0]! as String,
+        message: pigeonVar_replyList[1] as String?,
+        details: pigeonVar_replyList[2],
+      );
+    } else {
+      return;
+    }
+  }
+
+  Future<ClientCertData> selectCertificate() async {
+    final String pigeonVar_channelName =
+        'dev.flutter.pigeon.immich_mobile.NetworkApi.selectCertificate$pigeonVar_messageChannelSuffix';
+    final BasicMessageChannel<Object?> pigeonVar_channel = BasicMessageChannel<Object?>(
+      pigeonVar_channelName,
+      pigeonChannelCodec,
+      binaryMessenger: pigeonVar_binaryMessenger,
+    );
+    final Future<Object?> pigeonVar_sendFuture = pigeonVar_channel.send(null);
+    final List<Object?>? pigeonVar_replyList = await pigeonVar_sendFuture as List<Object?>?;
+    if (pigeonVar_replyList == null) {
+      throw _createConnectionError(pigeonVar_channelName);
+    } else if (pigeonVar_replyList.length > 1) {
+      throw PlatformException(
+        code: pigeonVar_replyList[0]! as String,
+        message: pigeonVar_replyList[1] as String?,
+        details: pigeonVar_replyList[2],
+      );
+    } else if (pigeonVar_replyList[0] == null) {
+      throw PlatformException(
+        code: 'null-error',
+        message: 'Host platform returned null value for non-null return value.',
+      );
+    } else {
+      return (pigeonVar_replyList[0] as ClientCertData?)!;
+    }
+  }
+
+  Future<void> removeCertificate() async {
+    final String pigeonVar_channelName =
+        'dev.flutter.pigeon.immich_mobile.NetworkApi.removeCertificate$pigeonVar_messageChannelSuffix';
+    final BasicMessageChannel<Object?> pigeonVar_channel = BasicMessageChannel<Object?>(
+      pigeonVar_channelName,
+      pigeonChannelCodec,
+      binaryMessenger: pigeonVar_binaryMessenger,
+    );
+    final Future<Object?> pigeonVar_sendFuture = pigeonVar_channel.send(null);
+    final List<Object?>? pigeonVar_replyList = await pigeonVar_sendFuture as List<Object?>?;
+    if (pigeonVar_replyList == null) {
+      throw _createConnectionError(pigeonVar_channelName);
+    } else if (pigeonVar_replyList.length > 1) {
+      throw PlatformException(
+        code: pigeonVar_replyList[0]! as String,
+        message: pigeonVar_replyList[1] as String?,
+        details: pigeonVar_replyList[2],
+      );
+    } else {
+      return;
+    }
+  }
+}
--- a/mobile/lib/providers/infrastructure/platform.provider.dart
+++ b/mobile/lib/providers/infrastructure/platform.provider.dart
@@ -5,6 +5,7 @@ import 'package:immich_mobile/platform/background_worker_lock_api.g.dart';
 import 'package:immich_mobile/platform/connectivity_api.g.dart';
 import 'package:immich_mobile/platform/native_sync_api.g.dart';
 import 'package:immich_mobile/platform/local_image_api.g.dart';
+import 'package:immich_mobile/platform/network_api.g.dart';
 import 'package:immich_mobile/platform/remote_image_api.g.dart';

 final backgroundWorkerFgServiceProvider = Provider((_) => BackgroundWorkerFgService(BackgroundWorkerFgHostApi()));
@@ -20,3 +21,5 @@ final connectivityApiProvider = Provider<ConnectivityApi>((_) => ConnectivityApi
 final localImageApi = LocalImageApi();

 final remoteImageApi = RemoteImageApi();
+
+final networkApi = NetworkApi();
--- a/mobile/lib/providers/server_info.provider.dart
+++ b/mobile/lib/providers/server_info.provider.dart
@@ -15,7 +15,7 @@ class ServerInfoNotifier extends StateNotifier<ServerInfo> {
    : super(
        const ServerInfo(
          serverVersion: ServerVersion(major: 0, minor: 0, patch: 0),
-          latestVersion: ServerVersion(major: 0, minor: 0, patch: 0),
+          latestVersion: null,
          serverFeatures: ServerFeatures(map: true, trash: true, oauthEnabled: false, passwordLogin: true),
          serverConfig: ServerConfig(
            trashDays: 30,
@@ -43,7 +43,7 @@ class ServerInfoNotifier extends StateNotifier<ServerInfo> {
    try {
      final serverVersion = await _serverInfoService.getServerVersion();

-      // using isClientOutOfDate since that will show to users reguardless of if they are an admin
+      // using isClientOutOfDate since that will show to users regardless of if they are an admin
      if (serverVersion == null) {
        state = state.copyWith(versionStatus: VersionStatus.error);
        return;
@@ -76,7 +76,7 @@ class ServerInfoNotifier extends StateNotifier<ServerInfo> {
    state = state.copyWith(versionStatus: VersionStatus.upToDate);
  }

-  handleReleaseInfo(ServerVersion serverVersion, ServerVersion latestVersion) {
+  handleReleaseInfo(ServerVersion serverVersion, ServerVersion? latestVersion) {
    // Update local server version
    _checkServerVersionMismatch(serverVersion, latestVersion: latestVersion);
  }
--- a/mobile/lib/utils/http_ssl_options.dart
+++ b/mobile/lib/utils/http_ssl_options.dart
@@ -1,26 +1,20 @@
 import 'dart:io';

-import 'package:flutter/services.dart';
 import 'package:immich_mobile/domain/models/store.model.dart';
 import 'package:immich_mobile/entities/store.entity.dart';
 import 'package:immich_mobile/services/app_settings.service.dart';
 import 'package:immich_mobile/utils/http_ssl_cert_override.dart';
-import 'package:logging/logging.dart';

 class HttpSSLOptions {
-  static const MethodChannel _channel = MethodChannel('immich/httpSSLOptions');
-
-  static void apply({bool applyNative = true}) {
+  static void apply() {
    AppSettingsEnum setting = AppSettingsEnum.allowSelfSignedSSLCert;
    bool allowSelfSignedSSLCert = Store.get(setting.storeKey as StoreKey<bool>, setting.defaultValue);
-    _apply(allowSelfSignedSSLCert, applyNative: applyNative);
+    return _apply(allowSelfSignedSSLCert);
  }

-  static void applyFromSettings(bool newValue) {
-    _apply(newValue);
-  }
+  static void applyFromSettings(bool newValue) => _apply(newValue);

-  static void _apply(bool allowSelfSignedSSLCert, {bool applyNative = true}) {
+  static void _apply(bool allowSelfSignedSSLCert) {
    String? serverHost;
    if (allowSelfSignedSSLCert && Store.tryGet(StoreKey.currentUser) != null) {
      serverHost = Uri.parse(Store.tryGet(StoreKey.serverEndpoint) ?? "").host;
@@ -29,14 +23,5 @@ class HttpSSLOptions {
    SSLClientCertStoreVal? clientCert = SSLClientCertStoreVal.load();

    HttpOverrides.global = HttpSSLCertOverride(allowSelfSignedSSLCert, serverHost, clientCert);
-
-    if (applyNative && Platform.isAndroid) {
-      _channel
-          .invokeMethod("apply", [allowSelfSignedSSLCert, serverHost, clientCert?.data, clientCert?.password])
-          .onError<PlatformException>((e, _) {
-            final log = Logger("HttpSSLOptions");
-            log.severe('Failed to set SSL options', e.message);
-          });
-    }
  }
 }
--- a/mobile/lib/utils/isolate.dart
+++ b/mobile/lib/utils/isolate.dart
@@ -54,7 +54,7 @@ Cancelable<T?> runInIsolateGentle<T>({
        Logger log = Logger("IsolateLogger");

        try {
-          HttpSSLOptions.apply(applyNative: false);
+          HttpSSLOptions.apply();
          result = await computation(ref);
        } on CanceledError {
          log.warning("Computation cancelled ${debugLabel == null ? '' : ' for $debugLabel'}");
--- a/mobile/lib/utils/migration.dart
+++ b/mobile/lib/utils/migration.dart
@@ -23,6 +23,8 @@ import 'package:immich_mobile/infrastructure/entities/user.entity.dart';
 import 'package:immich_mobile/infrastructure/repositories/db.repository.dart';
 import 'package:immich_mobile/infrastructure/repositories/sync_stream.repository.dart';
 import 'package:immich_mobile/platform/native_sync_api.g.dart';
+import 'package:immich_mobile/platform/network_api.g.dart';
+import 'package:immich_mobile/providers/infrastructure/platform.provider.dart';
 import 'package:immich_mobile/services/app_settings.service.dart';
 import 'package:immich_mobile/utils/datetime_helpers.dart';
 import 'package:immich_mobile/utils/debug_print.dart';
@@ -32,7 +34,7 @@ import 'package:isar/isar.dart';
 // ignore: import_rule_photo_manager
 import 'package:photo_manager/photo_manager.dart';

-const int targetVersion = 20;
+const int targetVersion = 21;

 Future<void> migrateDatabaseIfNeeded(Isar db, Drift drift) async {
  final hasVersion = Store.tryGet(StoreKey.version) != null;
@@ -91,6 +93,13 @@ Future<void> migrateDatabaseIfNeeded(Isar db, Drift drift) async {
    await _syncLocalAlbumIsIosSharedAlbum(drift);
  }

+  if (version < 21) {
+    final certData = SSLClientCertStoreVal.load();
+    if (certData != null) {
+      await networkApi.addCertificate(ClientCertData(data: certData.data, password: certData.password ?? ""));
+    }
+  }
+
  if (targetVersion >= 12) {
    await Store.put(StoreKey.version, targetVersion);
    return;
--- a/mobile/lib/widgets/common/app_bar_dialog/app_bar_server_info.dart
+++ b/mobile/lib/widgets/common/app_bar_dialog/app_bar_server_info.dart
@@ -170,50 +170,52 @@ class AppBarServerInfo extends HookConsumerWidget {
                  ),
                ],
              ),
-              const Padding(padding: EdgeInsets.symmetric(horizontal: 10), child: Divider(thickness: 1)),
-              Row(
-                mainAxisAlignment: MainAxisAlignment.spaceBetween,
-                children: [
-                  Expanded(
-                    child: Padding(
-                      padding: const EdgeInsets.only(left: 10.0),
-                      child: Row(
-                        children: [
-                          if (serverInfoState.versionStatus == VersionStatus.serverOutOfDate)
-                            const Padding(
-                              padding: EdgeInsets.only(right: 5.0),
-                              child: Icon(Icons.info, color: Color.fromARGB(255, 243, 188, 106), size: 12),
+              if (serverInfoState.latestVersion != null) ...[
+                const Padding(padding: EdgeInsets.symmetric(horizontal: 10), child: Divider(thickness: 1)),
+                Row(
+                  mainAxisAlignment: MainAxisAlignment.spaceBetween,
+                  children: [
+                    Expanded(
+                      child: Padding(
+                        padding: const EdgeInsets.only(left: 10.0),
+                        child: Row(
+                          children: [
+                            if (serverInfoState.versionStatus == VersionStatus.serverOutOfDate)
+                              const Padding(
+                                padding: EdgeInsets.only(right: 5.0),
+                                child: Icon(Icons.info, color: Color.fromARGB(255, 243, 188, 106), size: 12),
+                              ),
+                            Text(
+                              "latest_version".tr(),
+                              style: TextStyle(
+                                fontSize: titleFontSize,
+                                color: context.textTheme.labelSmall?.color,
+                                fontWeight: FontWeight.w500,
+                              ),
                            ),
-                          Text(
-                            "latest_version".tr(),
-                            style: TextStyle(
-                              fontSize: titleFontSize,
-                              color: context.textTheme.labelSmall?.color,
-                              fontWeight: FontWeight.w500,
-                            ),
-                          ),
-                        ],
-                      ),
-                    ),
-                  ),
-                  Expanded(
-                    flex: 0,
-                    child: Padding(
-                      padding: const EdgeInsets.only(right: 10.0),
-                      child: Text(
-                        serverInfoState.latestVersion.major > 0
-                            ? "${serverInfoState.latestVersion.major}.${serverInfoState.latestVersion.minor}.${serverInfoState.latestVersion.patch}"
-                            : "--",
-                        style: TextStyle(
-                          fontSize: contentFontSize,
-                          color: context.colorScheme.onSurfaceSecondary,
-                          fontWeight: FontWeight.bold,
+                          ],
                        ),
                      ),
                    ),
-                  ),
-                ],
-              ),
+                    Expanded(
+                      flex: 0,
+                      child: Padding(
+                        padding: const EdgeInsets.only(right: 10.0),
+                        child: Text(
+                          serverInfoState.latestVersion!.major > 0
+                              ? "${serverInfoState.latestVersion!.major}.${serverInfoState.latestVersion!.minor}.${serverInfoState.latestVersion!.patch}"
+                              : "--",
+                          style: TextStyle(
+                            fontSize: contentFontSize,
+                            color: context.colorScheme.onSurfaceSecondary,
+                            fontWeight: FontWeight.bold,
+                          ),
+                        ),
+                      ),
+                    ),
+                  ],
+                ),
+              ],
            ],
          ),
        ),
--- a/mobile/lib/widgets/settings/ssl_client_cert_settings.dart
+++ b/mobile/lib/widgets/settings/ssl_client_cert_settings.dart
@@ -1,14 +1,12 @@
-import 'dart:io';
-
 import 'package:easy_localization/easy_localization.dart';
-import 'package:file_picker/file_picker.dart';
 import 'package:flutter/material.dart';
 import 'package:flutter/services.dart';
 import 'package:immich_mobile/entities/store.entity.dart';
 import 'package:immich_mobile/extensions/build_context_extensions.dart';
 import 'package:immich_mobile/extensions/theme_extensions.dart';
-import 'package:immich_mobile/utils/http_ssl_cert_override.dart';
+import 'package:immich_mobile/providers/infrastructure/platform.provider.dart';
 import 'package:immich_mobile/utils/http_ssl_options.dart';
+import 'package:logging/logging.dart';

 class SslClientCertSettings extends StatefulWidget {
  const SslClientCertSettings({super.key, required this.isLoggedIn});
@@ -20,10 +18,12 @@ class SslClientCertSettings extends StatefulWidget {
 }

 class _SslClientCertSettingsState extends State<SslClientCertSettings> {
-  _SslClientCertSettingsState() : isCertExist = SSLClientCertStoreVal.load() != null;
+  final _log = Logger("SslClientCertSettings");

  bool isCertExist;

+  _SslClientCertSettingsState() : isCertExist = SSLClientCertStoreVal.load() != null;
+
  @override
  Widget build(BuildContext context) {
    return ListTile(
@@ -41,16 +41,12 @@ class _SslClientCertSettingsState extends State<SslClientCertSettings> {
          const SizedBox(height: 6),
          Row(
            mainAxisSize: MainAxisSize.max,
-            mainAxisAlignment: MainAxisAlignment.center,
+            mainAxisAlignment: MainAxisAlignment.spaceEvenly,
            crossAxisAlignment: CrossAxisAlignment.center,
            children: [
+              ElevatedButton(onPressed: widget.isLoggedIn ? null : importCert, child: Text("client_cert_import".tr())),
              ElevatedButton(
-                onPressed: widget.isLoggedIn ? null : () => importCert(context),
-                child: Text("client_cert_import".tr()),
-              ),
-              const SizedBox(width: 15),
-              ElevatedButton(
-                onPressed: widget.isLoggedIn || !isCertExist ? null : () async => await removeCert(context),
+                onPressed: widget.isLoggedIn || !isCertExist ? null : removeCert,
                child: Text("remove".tr()),
              ),
            ],
@@ -60,71 +56,42 @@ class _SslClientCertSettingsState extends State<SslClientCertSettings> {
    );
  }

-  void showMessage(BuildContext context, String message) {
-    showDialog(
-      context: context,
-      builder: (ctx) => AlertDialog(
-        content: Text(message),
-        actions: [TextButton(onPressed: () => ctx.pop(), child: Text("client_cert_dialog_msg_confirm".tr()))],
+  void showMessage(String message) {
+    context.showSnackBar(
+      SnackBar(
+        duration: const Duration(seconds: 3),
+        content: Text(message, style: context.textTheme.bodyLarge?.copyWith(color: context.primaryColor)),
      ),
    );
  }

-  Future<void> storeCert(BuildContext context, Uint8List data, String? password) async {
-    if (password != null && password.isEmpty) {
-      password = null;
-    }
-    final cert = SSLClientCertStoreVal(data, password);
-    // Test whether the certificate is valid
-    final isCertValid = HttpSSLCertOverride.setClientCert(SecurityContext(withTrustedRoots: true), cert);
-    if (!isCertValid) {
-      showMessage(context, "client_cert_invalid_msg".tr());
-      return;
-    }
-    await cert.save();
-    HttpSSLOptions.apply();
-    setState(() => isCertExist = true);
-    showMessage(context, "client_cert_import_success_msg".tr());
-  }
-
-  void setPassword(BuildContext context, Uint8List data) {
-    final password = TextEditingController();
-    showDialog(
-      context: context,
-      barrierDismissible: false,
-      builder: (ctx) => AlertDialog(
-        content: TextField(
-          controller: password,
-          obscureText: true,
-          obscuringCharacter: "*",
-          decoration: InputDecoration(hintText: "client_cert_enter_password".tr()),
-        ),
-        actions: [
-          TextButton(
-            onPressed: () async => {ctx.pop(), await storeCert(context, data, password.text)},
-            child: Text("client_cert_dialog_msg_confirm".tr()),
-          ),
-        ],
-      ),
-    );
-  }
-
-  Future<void> importCert(BuildContext ctx) async {
-    FilePickerResult? res = await FilePicker.platform.pickFiles(
-      type: FileType.custom,
-      allowedExtensions: ['p12', 'pfx'],
-    );
-    if (res != null) {
-      File file = File(res.files.single.path!);
-      final bytes = await file.readAsBytes();
-      setPassword(ctx, bytes);
+  Future<void> importCert() async {
+    try {
+      final cert = await networkApi.selectCertificate();
+      await SSLClientCertStoreVal(cert.data, cert.password).save();
+      HttpSSLOptions.apply();
+      setState(() => isCertExist = true);
+      showMessage("client_cert_import_success_msg".tr());
+    } catch (e) {
+      if (_isCancellation(e)) return;
+      _log.severe("Error importing client cert", e);
+      showMessage("client_cert_invalid_msg".tr());
    }
  }

-  Future<void> removeCert(BuildContext context) async {
-    await SSLClientCertStoreVal.delete();
-    HttpSSLOptions.apply();
-    setState(() => isCertExist = false);
-    showMessage(context, "client_cert_remove_msg".tr());
+  Future<void> removeCert() async {
+    try {
+      await networkApi.removeCertificate();
+      await SSLClientCertStoreVal.delete();
+      HttpSSLOptions.apply();
+      setState(() => isCertExist = false);
+      showMessage("client_cert_remove_msg".tr());
+    } catch (e) {
+      if (_isCancellation(e)) return;
+      _log.severe("Error removing client cert", e);
+      showMessage("client_cert_invalid_msg".tr());
+    }
  }
+
+  bool _isCancellation(Object e) => e is PlatformException && e.code.toLowerCase().contains("cancel");
 }
--- a/mobile/makefile
+++ b/mobile/makefile
@@ -12,12 +12,14 @@ pigeon:
 	dart run pigeon --input pigeon/background_worker_api.dart
 	dart run pigeon --input pigeon/background_worker_lock_api.dart
 	dart run pigeon --input pigeon/connectivity_api.dart
+	dart run pigeon --input pigeon/network_api.dart
 	dart format lib/platform/native_sync_api.g.dart
 	dart format lib/platform/local_image_api.g.dart
 	dart format lib/platform/remote_image_api.g.dart
 	dart format lib/platform/background_worker_api.g.dart
 	dart format lib/platform/background_worker_lock_api.g.dart
 	dart format lib/platform/connectivity_api.g.dart
+	dart format lib/platform/network_api.g.dart

 watch:
 	dart run build_runner watch --delete-conflicting-outputs
--- a/mobile/pigeon/network_api.dart
+++ b/mobile/pigeon/network_api.dart
@@ -0,0 +1,32 @@
+import 'package:pigeon/pigeon.dart';
+
+class ClientCertData {
+  Uint8List data;
+  String password;
+
+  ClientCertData(this.data, this.password);
+}
+
+@ConfigurePigeon(
+  PigeonOptions(
+    dartOut: 'lib/platform/network_api.g.dart',
+    swiftOut: 'ios/Runner/Core/Network.g.swift',
+    swiftOptions: SwiftOptions(includeErrorClass: false),
+    kotlinOut:
+        'android/app/src/main/kotlin/app/alextran/immich/core/Network.g.kt',
+    kotlinOptions: KotlinOptions(package: 'app.alextran.immich.core', includeErrorClass: true),
+    dartOptions: DartOptions(),
+    dartPackageName: 'immich_mobile',
+  ),
+)
+@HostApi()
+abstract class NetworkApi {
+  @async
+  void addCertificate(ClientCertData clientData);
+
+  @async
+  ClientCertData selectCertificate();
+
+  @async
+  void removeCertificate();
+}
--- a/mobile/pubspec.lock
+++ b/mobile/pubspec.lock
@@ -538,14 +538,6 @@ packages:
      url: "https://pub.dev"
    source: hosted
    version: "7.0.1"
-  file_picker:
-    dependency: "direct main"
-    description:
-      name: file_picker
-      sha256: ab13ae8ef5580a411c458d6207b6774a6c237d77ac37011b13994879f68a8810
-      url: "https://pub.dev"
-    source: hosted
-    version: "8.3.7"
  file_selector_linux:
    dependency: transitive
    description:
@@ -1249,10 +1241,10 @@ packages:
    dependency: transitive
    description:
      name: meta
-      sha256: e3641ec5d63ebf0d9b41bd43201a66e3fc79a65db5f61fc181f04cd27aab950c
+      sha256: "23f08335362185a5ea2ad3a4e597f1375e78bce8a040df5c600c8d3552ef2394"
      url: "https://pub.dev"
    source: hosted
-    version: "1.16.0"
+    version: "1.17.0"
  mime:
    dependency: transitive
    description:
@@ -1942,10 +1934,10 @@ packages:
    dependency: transitive
    description:
      name: test_api
-      sha256: "522f00f556e73044315fa4585ec3270f1808a4b186c936e612cab0b565ff1e00"
+      sha256: ab2726c1a94d3176a45960b6234466ec367179b87dd74f1611adb1f3b5fb9d55
      url: "https://pub.dev"
    source: hosted
-    version: "0.7.6"
+    version: "0.7.7"
  thumbhash:
    dependency: "direct main"
    description:
--- a/mobile/pubspec.yaml
+++ b/mobile/pubspec.yaml
@@ -26,7 +26,6 @@ dependencies:
  dynamic_color: ^1.8.1
  easy_localization: ^3.0.8
  ffi: ^2.1.4
-  file_picker: ^8.0.0+1
  flutter:
    sdk: flutter
  flutter_cache_manager: ^3.4.1
Author	SHA1	Message	Date
mertalev	79a8031b9e	removed print statement	2026-02-02 02:27:14 -05:00
mertalev	8a600e0811	trust user-installed certs	2026-02-02 02:24:03 -05:00
mertalev	cc63580c1d	remove unused dependency	2026-02-02 02:07:06 -05:00
mertalev	a2f301caab	add migration	2026-02-02 02:00:32 -05:00
mertalev	fbacc0d0c0	dead code	2026-02-02 01:53:37 -05:00
mertalev	69a50e9f7e	improve concurrency	2026-02-02 01:52:38 -05:00
mertalev	2e911ec1ca	no need to store data separately	2026-02-02 01:43:08 -05:00
mertalev	4ed94a34f0	dead code	2026-02-02 01:35:25 -05:00
mertalev	95c5e736b2	ui improvements	2026-02-02 01:33:46 -05:00
mertalev	38dccb0f76	update android impl	2026-02-02 01:16:50 -05:00
mertalev	22b89d241f	handle mtls on ios	2026-02-02 01:11:52 -05:00
Matthew Momjian	1436e2a75f	fix(docs): clarify supported vector version (#25753 ) clarify supported version	2026-01-31 11:46:51 -05:00
Thomas	855817514c	fix(mobile): hide latest version if disabled (#25691 ) * fix(mobile): hide latest version if disabled If the version check feature is disabled, the server will currently send stale data to the client. In addition to no longer sending stale data, the client should also not show the latest version if the feature is disabled. This complements the server PR #25688. * lint --------- Co-authored-by: Alex <alex.tran1502@gmail.com>	2026-01-30 16:17:03 +00:00