I’m doing it on iPhone for now, but have plans for an Android comparison, so I might need some pointers on that—is the dev slack a reasonable place to ask about that?
Sure - feel free to ping me there or continue here, whatever works better for you.
In a nutshell, the problem with Android Nougat and above is that apps do not trust user-added certificate authorities (CAs) by default, which makes it impossible to intercept their traffic in normal use. In contrast, all other certificate validation policies I know of mark user-added CAs as particularly trustworthy as they represent explicit user intent¹. We have asked the folks at Google on multiple occasions which threat this would defend against, but we have not received any satisfactory explanation. As it stands, this only makes privacy analyses needlessly difficult.
NCC Group’s blog post on the topic describes the two main ways in which this can be bypassed: First, one can recompile individual apps (I’m not sure if that works with preinstalled apps); second, one can root their phone (which reduces their security level) and install some custom hooks. Both of course are far from ideal if you as a concerned citizen just want to see what your phone is sending out.
¹) For example, certificates signed by user-added CAs overrule HTTP Public Key Pinning in Firefox.
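As an added illustration (not part of the thread), this is the shape of the Android network security configuration that expresses the trust policy described above. Apps on Nougat and later default to the first section, which trusts only the system CA store; the `debug-overrides` section is the documented way for an app developer to let their own debuggable builds also trust user-added CAs so they can inspect the app's traffic during testing. The file is referenced from the manifest via `android:networkSecurityConfig="@xml/network_security_config"`; the XML below is constructed for this example.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml (example, not from the thread) -->
<network-security-config>
    <!-- Default for all connections: trust only the pre-installed system CAs.
         This is what Android 7+ applies when an app ships no config at all. -->
    <base-config>
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>

    <!-- Applied only when the app is built with android:debuggable="true":
         additionally trust user-added CAs so a developer can inspect the
         traffic of their own debug build. Release builds ignore this section. -->
    <debug-overrides>
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />
        </trust-anchors>
    </debug-overrides>
</network-security-config>
```

Because `debug-overrides` is ignored in non-debuggable builds, this keeps the release app's trust policy unchanged while giving the developer a supported path for their own privacy testing, without rooting the device.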