Your proxy server may see the client IP from Android devices where as iOS it sees (and expects) the subnet IP of the NS.

How to filter traffic using the Subnet IP address for Android Devices?

Create a rewrite rule on the NetScaler Gateway to remove the 'X-Forwarded-For' header to satisfy the proxy filter rules.

add rewrite action act_del_xfor delete_http_header x-forwarded-for
add rewrite policy pol_check_xfor "HTTP.REQ.HEADER(\"x-forwarded-for\").EXISTS" act_del_xfor
Bind onto the NSG Virtual Server.

---

Problem Cause

Internal Proxy Filtering detected the Public IP address of the Client, instead of the Subnet IP address.

Android Traffic contains the 'X-Forward-Header', which contains the Public IP Address of the Client.
Proxy Server picks up on this and enforces 407 auth.

Android Traffic
GET http://google.com/ HTTP/1.1
Host: google.com
Proxy-Connection: keep-alive
Upgrade-Insecure-Requests: 1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.8
X-Requested-With: com.citrix.browser.droid
X-Citrix-Gateway: mam.test.lab
User-Agent: Mozilla/5.0 (Linux; Android 6.0.1; STV100-4 Build/MMB29M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/58.0.3029.83 Mobile Safari/537.36 Secure Web/10.5.20-8
X-Citrix-Via: mam.test.lab
X-Citrix-Via-VIP: 10.x.x.x
X-Forwarded-For: 185.x.x.x
Connection: Keep-Alive

This header is not present for iOS Traffic.