Golang API + Android: cannot access API on Android - android

I developed a Golang API to communicate with my Android app. My API is located on my "server" (currently an old laptop) and I can access my API on my Android device when both are connected on the same network, use the android:usesCleartextTraffic="true" in the manifest and use the IP (192.168.X.XX:XXX) of my server on my Android app. Cool so far :)
But now I want to access using different networks, for this, I created a Dynu account with DDNS with a built-in domain (test.freeddns.org). On my Android log displays:
No Network Security Config specified, using platform default
So I tried using network_security_config.xml:
<?xml version="1.0" encoding="utf-8"?>
<network-security-config xmlns:android="http://schemas.android.com/apk/res/android">
<domain-config cleartextTrafficPermitted="true">
<domain includeSubdomains="true">test.freeddns.org</domain>
</domain-config>
</network-security-config>
but it gives me the following message:
2022-11-10 12:08:53.518 30659-30745 NetworkSecurityConfig D Using Network Security Config from resource network_security_config debugBuild: true
I tried using the public IP of my server with no success :( I still get the same error
I use the
RequestQueue queue = Volley.newRequestQueue(context); on my Android App to send a POST request to my server.
Any ideas will be more than welcome
Thanks in advance
Best regards

Related

Insecure HTTP connections are disabled by default on iOS and Android Flutter

I need to allow all HTTP for all requests in my code.
The code works fine in debug and release mode for the apk, but it doesn't work when I upload it to Google play as bundle.aab
1- I created network_security_config.xml
<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
<base-config cleartextTrafficPermitted="true">
<trust-anchors>
<certificates src="system" />
</trust-anchors>
</base-config>
</network-security-config>
2- add to AndroidManifest/application
<application
android:usesCleartextTraffic="true"
android:networkSecurityConfig="#xml/network_security_config"
......
>
3- add meta-data to application
<application
......>
.....
<meta-data android:name="io.flutter.network-policy"
android:resource="#xml/network_security_config"/>
</application>
4- add the permission
<uses-permission android:name="android.permission.INTERNET"/>
You should https but if you still want to use http protocol then add the following to your Info.plist file in iOS:
<key>NSAppTransportSecurity</key>
<dict>
<key>NSAllowsArbitraryLoads</key>
<true/>
</dict>
Also for android add this entry in AndroidManifest.xml file:
<application
...
android:usesCleartextTraffic="true">
...
</application>
By default, Flutter disables insecure HTTP connections on iOS and Android to improve security and prevent man-in-the-middle attacks. However, if you need to allow insecure HTTP connections for testing or other purposes, you can do so by using the http package's BadCertificateCallback function.
To allow insecure HTTP connections in your Flutter app, you can do the following:
Import the http package and the dart:io library:
import 'package:http/http.dart' as http;
import 'dart:io';
Create a function that returns true for any certificate that should be allowed. For example, the following function allows any certificate:
bool allowInsecureCertificates(X509Certificate cert, String host, int port) {
return true;
}
Use the http.Client constructor and pass the allowInsecureCertificates function as the onBadCertificate parameter to create an HTTP client that allows insecure certificates:
final client = http.Client(onBadCertificate: allowInsecureCertificates);
Use the client to make HTTP requests as needed. For example:
final response = await client.get('http://insecure-server.com/data');
Keep in mind that allowing insecure HTTP connections can compromise the security of your app and the data it handles. It is generally not recommended to allow insecure HTTP connections in production environments. Instead, you should use secure HTTPS connections to protect the integrity and confidentiality of your data.
Is it any specific domain you are trying to call?
You can try adding the <domain-config> tag, if you know which domain you might be using. There is a section on Android documentation, if you want to force the system to use only secure connections here.
But you can try changing some values in that to see if disabling those force items can solve your problem.
Try something like this.
<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
<domain-config cleartextTrafficPermitted="true">
<domain includeSubdomains="true">network.domain.com</domain>
</domain-config>
</network-security-config>
But this is only for Android.

Access Application.properties in network_security_config.xml in Android app

I'm trying to access an IP over HTTP which is defined in application.properties file. How can I access the same in network_security_config without manually changing the file?
Application.properties:
IPv4_1=192.168.19.113
Network Security Config:
<domain includeSubdomains="true">192.168.19.113</domain>
I want to access it as application.properties.IPv4_1 or similar.

Only some people are able to connect to my AWS server

I experience the following situation:
Having an HTTP server written in Go using Gin framework and hosted on AWS, only some people (approximately 20%) are able to connect (everyone is connecting from a React Native axios client using an Android device).
The server is located on ec2-3-131-85-255.us-east-2.compute.amazonaws.com:2302. Every request is POST. For example, to register, users access the /register endpoint, http://ec2-3-131-85-255.us-east-2.compute.amazonaws.com:2302/register.
Any hint would be helpful. Thank you in advance.
Most of Android devices doesn't accept http protocol by default so you have to add https
and add this in your manifest application tag
android:networkSecurityConfig="#xml/network_security_config
and add this file to your android
res/xml/network_security_config
and write this inside this file
<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
<domain-config cleartextTrafficPermitted="true">
<domain includeSubdomains="true">Your URL</domain>
</domain-config>
<base-config cleartextTrafficPermitted="false"/>
</network-security-config>
Maybe some clients are behind a firewall that doesn't allow http requests to ports different than the default (80 for http or 443 for https). You could try to change the port number on which the server listens for requests to port 80.

Android app can't send request through NGROK on real device

I know there are a lot of similar question but mine is particular.
I have Android app using a NodeJS Back-end on localhost:3000. In order to test my app on my real device (and other friend so far from me), I'm using Ngrok to redirect requests.
Then, on Postman, I can reach the BackEnd through Ngrok. When I run my App on Android Studio emulator, requests sent from the app can reach the BackEnd through Ngrok. On my real device, when I open a browser and send /GET I can also reach BackEnd through Ngrok. But, when I run my app on my real device (I installed the apk-debug generated from Android Studio), the request doesn't have any response and I can't see Ngrok receiving it in the logs, neither the Back-end.
Retrofit retrofit = new Retrofit.Builder()
//.baseUrl("http://10.0.2.2:3000/")
.baseUrl("http://1e2b8b83.ngrok.io/")
.addConverterFactory(GsonConverterFactory.create())
.build();
I found it :
Android P version is blocking requests to HTTP servers. We should either communicate to an HTTPS server or to use a quick fix. The fix then is to create an xml file with the following content :
<network-security-config>
<domain-config cleartextTrafficPermitted="true">
<domain includeSubdomains="true">2b8e18b3.ngrok.io</domain>
<domain includeSubdomains="true">localhost</domain>
</domain-config>
then add it in the MANIFEST Application balise as follow :
<application
...
android:networkSecurityConfig="#xml/network_security_config"
... />
Big thanks to the guy who wrote this article :
https://medium.com/mindorks/my-network-requests-are-not-working-in-android-pie-7c7a31e33330

Requests intercepted in Burp - Trustkit SSL pinning implemented

We have implemented SSL pinning in our mobile app using Trustkit for both platform iOS and Android.
Our application is built in React-Native and we followed this tutorial
Let me describe what is happening on each platform
Android:
My network security configuration looks like this
<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
<domain-config>
<domain includeSubdomains="true">www.mydomain.com</domain>
<pin-set>
<pin digest="SHA-256">my_pin_1</pin>
<pin digest="SHA-256">my_pin_2</pin>
</pin-set>
<trustkit-config enforcePinning="true">
</trustkit-config>
</domain-config>
</network-security-config>
I obtained my PKP Hash which used as pin(my_pin_1) from here https://report-uri.com/home/pkp_hash
Rest I have overwritten OkHttpClient to implement Trustkit as per getting started guide of Truskit-Android.
I have tested by setting wrong pins, in that case app stops working.
iOS:
Same way we have implemented Trustkit. In iOS logs it shows SSL pinning is implemented and working.
Problem:
Still our app's network requests are getting intercepted in Burp suite software. Which effectively fails the motive of SSL pinning.
Is there any work around to this?

Categories

Resources