I have a live working restful API returning JSON data created with nodeJS and uploaded to a webServer. Also I'm using react native to build the front end for both android and IOS. The api works fine and returns data as expected when I build debug version of the app in android using 'react-native run-android'. But the app seems to be unable to fetch data from the API while I build the release version in android using 'cd android && ./gradlew assembleRelease'. I can't see any hits in the node server from my app.
I'm using axios for my http requests.
My problem is resolved. As of Google's official documentation, requests to a web Server is possible only with a secured domain with valid SSL certificate.To force HTTP requests from insecure domain or domain with self signed certificate, just add a file in
"yourProject/android/app/src/main/res/xml/network_security_config.xml"
with following contents-
<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
<domain-config cleartextTrafficPermitted="true">
<!-- For React Native Hot-reloading system -->
<!-- If you are running on a device insert your computer IP -->
<domain includeSubdomains="true">localhost</domain>
<domain includeSubdomains="true">your own domain ip</domain>
<trust-anchors>
<certificates src="system" />
<certificates src="user" />
</trust-anchors>
</domain-config>
<base-config cleartextTrafficPermitted="false" />
</network-security-config>
and then import the xml file by adding this line to AndroidManifest.xml between application tag-
<application...
android:networkSecurityConfig="#xml/network_security_config"
...>
Adding android:usesCleartextTraffic="true" in android/app/src/main/AndroidManifest.xml works well for me. We may want to add also in the debug folder (sibling of main) for development purpose.
Related
I am simply trying to make a Capacitor (Angular) HTTP GET Request from the Android Virtual Device (API 29) to an API (.NET 6.0) also running on my PC.
In production I would change the API to only use HTTPS but for development I wanted HTTP as I wouldn't expect the AVD to accept the self-signed certificate.
The error I see is simply
was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint 'http://10.0.2.2:5409/FromMobile/test'. This request has been blocked; the content must be served over HTTPS.
I assume this is an issue mainly because Capacitor is serving via HTTPS but the call is to a non-secured HTTP api.
I tried with my IP address too but had the same error.
I have already added
android:usesCleartextTraffic="true"
to the manifest.xml file.
I also tried adding the network_security_config.xml
<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
<domain-config cleartextTrafficPermitted="true">
<domain includeSubdomains="true">10.0.2.2</domain>
</domain-config>
</network-security-config>
and
android:networkSecurityConfig="#xml/network_security_config"
But no change
UPDATE:
I have also tried installing the certificate on to the phone but this had made no difference
Try to change the Capacitor config:
const config: CapacitorConfig = {
server: {
androidScheme: 'http',
cleartext: true
},
android: {
allowMixedContent: true
},
};
Use this network_security_config.xml:
<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
<base-config cleartextTrafficPermitted="true">
<trust-anchors>
<certificates src="system" />
</trust-anchors>
</base-config>
</network-security-config>
I have a Xamarin.Forms application, for which I am able to debug in cleartext (http) mode, based on the inclusion of a network_security_config.xml file as follows:
<network-security-config>
<base-config cleartextTrafficPermitted="true" />
</network-security-config>
However, if I move the cleartextTrafficPermitted setting inside of a debug-overrides tag as follows, I get the error "Cleartext HTTP traffic to MYSITE is not permitted."
<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
<debug-overrides>
<base-config cleartextTrafficPermitted="true" />
</debug-overrides>
</network-security-config>
My application is running in debug mode. Even though app debugging was already working and mode was Debug, just in case I tried adding debuggable:true explicitly to the application tag in my AndroidManifest.xml, and have also tried adding (Debuggable = true) as a parameter in the ApplicationAttribute over my main application class declaration, but regardless of how I set the app to be debuggable, the base-config tag seems to be ignored if it's nested inside of a debug-overrides tag. Am I doing something wrong? Is there some other way to allow for HTTP to be permitted in debug mode but not in release mode?
I would suggest you to use domain specific config.
<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
<!-- default config that does not allow plain text traffic -->
<base-config cleartextTrafficPermitted="false">
<trust-anchors>
<certificates src="system" />
</trust-anchors>
</base-config>
<!-- Specific config for local tests (enable plain text traffic) -->
<domain-config cleartextTrafficPermitted="true">
<domain includeSubdomains="true">localhost</domain>
</domain-config>
</network-security-config>
The debug-overrides tag, as described in the android documentation, does not take the cleartextTrafficPermitted option.
This likely happens because you are referring to the debug mode of Android and Xamarin doesn't use it in its debug mode.
I cannot fully confirm this, but this is the only possible reason I can think of. As Xamarin doesn't use Java virtual machine on Android to run it likely can't use debug that is intended for this virtual machine.
Changing the [Application] attribute over my Application class as follows allows me to use HTTP during debug compiles only:
#if(DEBUG)
[Application(UsesCleartextTraffic=true)]
#else
[Application]
#endif
android:usesCleartextTraffic="true"
put this line in application tag in manifest file.
I am trying to consume RestApi from asp.net running in (local machine). I followed the exact steps on https://developer.android.com/training/articles/security-config#ConfigCustom in (Configure a custom CA)
but with no success, always getting the same error "java.security.cert.CertPathValidatorException: Trust anchor for certification path not found".
Steps i followed:
1- Exporsted the self-signed CA in .der from (Trusted Root Certification Authorities)
convert it to .pem, i took copy of the .pem and pasted(added it) to raw directory.
2- Created "network_security_config".
<network-security-config>
<domain-config>
<domain includeSubdomains="true">10.0.2.2</domain>
<trust-anchors>
<certificates src="#raw/localhost"/>
</trust-anchors>
</domain-config>
</network-security-config>
3- Modified AndroidManifest:
<application
android:networkSecurityConfig="#xml/network_security_config"
...
</application
Finally: in retrofit baseUrl("https://10.0.2.2:5001/api/")
Do something like this:
<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
<domain-config cleartextTrafficPermitted="true">
<domain includeSubdomains="true">192.168.0.106</domain>
</domain-config>
</network-security-config>
Just checked out with a dummy Spring Boot server and mini Android application.
You can check your open ports(Ubuntu):
sudo ufw app list
And add a new port like(Ubuntu):
sudo ufw allow 8080
I'm not using a Windows machine right now. So I can't tell how to enable it there. But there were actually multiple ways to do that.
As I found in this article.
I want to update my network security config to allow root certificates from the personal store of my android emulator.
but when I do this, I cant build my app anymore. The error message:
Unable to load script. Make sure you're either running a metro server
(run 'react-native-start') or that your bundle 'index.android.bundle'
is packaged correctly for release.
when i remove android:networkSecurityConfig="#xml/network_security_config" its all running fine again..
Does anyone know what to do? or has an other way of making changes to the security config?
okay, finally found it !! :)
React native does need clear text traffic for the build.. so the network security config file should contain: <base-config cleartextTrafficPermitted="true">
so i have a tag in src/debug/AndroidManifest.xml
<application tools:targetApi="28" tools:ignore="GoogleAppIndexingWarning"
android:networkSecurityConfig="#xml/react_native_config" />
and created a file src/debug/res/xml/react_native_config.xml with:
<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
<base-config cleartextTrafficPermitted="true">
<trust-anchors>
<certificates src="user"/>
<certificates src="system"/>
</trust-anchors>
</base-config>
</network-security-config>
I am trying to do a debug session on an App (Android) by monitoring the outbound/inbound HTTP traffic on Andy emulator.For SSL traffic I get following error :
Failure: SSLHandshake: Unsupported curveId: 29
In the past I was not receiving above error using that app .Could you guys tell me what this error means and how to fix it?Is there any problem within the app that causes to receive SSL error? Thanks
See the Android section in their documentation https://www.charlesproxy.com/documentation/using-charles/ssl-certificates
You need to add a network security config file for Android N and higher devices.
From Android N+, we have to add the Certificate in your app in network_security_config.xml and manifest.xml in order to intercept the HTTPS Traffic.
network_security_config.xml
<network-security-config>
<debug-overrides>
<trust-anchors>
<!-- Trust user added CAs while debuggable only -->
<certificates src="user" />
</trust-anchors>
</debug-overrides>
</network-security-config>
manifest.xml
<?xml version="1.0" encoding="utf-8"?>
<manifest ... >
<application android:networkSecurityConfig="#xml/network_security_config" ... >
...
</application>
</manifest>
Here is the quick tutorial: https://docs.proxyman.io/debug-devices/android-device