We send an HTTP request to a device on a local network (192.168.1.1) in an Android app. The device only accepts HTTP not https requests. It was working until the Android system update yesterday (T837VVRU1BSC3). Now cleartext traffic is rejected.
I have tried the following without success:
android:usesCleartextTraffic="true"
adding android:networkSecurityConfig="#xml/network_security_config" and
<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
<domain-config cleartextTrafficPermitted="true">
<domain includeSubdomains="true">192.168.1.1</domain>
</domain-config>
</network-security-config>
changing the xml file to:
<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
<base-config cleartextTrafficPermitted="true">
<trust-anchors>
<certificates src="system" />
</trust-anchors>
</base-config>
</network-security-config>
These are the only suggested solutions I can find to permit cleartext traffic. Does anyone know of other solutions?
Add the below line in the manifest in the application tag where icon, label, theme is defined
android:usesCleartextTraffic="true"
Add the "android:usesCleartextTraffic="true" in the AndroidManifest.xml is okey
<application
android:allowBackup="true"
android:icon="#mipmap/ic_launcher"
android:label="#string/app_name"
android:supportsRtl="true"
android:theme="#style/Theme.AppCompat.Light.NoActionBar"
android:usesCleartextTraffic="true">
Related
I was trying to communicate with my server using Axios. I checked it worked well in the same URL, same body data in Postman. However, in most conditions, the application doesn't make an HTTP call - It only works when I turn on network inspector in react-native-debugger with debug mode. make a bunch of error messages like below.
Error: Network Error at createError
(http://localhost:8081/index.bundle?platform=android&dev=true&minify=false&app=com.wheelie&modulesOnly=false&runModule=true:115372:17) at EventTarget.handleError
(http://localhost:8081/index.bundle?platform=android&dev=true&minify=false&app=com.wheelie&modulesOnly=false&runModule=true:115282:16) at EventTarget.dispatchEvent
(http://localhost:8081/index.bundle?platform=android&dev=true&minify=false&app=com.wheelie&modulesOnly=false&runModule=true:33554:27) at EventTarget.setReadyState
(http://localhost:8081/index.bundle?platform=android&dev=true&minify=false&app=com.wheelie&modulesOnly=false&runModule=true:32692:20) at EventTarget.__didCompleteResponse
(http://localhost:8081/index.bundle?platform=android&dev=true&minify=false&app=com.wheelie&modulesOnly=false&runModule=true:32500:16) at http://localhost:8081/index.bundle?platform=android&dev=true&minify=false&app=com.wheelie&modulesOnly=false&runModule=true:32616:47 at RCTDeviceEventEmitter.emit
(http://localhost:8081/index.bundle?platform=android&dev=true&minify=false&app=com.wheelie&modulesOnly=false&runModule=true:2310:37) at MessageQueue.__callFunction
(http://localhost:8081/index.bundle?platform=android&dev=true&minify=false&app=com.wheelie&modulesOnly=false&runModule=true:3348:31) at http://localhost:8081/index.bundle?platform=android&dev=true&minify=false&app=com.wheelie&modulesOnly=false&runModule=true:3076:17 at MessageQueue.__guard
(http://localhost:8081/index.bundle?platform=android&dev=true&minify=false&app=com.wheelie&modulesOnly=false&runModule=true:3302:13)
I read the article that android network policy may be the reason. I changed the AndroidManifest.xml below. Then I checked there is http:// or https:// in a domain, and there was no problem with the domain. Finally, I added network_security_config.xml, but it doesn't make a change.
I use my physical android phone(galaxy A50, android 11) instead of AVD. targetSdkVersion and complieSdkVersion are also API 30, minSdkVersion is 22.
postLogIn
export function postLogIn(authorizationInfo: WheelieAuthorizationInfo) {
return axios.post<{
statusCode: number;
token: string;
}>(`${domain}/account/login`, authorizationInfo);
}
app/src/debug/AndrodiManifest.xml
<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
xmlns:tools="http://schemas.android.com/tools">
<uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
<uses-permission android:name="android.permission.ACCESS_NETWORK_STATE" />
<application
android:usesCleartextTraffic="true"
android:networkSecurityConfig="#xml/network_security_config"
tools:targetApi="28"
tools:ignore="GoogleAppIndexingWarning">
<activity android:name="com.facebook.react.devsupport.DevSettingsActivity" />
</application>
</manifest>
network_security_config.xml
<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
<base-config cleartextTrafficPermitted="true">
<trust-anchors>
<certificates src="system" />
<certificates src="user" />
</trust-anchors>
</base-config>
<domain-config cleartextTrafficPermitted="true">
<domain includeSubdomains="true">10.0.2.2</domain>
</domain-config>
</network-security-config>
I solved this problem two days ago by adding network_security_config.xml and network certificates(*.pem) for my backend API server.
References: Andorid Dev Network Security Configuration
First, add a custom networking security setting in AndroidManifest.xml
...
<application
...
android:networkSecurityConfig="#xml/network_security_config">
Second, make ./android/app/src/main/res/xml/network_security_config.xml
<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
<domain-config>
<domain includeSubdomains="true">pedalers.net</domain>
<trust-anchors>
<certificates src="#raw/my_ca"/>
</trust-anchors>
</domain-config>
<domain-config cleartextTrafficPermitted="true">
<!-- Without localhost setting, it's unable to connect metro with app. -->
<domain includeSubdomains="true">127.0.0.1</domain>
<!-- For physical phone, 10.0.0.1 is the address connect to computer -->
<domain includeSubdomains="true">10.0.0.1</domain>
<!-- For AVD, 10.0.2.2 is the address connect to computer -->
<domain includeSubdomains="true">localhost</domain>
</domain-config>
</network-security-config>
Third, add the self-signed or non-public CA certificate, in PEM or DER format, to res/raw/my_ca.
my program takes an URL from the user, so it may make request to any website of the internet.
I'm trying to make this possible, I looked up all the answers about "Android HTTP Cleartext" errors, and made this, but it still doesn't let me connect my test local PHP server, what am I missing here?
<uses-permission android:name="android.permission.INTERNET" />
...
<application
...
android:usesCleartextTraffic="true"
android:networkSecurityConfig="#xml/network_security_config"
tools:ignore="UnusedAttribute"
My security config:
<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
<domain-config cleartextTrafficPermitted="true">
<domain includeSubdomains="true">api.example.com</domain>
</domain-config>
</network-security-config>
Thanks!
Try changing your network_security_config.xml as follows:
<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
<base-config cleartextTrafficPermitted="true"></base-config>
</network-security-config>
Note: this is a followup question.
I'm trying to allow http traffic in the android manifest of a react native application.
As explained here, I created a xml file:
<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
<domain-config cleartextTrafficPermitted="true">
<domain includeSubdomains="true">192.168.1.61</domain>
</domain-config>
</network-security-config>
and referenced it in the manifest, in the element :
android:networkSecurityConfig="#xml/network_security_config"
At compile time, I have the following error:
Manifest merger failed : Attribute application#networkSecurityConfig value=(#xml/react_native_config) from AndroidManifest.xml:17:7-67
is also present at AndroidManifest.xml:17:7-67 value=(#xml/network_security_config).
Suggestion: add 'tools:replace="android:networkSecurityConfig"' to element at AndroidManifest.xml:7:5-138 to override.
I tried the suggested workaround but the error is still here.
What is the correct way to achieve what I want?
I have the same issue.
For react native, i found that it already has react_native_config.xml at project/android/app/src/debug/res/xml/react_native_config.xml
just add your domain in react_native_config.xml example
<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
<domain-config cleartextTrafficPermitted="true">
<domain includeSubdomains="true">example.com</domain>
<domain includeSubdomains="false">localhost</domain>
<domain includeSubdomains="false">10.0.2.2</domain>
<domain includeSubdomains="false">10.0.3.2</domain>
</domain-config>
</network-security-config>
<application
xmlns:tools="http://schemas.android.com/tools"
tools:replace="android:networkSecurityConfig"
android:networkSecurityConfig="#xml/network_security_config"
android:name=".MainApplication"
android:label="#string/app_name"
android:icon="#mipmap/ic_launcher"
android:roundIcon="#mipmap/ic_launcher_round"
android:allowBackup="false"
android:theme="#style/AppTheme">
Google Play Pre-launch Reports Security Vulnerability Which Says that
Your app's Network Security Configuration allows cleartext traffic for all domains. This could allow eavesdroppers to intercept data sent by your app. If that data is sensitive or user-identifiable it could impact the privacy of your users.
Consider only permitting encrypted traffic by setting the cleartextTrafficPermitted flag to false, or adding an encrypted policy for specific domains. Learn more
network_security_config.xml
<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
<base-config cleartextTrafficPermitted="true">
<trust-anchors>
<certificates src="system"/>
</trust-anchors>
</base-config>
<domain-config cleartextTrafficPermitted="true">
<domain includeSubdomains="true">127.0.0.1</domain>
</domain-config>
</network-security-config>
AndroidManifest.xml
<application
android:name="com.example.MyActivity"
android:allowBackup="false"
tools:replace="allowBackup"
android:icon="#drawable/ic_launcher"
android:label="#string/app_name"
android:largeHeap="true"
android:theme="#style/AppTheme"
android:hardwareAccelerated="true"
android:resizeableActivity="false"
android:networkSecurityConfig="#xml/network_security_config">
My Doubt is if my give my own domain name domain-config as cleartextTrafficPermitted="true" for example
<domain-config cleartextTrafficPermitted="true">
<domain includeSubdomains="true">http://my-domain.com</domain>
</domain-config>
Does it clears my Security Vulnerability issue?
I need know wheather if i need to set domain-config for my third party ads
networks?
Below the configuration clears Google Play Security Vulnerability
Note:
we have use only https urls in android pie
To use http in android pie we need to include
the domain name in domain-config
<base-config cleartextTrafficPermitted="false">
<trust-anchors>
<certificates src="system"/>
</trust-anchors>
</base-config>
<domain-config cleartextTrafficPermitted="true">
<domain includeSubdomains="true">myowndomain.com</domain>
</domain-config>
You have to add an attribute of android:usesCleartextTraffic="true" on application tag in AndroidManifes.xml file.
And also add this.
<uses-library android:name="org.apache.http.legacy" android:required="false"/>
I am creating my web app using phonegap and it works fine but I come to know that it is not working in android 9 pie, it shows web page not found with the below message
net::ERR CLEARTEXT_NOT_PERMITTED
I tried to rectify it by adding the below code in my network-security-config.xml file
<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
<base-config cleartextTrafficPermitted="true">
<trust-anchors>
<certificates src="system" />
</trust-anchors>
</base-config>
</network-security-config>
And also added the below lines in AndroidManifest.xml
<manifest... >
<application
android:icon="#drawable/icon"
android:label="#string/app_name"
android:networkSecurityConfig="#xml/network_security_config"
android:usesCleartextTraffic="true">
</application>
</manifest>
But I do not get it right. Can anyone help me with the solution ? Thanks in advance.
This simple code works for me:
network_security_config.xml
<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
<base-config cleartextTrafficPermitted="true" />
</network-security-config>
And in AndroidManifest file:
android:networkSecurityConfig="#xml/network_security_config">