How to allow all Network connection types HTTP and HTTPS in Android (9) Pie?
Here's how to rapidly allow HTTP and HTTPS on Android 9 by modifying your app's network security config:
- Create res/xml/network_security_config.xml:
- Reference the file in AndroidManifest.xml:
By setting cleartextTrafficPermitted="true", you're telling Android to let your app make cleartext HTTP connections. Exercise caution; HTTPS is your best friend for secure data transactions.
Unwrapping network security concepts
Security vs flexibility
While allowing both HTTP and HTTPS is essential for some apps, remember this could invite a few uninvited guests. HTTPS should be your go-to protocol. Grant HTTP permission only to the domains you can vouch for, and make sure you understand the security implications involved.
Changes in default behavior
In the savannah of Android Pie, the usesCleartextTraffic attribute defaults to false. This means apps targeting API level 28+ shoo away cleartext HTTP traffic without explicit permission. On the flip side, apps targeting API level 27 or lower are a bit more welcoming with true as their default.
Fortifying specific domains
You can tighten things up with network_security_config.xml, where per-domain configurations can be specified. Let's say you trust example.com.
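A network_security_config.xml that limits the cleartext exception to example.com instead of enabling it for every host, written as an added example that is not part of the original article. The 10.0.2.2 entry (the Android emulator's alias for the host machine) is an assumption for development builds.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml (added example, not the article's own file).
     Referenced from the <application> element in AndroidManifest.xml with:
       android:networkSecurityConfig="@xml/network_security_config" -->
<network-security-config>

    <!-- Permissive form: one line that allows cleartext HTTP to every host.
           <base-config cleartextTrafficPermitted="true" />
         Scoped form, used below: cleartext stays blocked unless a host is listed. -->
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <!-- Trust only the system CA store for TLS connections -->
            <certificates src="system" />
        </trust-anchors>
    </base-config>

    <!-- Cleartext exception restricted to named hosts -->
    <domain-config cleartextTrafficPermitted="true">
        <!-- example.com is the domain the article names;
             includeSubdomains="true" also covers api.example.com and similar -->
        <domain includeSubdomains="true">example.com</domain>
        <!-- Assumption: development-only entry for the emulator's host alias;
             remove it from release builds -->
        <domain includeSubdomains="false">10.0.2.2</domain>
    </domain-config>

</network-security-config>
```

Any host not listed in the domain-config falls back to the base-config, so an HTTP request to it is rejected by the platform rather than sent in the clear.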
React Native, you too!
Now, could we leave React Native out of the fun? Modify your react_native_config.xml and get your app's network requests to follow the security protocol you've designed.
Developer pro tips
Debug prudently
Never release without prudent debugging and testing. Ensure your app behaves well and doesn't trigger any security red flags.
Dealing with legacy
Occasionally, you may have to make a truce with older HTTP APIs. In such cases, keep this handy:
Modern alternatives like OkHttp or Retrofit are steadfast companions for newer projects.
Localhost and IPs
Confirm your app plays nice with localhost and specific IP addresses, especially in development environments where some security checks can be bypassed.
Research, rinse and repeat
When you decide to bypass default TLS settings, research is your magic potion. Bear in mind, cleartext traffic attracts eavesdroppers and thus heightens vulnerability.
Catering to diverse needs
If your app demands flexibility and operates in environments with less than ideal infrastructure, offering both HTTP and HTTPS is a plausible course.