
How to allow all Network connection types HTTP and HTTPS in Android (9) Pie?

android
network-security
https
http
by Alex Kataev · Oct 3, 2024
TLDR

Here's how to rapidly allow HTTP and HTTPS on Android 9 by modifying your app's network security config:

  1. Create res/xml/network_security_config.xml:

     <network-security-config>
         <!-- Notice: HTTP, not NHTSA. Ticket rescinded. 🚔 -->
         <base-config cleartextTrafficPermitted="true" />
     </network-security-config>

  2. Reference it in AndroidManifest.xml:

     <application android:networkSecurityConfig="@xml/network_security_config" ...>
         ...
     </application>

By setting cleartextTrafficPermitted="true" in base-config, you're telling Android to allow cleartext HTTP connections to every host your app talks to. Exercise caution; HTTPS is your best friend for secure data transactions.

Unwrapping network security concepts

Security vs flexibility

While allowing both HTTP and HTTPS is essential for some apps, remember this could invite a few uninvited guests. HTTPS should be your go-to protocol. Grant HTTP permission only to the domains you can vouch for and comprehend the security implications involved.

Changes in default behavior

In the savannah of Android Pie, the usesCleartextTraffic attribute defaults to false. This means apps targeting API level 28+ shoo away cleartext HTTP traffic without explicit permission. On the flip side, apps targeting API level 27 or lower are a bit more welcoming with true as their default.

Fortifying specific domains

With network_security_config.xml you can scope the cleartext exception to specific domains instead of opening it up for the whole app. Let's say you trust example.com; this goes inside <network-security-config>:

<domain-config cleartextTrafficPermitted="true">
    <!-- trust me, it's us - example.com -->
    <domain includeSubdomains="true">example.com</domain>
</domain-config>
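To check what a given network_security_config.xml actually permits before shipping, here is an added example (not from the original article) that resolves the app-wide setting and each domain rule, including the inheritance from base-config and the target-API default described above. The function names and the pay.example.com entry are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# The TL;DR config from this page: cleartext allowed for every host.
APP_WIDE = """<network-security-config>
  <base-config cleartextTrafficPermitted="true" />
</network-security-config>"""

# Constructed sample: HTTPS-only by default, HTTP only for example.com,
# with one nested host (hypothetical) switched back to HTTPS-only.
SCOPED = """<network-security-config>
  <base-config cleartextTrafficPermitted="false" />
  <domain-config cleartextTrafficPermitted="true">
    <domain includeSubdomains="true">example.com</domain>
    <domain-config cleartextTrafficPermitted="false">
      <domain includeSubdomains="false">pay.example.com</domain>
    </domain-config>
  </domain-config>
</network-security-config>"""

def _flag(node, inherited):
    """Read cleartextTrafficPermitted, falling back to the inherited value."""
    value = node.get("cleartextTrafficPermitted")
    return inherited if value is None else value.strip().lower() == "true"

def audit(config_xml, target_sdk=28):
    """Return (app_wide_cleartext, {domain_rule: cleartext_allowed})."""
    root = ET.fromstring(config_xml)
    # Platform default when unset: blocked for targetSdk 28+, allowed for 27 and lower.
    default = target_sdk < 28
    base = root.find("base-config")
    app_wide = default if base is None else _flag(base, default)
    rules = {}

    def walk(node, inherited):
        for dc in node.findall("domain-config"):
            allowed = _flag(dc, inherited)  # unset values come from the parent
            for dom in dc.findall("domain"):
                subs = dom.get("includeSubdomains", "false").lower() == "true"
                rules[(dom.text or "").strip() + (" (+subdomains)" if subs else "")] = allowed
            walk(dc, allowed)  # a nested domain-config inherits from this one

    walk(root, app_wide)
    return app_wide, rules

if __name__ == "__main__":
    for name, xml in (("app-wide", APP_WIDE), ("scoped", SCOPED)):
        print(name, audit(xml))
```

A release check can fail the build when the first element of the result is True, or when a domain outside an approved list maps to True.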

React Native, you too!

Now, could we leave React-Native out of the fun? Modify your react_native_config.xml and get your app's network requests to follow the security protocol you've designed.

Developer pro tips

Debug prudently

Never release without prudent debugging and testing. Ensure your app behaves well and doesn't trigger any security red flags.

Dealing with legacy

Occasionally, you may have to make a truce with older HTTP APIs. In such cases, keep this handy inside the <application> element of AndroidManifest.xml:

<!-- Never too late for legacy libraries, eh? -->
<uses-library android:name="org.apache.http.legacy" android:required="false"/>

Modern alternatives like OkHttp or Retrofit are steadfast companions for newer projects.

Localhost and IPs

Confirm your app plays nice with localhost and specific IPs, especially in development environments where some security drills can be bypassed.

Research, rinse and repeat

When you decide to bypass default TLS settings, research is your magic potion. Bear in mind, cleartext traffic attracts eavesdroppers and thus heightens vulnerability.

Catering to diverse needs

If your app demands flexibility and operates in environments with less than ideal infrastructure, offering both HTTP and HTTPS is a plausible course.