Introduction
In modern mobile app development, secure network communication is crucial. Starting with Android 9 (API level 28), cleartext traffic (HTTP) is disabled by default to enhance security. However, developers may need to configure their apps to handle HTTP traffic in specific scenarios, such as when dealing with legacy systems or during development on non-HTTPS servers. This tutorial will guide you through configuring your Android app to manage cleartext traffic effectively.
Understanding Cleartext Traffic
Cleartext traffic refers to network communication that occurs over the HTTP protocol, which is unencrypted and therefore vulnerable to eavesdropping. To protect user data, Android enforces a default policy disallowing cleartext traffic starting from API level 28. This means any attempt to communicate over HTTP will result in an exception unless explicitly permitted.
Configuring Network Security
To manage network security settings in your Android app, you can use the Network Security Configuration feature introduced in Android 7 (API level 24). This allows you to specify security policies for different domains and protocols directly within your XML resources.
Option 1: Use HTTPS
The most secure option is to ensure all network communication occurs over HTTPS. Modify your URLs to begin with https:// instead of http://. This not only adheres to Android’s default security policy but also protects user data in transit.
Option 2: Allow Cleartext for Specific Domains
If you must use HTTP, configure your app to allow cleartext traffic for specific domains. Create a file named network_security_config.xml in the res/xml directory with the following content:
<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
<domain-config cleartextTrafficPermitted="true">
<domain includeSubdomains="true">api.example.com</domain>
</domain-config>
</network-security-config>
Then, reference this configuration in your AndroidManifest.xml:
<manifest ...>
<application
android:networkSecurityConfig="@xml/network_security_config"
... >
...
</application>
</manifest>
Option 3: Allow Cleartext Globally
If you need to allow cleartext traffic across all domains, modify your AndroidManifest.xml as follows:
<manifest ...>
<uses-permission android:name="android.permission.INTERNET" />
<application
android:usesCleartextTraffic="true"
... >
...
</application>
</manifest>
Option 4: Adjust targetSandboxVersion
If your app targets Android 8 or higher, ensure that android:targetSandboxVersion is set to 1 in the manifest. This setting affects the default behavior of cleartext traffic permissions:
<manifest android:targetSandboxVersion="1">
<uses-permission android:name="android.permission.INTERNET" />
...
</manifest>
Option 5: Environment-Specific Configuration
For development flexibility, configure your app to allow cleartext traffic only in debug mode while enforcing HTTPS in production:
In build.gradle:
// Debug build type
debug {
manifestPlaceholders = [usesCleartextTraffic:"true"]
}
// Release build type
release {
manifestPlaceholders = [usesCleartextTraffic:"false"]
}
In AndroidManifest.xml:
<application
android:usesCleartextTraffic="${usesCleartextTraffic}"
... >
...
</application>
Overriding Configuration for Different Build Types
To maintain different configurations for debug, release, and other build types, use source sets. Create a debug directory under src with its own AndroidManifest.xml to override specific settings:
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
package="com.yourappname">
<application
android:usesCleartextTraffic="true"
... >
</application>
</manifest>
This approach ensures that your production app remains secure while allowing flexibility during development.
Best Practices
- Default to HTTPS: Always prefer HTTPS for network communication to ensure data security.
- Limit Cleartext Use: If HTTP is necessary, restrict cleartext traffic to specific domains or build types.
- Regularly Review Security Configurations: As your app evolves, periodically review and update your network security configurations.
By following these guidelines, you can effectively manage network security in your Android apps while balancing the needs of development and production environments.