Permitting cleartext HTTP traffic from Android App in very limited circumstances

I have read Android 8: Cleartext HTTP traffic not permitted, but none of the answers appear to allow me to do what I want.

I have an Android application where another client can identify itself with a certificate. The application wants to verify that certificate. Part of verifying the certificate is fetching the certificate revocation list (CRL) from the certificate issuer. The distribution point(s) for the CRL is(are) listed in the certificate, and is inevitably an HTTP URL (the CRL itself is signed by the issuer so there is no security issue, and if it was an HTTPS URL, one would want to verify the certificate protecting the CRL distribution point, and check if it had been revoked ...)

Possible solutions, and why they don't work for me:

  • Don't worry about it - let the TLS library worry about validating the certificate. Unfortunately, there is no direct TLS connection between the two clients; it is all mediated through a server (which is connected to by TLS).
  • Create network_security_config.xml which lists the domains to which HTTP is allowed. Sadly, I don't know the URLs when I build the application - it depends on what the CA decides to put in their certificates.
  • Put android:usesCleartextTraffic="true" in the manifest. This means that any traffic can be HTTP, and I would rather avoid that if possible. (As an example, communication with the server absolutely must be HTTPS, and I would like an error if I do HTTP by accident.)

Is there any way for the code to say "this connection is allowed to be HTTP" (but default to HTTPS only)?


If you're using OkHttp, you can construct a client as such:

OkHttpClient client = new OkHttpClient.Builder()
    .connectionSpecs(Arrays.asList(ConnectionSpec.MODERN_TLS, ConnectionSpec.COMPATIBLE_TLS))
    .build();

This will only allow connections through HTTPS. So then, you can use your third option (android:usesCleartextTraffic="true") and when you make a cleartext connection through this client, it will fail.

Finally, you can create a standard OkHttp client:

OkHttpClient client = new OkHttpClient.Builder().build();

when you want to use the cleartext connection.

EDIT: Using HttpURLConnection, you can simply check if the returned connection is an HttpsURLConnection, like:

// Declared outside the try block so that finally can still disconnect it
HttpURLConnection urlConnection = null;
try {
    URL my_url = new URL(path);
    urlConnection = (HttpURLConnection) my_url.openConnection();
    if (!(urlConnection instanceof HttpsURLConnection)) {
        // cleartext connection, throw error
        throw new NotHttpsException();
    }
    // the connection is secure, do normal stuff here
    urlConnection.setRequestMethod("POST");
    urlConnection.setConnectTimeout(1500);
    urlConnection.setReadTimeout(1500);
    result = IOUtil.readFully(urlConnection.getInputStream());
} catch (Exception e) {
    e.printStackTrace();
} finally {
    if (urlConnection != null) urlConnection.disconnect();
}
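The two-client split from this answer, written out as an added example (not code from the original answer): one HTTPS-only client for application traffic and one cleartext-only client reserved for CRL downloads. The names `CrlHttp`, `fetchCrl` and `MAX_CRL_BYTES` and the size cap are assumptions, and, as the answer says, the manifest must permit cleartext for the second client to work.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.Collections;
import okhttp3.ConnectionSpec;
import okhttp3.HttpUrl;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.Response;
import okhttp3.ResponseBody;
import okio.BufferedSource;

/** Added example: class, method and constant names are hypothetical. */
public final class CrlHttp {
    private static final long MAX_CRL_BYTES = 5L * 1024 * 1024; // assumed cap

    /** For all application traffic: a plain http:// URL fails on this client. */
    public static final OkHttpClient HTTPS_ONLY = new OkHttpClient.Builder()
            .connectionSpecs(Arrays.asList(ConnectionSpec.MODERN_TLS, ConnectionSpec.COMPATIBLE_TLS))
            .build();

    /** For CRL downloads only: cleartext, and redirects are never followed. */
    private static final OkHttpClient CRL_ONLY = new OkHttpClient.Builder()
            .connectionSpecs(Collections.singletonList(ConnectionSpec.CLEARTEXT))
            .followRedirects(false)
            .build();

    /** Returns unauthenticated bytes; verify the CRL signature before trusting them. */
    public static byte[] fetchCrl(String distributionPoint) throws IOException {
        HttpUrl url = HttpUrl.parse(distributionPoint); // null unless http or https
        if (url == null || url.isHttps()) {
            throw new IOException("expected an http:// CRL distribution point");
        }
        Request request = new Request.Builder().url(url).build();
        try (Response response = CRL_ONLY.newCall(request).execute()) {
            ResponseBody body = response.body();
            if (response.code() != 200 || body == null) {
                throw new IOException("CRL fetch failed: HTTP " + response.code());
            }
            BufferedSource source = body.source();
            // request() returns true only if more than the cap is available
            if (source.request(MAX_CRL_BYTES + 1)) {
                throw new IOException("CRL exceeds " + MAX_CRL_BYTES + " bytes");
            }
            return source.readByteArray();
        }
    }
}
```

Keeping `CRL_ONLY` private means the only cleartext path in the app is `fetchCrl`, so an accidental `http://` call to the server still fails on `HTTPS_ONLY`.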

The documentation on NetworkSecurityPolicy.isCleartextTrafficPermitted() says

This flag is honored on a best effort basis because it's impossible to prevent all cleartext traffic from Android applications given the level of access provided to them. For example, there's no expectation that the Socket API will honor this flag because it cannot determine whether its traffic is in cleartext.

So maybe this is an option for you: fetch the CRL using a Socket. There is a post by Daniel Nugent describing how to set up a simple TCP client.

The app has a TLS connection with the server. You can ask the server to hand off those CRL URLs to you (it is handing off the certificate in the first place, right?). It could even do it beforehand and provide the certificate together with the CRLs. In this way you get the CRLs without losing the HTTPS lock or having to make exceptions.
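Whichever way the CRL bytes arrive (relayed by the server as suggested here, or downloaded over HTTP), they are only usable once the issuer's signature and the freshness window have been checked. The following is an added example, not code from the original post; `CrlCheck` and its parameters are hypothetical names, and it assumes the issuer certificate has already been validated and that the CRL is signed directly by that issuer.

```java
import java.io.ByteArrayInputStream;
import java.security.GeneralSecurityException;
import java.security.cert.CRLException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.util.Date;

/** Added example: names are hypothetical; issuer is assumed to be trusted already. */
public final class CrlCheck {
    /** Returns true if cert is revoked; throws if the CRL itself cannot be trusted. */
    public static boolean isRevoked(byte[] crlBytes, X509Certificate cert,
                                    X509Certificate issuer, Date now)
            throws GeneralSecurityException {
        CertificateFactory factory = CertificateFactory.getInstance("X.509");
        X509CRL crl = (X509CRL) factory.generateCRL(new ByteArrayInputStream(crlBytes));

        // The CRL and the certificate must both name the same issuing CA.
        if (!crl.getIssuerX500Principal().equals(issuer.getSubjectX500Principal())
                || !cert.getIssuerX500Principal().equals(issuer.getSubjectX500Principal())) {
            throw new CRLException("CRL or certificate not issued by the expected CA");
        }

        // Signature check: this is what makes the transport irrelevant.
        crl.verify(issuer.getPublicKey()); // throws on a bad signature

        if (crl.hasUnsupportedCriticalExtension()) {
            throw new CRLException("CRL has an unsupported critical extension");
        }

        // Freshness check: an old but validly signed CRL can be replayed on a
        // cleartext path, hiding a recent revocation.
        if (crl.getThisUpdate().after(now)) {
            throw new CRLException("CRL is not yet valid");
        }
        Date nextUpdate = crl.getNextUpdate();
        if (nextUpdate == null || nextUpdate.before(now)) {
            throw new CRLException("CRL is stale or has no nextUpdate");
        }

        return crl.isRevoked(cert);
    }
}
```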

Cannot send data to the server: java.net.UnknownServiceException: CLEARTEXT communication to [HOST] not permitted by network security policy. The connection works fine on Android 7 and below. The cause of this problem is that a special security policy is required if the app connects to the server via HTTP instead of HTTPS protocol.


Cleartext is disabled by default on Android 9 (Pie, API 28) devices when your application is set to target and compile against Android 9. On the project's properties you will find the SDK you are compiling against under Application. Inside your Android Manifest options you will find the Target Framework, which can be set to Android 9. Network Security Config: to configure security options, you will create a new XML file under Resources/xml named network_security_config.xml.


Network security configuration allows an app to permit cleartext traffic from a certain domain, so there is no need to put in extra effort by declaring android:usesCleartextTraffic="true" in the application tag of your manifest file. It will be resolved automatically after upgrading the RN version.