Google Play Pre-launch Reports Security Vulnerability Which Says Cleartext traffic allowed for all domains
H

2

6

The Google Play pre-launch report shows a security vulnerability, which says:

Your app's Network Security Configuration allows cleartext traffic for all domains. This could allow eavesdroppers to intercept data sent by your app. If that data is sensitive or user-identifiable it could impact the privacy of your users.

Consider only permitting encrypted traffic by setting the cleartextTrafficPermitted flag to false, or adding an encrypted policy for specific domains. Learn more

network_security_config.xml

<?xml version="1.0" encoding="utf-8"?>
<network-security-config>

    <base-config cleartextTrafficPermitted="true">
        <trust-anchors>
            <certificates src="system"/>
        </trust-anchors>
    </base-config>

    <domain-config cleartextTrafficPermitted="true">
        <domain includeSubdomains="true">127.0.0.1</domain>
    </domain-config>
</network-security-config>

AndroidManifest.xml

 <application
        android:name="com.example.MyActivity"
        android:allowBackup="false"
        tools:replace="allowBackup"
        android:icon="@drawable/ic_launcher"
        android:label="@string/app_name"
        android:largeHeap="true"
        android:theme="@style/AppTheme"
        android:hardwareAccelerated="true"
        android:resizeableActivity="false"
        android:networkSecurityConfig="@xml/network_security_config">

My doubt is: if I give my own domain name in domain-config with cleartextTrafficPermitted="true", for example

<domain-config cleartextTrafficPermitted="true">
        <domain includeSubdomains="true">my-domain.com</domain>
</domain-config>
  1. Does it clear my security vulnerability issue?
  2. I need to know whether I need to set domain-config for my third-party ad networks?
Harts answered 2/5, 2019 at 11:6 Comment(1)
Check this answer of mine: #54414787 - Angelo
H
9

The configuration below clears the Google Play security vulnerability.

Note:

  1. We have to use only HTTPS URLs in Android Pie.
  2. To use HTTP in Android Pie, we need to include the domain name in domain-config.

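<?xml version="1.0" encoding="utf-8"?>
<network-security-config>

    <!-- Default for every domain: HTTPS only -->
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system"/>
        </trust-anchors>
    </base-config>

    <!-- Exception: plain HTTP allowed only for this domain and its subdomains -->
    <domain-config cleartextTrafficPermitted="true">
        <domain includeSubdomains="true">myowndomain.com</domain>
    </domain-config>
</network-security-config>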

Harts answered 10/5, 2019 at 14:10 Comment(1)
Could you please confirm that for me? I'm using Facebook Ads, and instead of myowndomain.com they use 127.0.0.1. What should I do in this case? - Gyrostabilizer
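
Added example (not part of the original answers): a small Python check that reads a network_security_config.xml and reports whether base-config permits cleartext for all domains, which is the condition the pre-launch report flags, and which domain-config hosts are exempted. The `audit` function, the `base_default` parameter and the two sample strings (constructed and trimmed from the configurations above) are assumptions for this illustration; the default of false reflects apps targeting API 28 and above.

```python
import xml.etree.ElementTree as ET

# Constructed samples mirroring the question's and the answer's configurations.
QUESTION_CONFIG = """<network-security-config>
  <base-config cleartextTrafficPermitted="true">
    <trust-anchors><certificates src="system"/></trust-anchors>
  </base-config>
  <domain-config cleartextTrafficPermitted="true">
    <domain includeSubdomains="true">127.0.0.1</domain>
  </domain-config>
</network-security-config>"""
ANSWER_CONFIG = """<network-security-config>
  <base-config cleartextTrafficPermitted="false"/>
  <domain-config cleartextTrafficPermitted="true">
    <domain includeSubdomains="true">myowndomain.com</domain>
  </domain-config>
</network-security-config>"""


def _flag(elem, inherited):
    """Resolve cleartextTrafficPermitted; an unset attribute is inherited."""
    value = elem.get("cleartextTrafficPermitted")
    return inherited if value is None else value.strip().lower() == "true"


def audit(xml_text, base_default=False):
    """Return (base_allows_cleartext, sorted list of cleartext-exempt hosts).

    base_default (assumption) is the platform default applied when the flag
    is not set on base-config: False for apps targeting API 28 and above.
    """
    root = ET.fromstring(xml_text)
    base = root.find("base-config")
    base_allows = _flag(base, base_default) if base is not None else base_default
    domains = []

    def walk(parent, inherited):
        for cfg in parent.findall("domain-config"):
            allowed = _flag(cfg, inherited)
            if allowed:
                domains.extend((d.text or "").strip() for d in cfg.findall("domain"))
            walk(cfg, allowed)  # a nested domain-config inherits from its parent

    walk(root, base_allows)
    return base_allows, sorted(domains)


if __name__ == "__main__":
    for name, cfg in (("question", QUESTION_CONFIG), ("answer", ANSWER_CONFIG)):
        print(name, audit(cfg))
```

A first element of True means cleartext is permitted for every domain; the second element lists the hosts that would still be reachable over plain HTTP and should be reviewed one by one.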
A
-1

You have to add the attribute android:usesCleartextTraffic="true" to the application tag in the AndroidManifest.xml file.

And also add this.

<uses-library android:name="org.apache.http.legacy" android:required="false"/>
Angelo answered 10/10, 2019 at 9:42 Comment(1)
This should be a comment, not an answer. - Unhandsome
