Android P without TLS: network-security-config: cleartextTrafficPermitted not possible for IP (only domain)
C

5

13

I'm trying to connect to an embedded device with an HTTP server, which works fine on Android < P (until I set targetSdkVersion 28) because there was a change that network TLS is enabled by default.

There is a way to Opt out of cleartext traffic but it seems that this is only possible for domains and not IP addresses.


I've tried to set an android:networkSecurityConfig in the Manifest with the IP instead of the domain but this didn't work:

<network-security-config>
  <domain-config cleartextTrafficPermitted="false">
    <domain includeSubdomains="true">172.16.33.1</domain>
  </domain-config>
</network-security-config>

Setting this as a <base-config cleartextTrafficPermitted="false"> does not work either.


So it seems that there is no way to get non-TLS communication working when not having a domain. But because this is an embedded device in the local network we do not have a domain (we only know the IP).

This seems like a major problem for all kinds of embedded devices which would not be able to communicate anymore. Plus, "new apps and updates to existing apps require to target API level [28 in November 2020]" (starting in November 2018 with API 26 and advancing each year).

Any ideas how to make this possible?

Colure answered 21/6, 2018 at 6:57 Comment(3)
If you want to enable non-TLS communication, then you need to have cleartextTrafficPermitted as true, not false. - Granophyre
Arg, no way - too easy. My fault. Of course it needs to be true. It's working then with <base-config cleartextTrafficPermitted="true"> for IP addresses. THX! - Colure
Can you allow clearText for all URLs or do you have to specify each URL? - Filipe
C
25

It's working with <base-config cleartextTrafficPermitted="true"> for IP addresses.

(Of course it also needs to be true not false).

Colure answered 21/6, 2018 at 8:21 Comment(6)
Where does this go? Inside domain-config or just inside network-security-config? - Travax
developer.android.com/training/articles/… - Travax
Can you allow all URLs or do you have to specify each URL? - Filipe
@KrisB See my answer if you still need it - Gunning
This works, yet I think it's more a workaround than a solution. This <domain-config cleartextTrafficPermitted="true"> should do the work. If not, the problem is somewhere else. - Jessee
Is it possible to specify an IP range instead of a single IP address? - Gaidano
G
15

I know that this question has been answered and accepted, but if anyone needs to allow all cleartext traffic in the app (for all URLs), then the following line can be added to the application tag:

<application
    ...
    android:usesCleartextTraffic="true">
    ....
</application>

If your minSdkVersion is below 23, where this attribute was introduced, Android Studio will tell you:

Attribute usesCleartextTraffic is only used in API level 23 and higher (current min is ...)

However, as far as I have experienced, the "android:usesCleartextTraffic" attribute will simply be ignored on SDKs below 23.

This flag is ignored on Android 7.0 (API level 24) and above if an Android Network Security Config is present (link)

Gunning answered 11/7, 2019 at 6:30 Comment(0)
R
3

For me this answer alone didn't work. I have to register this config in the manifest file too, which is unknown for a hybrid developer. Below are my fixes.

network_security_config

<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
  <domain-config cleartextTrafficPermitted="true">
    <domain includeSubdomains="true">172.16.33.1</domain> <!-- Debug port -->
    <domain includeSubdomains="true">abc.com</domain>
  </domain-config>
</network-security-config>

AndroidManifest.xml

<?xml version="1.0" encoding="utf-8"?>
<manifest>
    <application android:networkSecurityConfig="@xml/network_security_config">
       
    </application>
</manifest>
Rana answered 28/10, 2020 at 15:4 Comment(1)
Sure you need to reference your network_security_config in the manifest. This was clear to me when I asked this question and is also mentioned at the very beginning of the documentation which I linked in my post (developer.android.com/training/articles/security-config). - Colure
P
2

@hardysim's answer is working; here is a quick example:

<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config cleartextTrafficPermitted="true"></base-config>
</network-security-config>
Papillote answered 2/2, 2020 at 10:37 Comment(0)
L
0

You can configure both domain and base:

<?xml version="1.0" encoding="utf-8"?>
<network-security-config xmlns:tools="http://schemas.android.com/tools">
    <base-config
        cleartextTrafficPermitted="true"
        tools:ignore="InsecureBaseConfiguration" />
    <domain-config cleartextTrafficPermitted="true">
        <domain includeSubdomains="true">localhost</domain>
        <domain includeSubdomains="true">10.0.2.2</domain>
        <domain includeSubdomains="true">127.0.0.1</domain>
    </domain-config>
</network-security-config>

And in the Manifest:

<application
   ...
   android:networkSecurityConfig="@xml/network_security_config">
   ...
</application>
Lanie answered 16/3, 2023 at 11:18 Comment(0)
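
Added example, not code from any of the posts above: a small Python check that reads a network security config and reports whether plain HTTP would be allowed to a given host, so the app-wide base-config approach can be compared with a domain-config scoped to the device IP. It assumes targetSdkVersion 28+ defaults (cleartext off when unset) and that an IP literal is matched as an exact host string; the function names and both sample configs are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample configs mirroring the two approaches in the answers above.
APP_WIDE = """<network-security-config>
  <base-config cleartextTrafficPermitted="true" />
</network-security-config>"""

SCOPED = """<network-security-config>
  <base-config cleartextTrafficPermitted="false" />
  <domain-config cleartextTrafficPermitted="true">
    <domain includeSubdomains="false">172.16.33.1</domain>
  </domain-config>
</network-security-config>"""

DEFAULT_CLEARTEXT = False  # assumption: targetSdkVersion >= 28


def _flag(elem, inherited):
    """Read cleartextTrafficPermitted, falling back to the inherited value."""
    if elem is None or "cleartextTrafficPermitted" not in elem.attrib:
        return inherited
    return elem.attrib["cleartextTrafficPermitted"].strip().lower() == "true"


def _rules(parent, inherited):
    """Yield (domain, include_subdomains, permitted) for every domain-config,
    including nested ones, which inherit unset values from their parent."""
    for cfg in parent.findall("domain-config"):
        permitted = _flag(cfg, inherited)
        for d in cfg.findall("domain"):
            sub = d.get("includeSubdomains", "false").lower() == "true"
            yield (d.text or "").strip().lower(), sub, permitted
        yield from _rules(cfg, permitted)


def cleartext_permitted(config_xml, host):
    """Return True if the config would allow plain HTTP to `host`."""
    root = ET.fromstring(config_xml)
    base = _flag(root.find("base-config"), DEFAULT_CLEARTEXT)
    host = host.lower()
    best = None  # most specific (longest) matching domain rule wins
    for domain, sub, permitted in _rules(root, base):
        if host == domain or (sub and host.endswith("." + domain)):
            if best is None or len(domain) > len(best[0]):
                best = (domain, permitted)
    return best[1] if best else base


def app_wide_cleartext(config_xml):
    """True when base-config opens cleartext to every host (audit finding)."""
    return _flag(ET.fromstring(config_xml).find("base-config"), DEFAULT_CLEARTEXT)
```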
