Reputation: 17788
I had reports from users with Android 8 that my app (that uses back-end feed) does not show content. After investigation I found the following exception happening on Android 8:
08-29 12:03:11.246 11285-11285/ E/: [12:03:11.245, main]: Exception: IOException java.io.IOException: Cleartext HTTP traffic to * not permitted
at com.android.okhttp.HttpHandler$CleartextURLFilter.checkURLPermitted(HttpHandler.java:115)
at com.android.okhttp.internal.huc.HttpURLConnectionImpl.execute(HttpURLConnectionImpl.java:458)
at com.android.okhttp.internal.huc.HttpURLConnectionImpl.connect(HttpURLConnectionImpl.java:127)
at com.deiw.android.generic.tasks.AbstractHttpAsyncTask.doConnection(AbstractHttpAsyncTask.java:207)
at com.deiw.android.generic.tasks.AbstractHttpAsyncTask.extendedDoInBackground(AbstractHttpAsyncTask.java:102)
at com.deiw.android.generic.tasks.AbstractAsyncTask.doInBackground(AbstractAsyncTask.java:88)
at android.os.AsyncTask$2.call(AsyncTask.java:333)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at android.os.AsyncTask$SerialExecutor$1.run(AsyncTask.java:245)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1162)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:636)
at java.lang.Thread.run(Thread.java:764)
(I've removed package name, URL and other possible identifiers)
On Android 7 and lower everything works, I do not set android:usesCleartextTraffic in Manifest (and setting it to true does not help, that is the default value anyway), neither do I use Network Security Information. If I call NetworkSecurityPolicy.getInstance().isCleartextTrafficPermitted(), it returns false for Android 8, true for older version, using the same apk file.
I tried to find some mention of this on Google info about Android O, but without success.
Upvotes: 1755
Views: 1614311
Reputation: 183
I came across this problem while using Capacitor JS with Axios and the solution offered here solves only one part of it. In case anyone else who uses Capacitor comes across this issue, here is what worked for me:
You add this in your Android manifest on the application tag:
android:usesCleartextTraffic="true"
You need to add this to your capacitor config:
server: { androidScheme: 'http', url: ['*'] }
Note: The url can be a fixed one in my case I have dynamic urls so that is why I allow every URL.
I hope this helps everyone that is facing this issue.
Upvotes: 0
Reputation: 849
The issue likely arises because cleartext (non-HTTPS) HTTP traffic is blocked by default in Android 9 (Pie) and later. To resolve this, update your AndroidManifest.xml to allow cleartext traffic for specific domains by adding:
<application
android:usesCleartextTraffic="true"
android:networkSecurityConfig="@xml/network_security_config">
</application>
Create res/xml/network_security_config.xml:
<network-security-config>
<domain-config cleartextTrafficPermitted="true">
<domain includeSubdomains="true">yourdomain.com</domain>
</domain-config>
</network-security-config>
Upvotes: 3
Reputation: 141
After trying a lot of alternative solutions, it finally came to work with the following change in .NET 8 MAUI. I have already answered this question in the following thread as well: https://stackoverflow.com/a/78321629/10411872
Add the android:usesCleartextTraffic="true" text to the Application tag under AndroidManifest.xml
<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android">
<application ... android:usesCleartextTraffic="true"></application>
</manifest>
Upvotes: 2
Reputation: 475
I would suggest to add both dev and prod network configs:
add res/xml/network_security_config_dev.xml
<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
<domain-config cleartextTrafficPermitted="true">
<domain includeSubdomains="true">10.0.2.2</domain>
</domain-config>
</network-security-config>
add res/xml/network_security_config_prod.xml
<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
<domain-config cleartextTrafficPermitted="false">
<domain includeSubdomains="true">yourdomain.com</domain>
</domain-config>
</network-security-config>
under Gradle Scripts (in android studio), find build.gradle (android.app) and look for buildTypes: release and debug (create if not exists):
buildTypes {
release {
minifyEnabled false
manifestPlaceholders.securityConfig = "@xml/network_security_config_prod"
}
debug {
manifestPlaceholders.securityConfig = "@xml/network_security_config_dev"
}
}
in AndroidManifest.xml use securityConfig placeholder as following (which was defined in build.gradle):
<application
android:allowBackup="true"
android:icon="@mipmap/ic_launcher"
android:label="@string/app_name"
android:roundIcon="@mipmap/ic_launcher_round"
android:supportsRtl="true"
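android:networkSecurityConfig="${securityConfig}">
<!-- ${securityConfig} above is the placeholder; it is replaced per build type with the value set in build.gradle -->
...
</application>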
Upvotes: 17
Reputation: 37372
According to Network security configuration -
Starting with Android 9 (API level 28), cleartext support is disabled by default.
Also have a look at Android M and the war on cleartext traffic
Codelabs explanation from Google
Option 1 -
First try hitting the URL with https:// instead of http://
Option 2 -
Create file res/xml/network_security_config.xml -
<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
<domain-config cleartextTrafficPermitted="true">
<domain includeSubdomains="true">api.example.com</domain> <!-- to be adjusted -->
</domain-config>
</network-security-config>
AndroidManifest.xml -
<?xml version="1.0" encoding="utf-8"?>
<manifest ...>
<uses-permission android:name="android.permission.INTERNET" />
<application
...
android:networkSecurityConfig="@xml/network_security_config"
...>
...
</application>
</manifest>
Option 3 -
android:usesCleartextTraffic Doc
AndroidManifest.xml -
<?xml version="1.0" encoding="utf-8"?>
<manifest ...>
<uses-permission android:name="android.permission.INTERNET" />
<application
...
android:usesCleartextTraffic="true"
...>
...
</application>
</manifest>
Also as @david.s' answer pointed out android:targetSandboxVersion can be a problem too -
According to Manifest Docs -
android:targetSandboxVersion
The target sandbox for this app to use. The higher the sandbox version number, the higher the level of security. Its default value is 1; you can also set it to 2. Setting this attribute to 2 switches the app to a different SELinux sandbox. The following restrictions apply to a level 2 sandbox:
- The default value of usesCleartextTraffic in the Network Security Config is false.
- Uid sharing is not permitted.
So Option 4 -
If you have android:targetSandboxVersion in <manifest> then reduce it to 1
AndroidManifest.xml -
<?xml version="1.0" encoding="utf-8"?>
<manifest android:targetSandboxVersion="1">
<uses-permission android:name="android.permission.INTERNET" />
...
</manifest>
Upvotes: 3426
Reputation: 4577
Check that the domain is the right one in your network_security_config.xml.
In my case I used a command --external with ionic cordova which changed the domain.
SOLUTION 1
Remove the --external
SOLUTION 2
Edit your domain in network_security_config.xml
<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
<domain-config cleartextTrafficPermitted="true">
<domain includeSubdomains="true">
YOUR_DOMAIN (ex: localhost)
</domain>
</domain-config>
</network-security-config>
Upvotes: 0
Reputation: 13628
Ok, that's ⇒⇒ NOT ⇐⇐ the thousandth repeat of add it to your Manifest, but a hint which is based on this, but gives you an additional benefit (and maybe some background info).
This way you are able to use http for your DEV-Environment, and https for your PRODUCTION-Environment, without the need to change it all the time!
And this is needed, because generally you don't have an https-certificate for your local or dev environment, but it's a MUST-HAVE for production (and maybe for staging) environments.
Android has a kind of overwriting functionality for the src-Directory.
By default, you have
/app/src/main
But you can add additional directories to overwrite your AndroidManifest.xml. Here is how it works:
Inside of this File, you don't have to put all the Rules inside, but only the ones you like to overwrite from your /app/src/main/AndroidManifest.xml
Here an Example how it looks like for the requested CLEARTEXT-Permission:
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
package="com.yourappname">
<application
android:usesCleartextTraffic="true"
android:name=".MainApplication"
android:label="@string/app_name"
android:icon="@mipmap/ic_launcher"
android:allowBackup="false"
android:theme="@style/AppTheme">
</application>
</manifest>
With this knowledge it's now easy as 1,2,3 for you to overload your Permissions depending on your debug | main | release Environment.
The big benefit of it... you don't have debug-stuff in your production-Manifest and you keep a straight and easily maintainable structure
Upvotes: 78
Reputation: 1091
We were faced with a very similar problem and it was a pain to figure it out. For those unlucky souls who will have to deal with this, here is what we did:
The ionic app was working fine in the browser (Chrome, and Firefox), was deployed to Apple’s App store, and was communicating fine with our API on AWS. Then we went for the Android build. In the emulator, our https API request would not even get sent out. On a physical device, https requests would not get sent out either (after deploying to “internal testing” on Google Play)
Ran our app in the emulator. Opened Chrome, typed “chrome://inspect”, waited, clicked the link to the emulator instance, and was able to look at the network tab. The requests would quickly cycle from (pending) to (cancelled), without being sent out to the server.
Looked all over stackoverflow and the main advice was to disable https using the cleartextPermitted workaround, which is a terrible idea.
The other common advice is to use native http, but what’s the point of using ionic if we have to have 2 code bases, and I wanted to keep my http interceptors.
Added a network_security_config.xml file (which is probably not strictly necessary, but it removes a compilation warning in Android Studio.)
Checked the SSL certificate on our servers by clicking on the lock icon in a browser. Looked fine. (perhaps because it really wasn’t, but there was a manual override that I had added long ago and forgotten about). Lots of other tail-chasing…
Finally used sslshopper’s tool to verify our SSL cert: https://www.sslshopper.com/ssl-checker.html
Turns out that while our cert was ok, the chain of certs was not. This will show up as a red broken arrow in their diagnostics.
Basically, you have to take your SSL cert and create a bundle, by appending the SSL certs of the organization that provided your cert, and appending any other SSL certs that certify the certifier, until the whole chain is clean. We had used a provided bundle, but it was not going sufficiently up through the chain.
Fix the SSL chain:
cat your-purchased-cert-site-com.crt > your-site.bundle.crt
cat other-org-cert-sectigoRSA-bla-bla-bla.crt >> your-site.bundle.crt
cat another-org-cert-USERTrust-bla-bla-bla.crt >> your-site.bundle.crt
cat some-final-high-level-org-cert.crt >> your-site.bundle.crt
Then, in our case, for nginx on ubuntu:
put your-site.bundle.crt where it can be used. (in our case, /var/ssl)
update /etc/nginx/sites-available/site-name.conf:
ssl_certificate /var/ssl/your-site.bundle.crt;
ssl_certificate_key /var/ssl/your-private-key.key;
and restart your web server (in our case nginx: sudo systemctl restart nginx)
check it with sslshopper’s checker, you should see green arrows all the way.
started our emulator, and the API calls went right through.
Upvotes: 0
Reputation: 31
I had the same issue in my simple webview app because my URL was http://, but when you turn it to https:// the error got solved.
Upvotes: 0
Reputation: 209
videoView can't open this video Online video
Create file res/xml/network_security_config.xml
<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
<base-config cleartextTrafficPermitted="true">
<trust-anchors>
<certificates src="system" />
</trust-anchors>
</base-config>
</network-security-config>
New in the AndroidManifest.xml file under application:
android:networkSecurityConfig="@xml/network_security_config"
https://techprogrammingideas.blogspot.com/2021/02/android-code-for-displaying-video-with.html
https://youtu.be/90hWWAqfdUU
Upvotes: 3
Reputation: 1846
Put the following into your resources/android/xml/network_security_config.xml:
<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
<base-config cleartextTrafficPermitted="true" />
</network-security-config>
This solves the Failed to load resource: net::ERR_CLEARTEXT_NOT_PERMITTED problem on Android for Cordova / Ionic.
Upvotes: 5
Reputation: 655
Simple and Easiest Solution [Xamarin Form]
For Android
Android Project, then click on Properties, AssemblyInfo.cs and paste this code right there:
[assembly: Application(UsesCleartextTraffic = true)]
For iOS
Use NSAppTransportSecurity:
You have to set the NSAllowsArbitraryLoads key to YES under the NSAppTransportSecurity dictionary in your info.plist file.
<key>NSAppTransportSecurity</key>
<dict>
<key>NSAllowsArbitraryLoads</key>
<true/>
</dict>
Upvotes: 19
Reputation: 379
Adding ... android:usesCleartextTraffic="true" ... to your manifest file may appear to fix the problem but it opens a threat to data integrity.
For security reasons I used manifest placeholders with android:usesCleartextTraffic inside the manifest file (like in Option 3 of the accepted answer i.e @Hrishikesh Kadam's response) to only allow cleartext on debug environment.
Inside my build.gradle(:app) file, I added a manifest placeholder like this:
buildTypes {
release {
minifyEnabled false
proguardFiles getDefaultProguardFile('proguard-android-optimize.txt'), 'proguard-rules.pro'
}
debug {
manifestPlaceholders.cleartextTrafficPermitted ="true"
}
}
Note the placeholder name cleartextTrafficPermitted at this line above
manifestPlaceholders.cleartextTrafficPermitted ="true"
Then in my Android Manifest, I used the same placeholder ...
AndroidManifest.xml -
<?xml version="1.0" encoding="utf-8"?>
<manifest ...>
<uses-permission android:name="android.permission.INTERNET" />
<application
...
android:usesCleartextTraffic="${cleartextTrafficPermitted}"
...>
...
</application>
</manifest>
With that, cleartext traffic is only permitted under the debug environment.
Upvotes: 19
Reputation: 248
I am using Cordova 8 with cordova-plugin-whitelist 1.3.4 and with its default configuration my app has no access to the internet, and I only added a parameter in the manifest.xml -> android:usesCleartextTraffic="true"
The path of the manifest changed in Cordova 8: platform/android/app/src/main/AndroidManifest.xml.
<?xml version='1.0' encoding='utf-8'?>
<manifest android:hardwareAccelerated="true" android:versionCode="10000" android:versionName="1.0.0" package="io.cordova.hellocordova" xmlns:android="http://schemas.android.com/apk/res/android">
<supports-screens android:anyDensity="true" android:largeScreens="true" android:normalScreens="true" android:resizeable="true" android:smallScreens="true" android:xlargeScreens="true" />
<application
android:hardwareAccelerated="true"
android:icon="@mipmap/ic_launcher"
android:label="@string/app_name"
android:supportsRtl="true"
android:usesCleartextTraffic="true">
<activity android:configChanges="orientation|keyboardHidden|keyboard|screenSize|locale|smallestScreenSize|screenLayout|uiMode" android:label="@string/activity_name" android:launchMode="singleTop" android:name="MainActivity" android:theme="@android:style/Theme.DeviceDefault.NoActionBar" android:windowSoftInputMode="adjustResize">
<intent-filter android:label="@string/launcher_name">
<action android:name="android.intent.action.MAIN" />
<category android:name="android.intent.category.LAUNCHER" />
</intent-filter>
</activity>
</application>
<uses-permission android:name="android.permission.INTERNET" />
<uses-permission android:name="android.permission.ACCESS_NETWORK_STATE" />
</manifest>
This is really stupid because it is obvious that your app needs access to the internet....
Upvotes: 2
Reputation: 45
Try hitting the URL with "https://" instead of "http://"
Upvotes: 0
Reputation: 83
One-liner to solve your problem. I assume you will store your URL in the myURL string. Add this line and you are done. myURL = myURL.replaceFirst("^http://", "https://");
Upvotes: -3
Reputation: 6956
Cleartext is any transmitted or stored information that is not encrypted or meant to be encrypted.
When an app communicates with servers using cleartext network traffic, such as HTTP (not HTTPS), it could raise the risk of hacking and tampering of content. Third parties can inject unauthorized data or leak information about the users. That is why developers are encouraged to use secure traffic only, such as HTTPS. Here is the implementation and the reference of how to resolve this problem.
Upvotes: 1
Reputation: 783
If you are using ionic and getting this error during native http plugin, following fix needs to be done-
goto resources/android/xml/network_security_config.xml
Change it to-
<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
<domain-config cleartextTrafficPermitted="true">
<domain includeSubdomains="true">localhost</domain>
<domain includeSubdomains="true">api.example.com</domain> <!-- to be adjusted -->
</domain-config>
</network-security-config>
That worked for me!
Upvotes: 3
Reputation: 471
Cleartext support is disabled by default in Android 9 and above.
Try this one, I hope it will work fine.
Step 1: add inside the Android build.gradle (Module: App)
useLibrary 'org.apache.http.legacy'
android {
compileSdkVersion 28
useLibrary 'org.apache.http.legacy'
}
Then Step 2: in the manifest, add inside the application tag
<application
android:networkSecurityConfig="@xml/network_security_config"> <!-- file added in Step 4 -->
<!-- Step 3: add this element at the top -->
<uses-library
android:name="org.apache.http.legacy"
android:required="false" />
</application>
Step 4: Create Drawable >> Xml file >> name it network_security_config.xml
<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
<base-config cleartextTrafficPermitted="true">
<trust-anchors>
<certificates src="system" />
</trust-anchors>
</base-config>
</network-security-config>
Upvotes: 7
Reputation: 1540
I have removed this line from the android manifest file which is already there
android:networkSecurityConfig="@xml/network_security_config"
and added
android:usesCleartextTraffic="true"
this in to application tag in manifest
<application
android:usesCleartextTraffic="true"
android:allowBackup="true"
android:label="@string/app_name"
android:largeHeap="true"
android:supportsRtl="true"
android:theme="@style/AppTheme"
>
Then this error, Cleartext HTTP traffic to overlay.openstreetmap.nl not permitted, is gone for me in Android 9 and 10. I hope this will work for Android 8 also. If it helped you, don't forget to vote. Thank you.
Upvotes: 25
Reputation: 572
While the working answer, for me, was this by @PabloCegarra:
<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
<base-config cleartextTrafficPermitted="true">
<trust-anchors>
<certificates src="system" />
</trust-anchors>
</base-config>
</network-security-config>
You may receive a security warning regarding the cleartextTrafficPermitted="true"
If you know the domains to 'white list' you should mix both accepted answer and the above one:
<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
<base-config cleartextTrafficPermitted="false">
<trust-anchors>
<certificates src="system" />
</trust-anchors>
</base-config>
<domain-config cleartextTrafficPermitted="true">
<domain includeSubdomains="true">books.google.com</domain>
<trust-anchors>
<certificates src="system" />
</trust-anchors>
</domain-config>
</network-security-config>
This code is working for me, but my app needs to retrieve data from books.google.com only. By this way the security warning disappears.
Upvotes: 7
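Added example, not part of any answer on this page: a small Python model of how a network_security_config.xml like the ones quoted above resolves cleartext permission per host, useful for reviewing what a config actually opens up before it ships. The function names and sample hosts are hypothetical, and it models only cleartextTrafficPermitted (not trust anchors, debug-overrides or the manifest's usesCleartextTraffic).

```python
import xml.etree.ElementTree as ET

# Constructed samples mirroring configs quoted in the answers above.
ALLOWLIST = """<network-security-config>
  <base-config cleartextTrafficPermitted="false" />
  <domain-config cleartextTrafficPermitted="true">
    <domain includeSubdomains="true">books.google.com</domain>
  </domain-config>
</network-security-config>"""
BASE_OPEN = """<network-security-config>
  <base-config cleartextTrafficPermitted="true" />
</network-security-config>"""
EMPTY = "<network-security-config />"


def _flag(elem, inherited):
    """cleartextTrafficPermitted on elem, else the value inherited from its parent."""
    raw = elem.get("cleartextTrafficPermitted") if elem is not None else None
    return inherited if raw is None else raw.strip().lower() == "true"


def _collect(parent, inherited, rules):
    """Gather (domain, include_subdomains, permitted) from nested domain-configs."""
    for cfg in parent.findall("domain-config"):
        permitted = _flag(cfg, inherited)
        for dom in cfg.findall("domain"):
            name = (dom.text or "").strip().lower()
            subs = dom.get("includeSubdomains", "false").lower() == "true"
            rules.append((name, subs, permitted))
        _collect(cfg, permitted, rules)  # nested configs inherit from the parent
    return rules


def load_policy(config_xml, target_sdk):
    """Return (base_permitted, rules); the platform default flips at API 28."""
    root = ET.fromstring(config_xml)
    base = _flag(root.find("base-config"), target_sdk <= 27)
    return base, _collect(root, base, [])


def cleartext_permitted(config_xml, host, target_sdk=28):
    """Would http://host be allowed? The longest matching <domain> rule wins."""
    base, rules = load_policy(config_xml, target_sdk)
    host = host.lower().rstrip(".")
    best = None
    for name, subs, permitted in rules:
        # Subdomain match needs a dot boundary: "xbooks.google.com" must not match.
        if host == name or (subs and host.endswith("." + name)):
            if best is None or len(name) > len(best[0]):
                best = (name, permitted)
    return best[1] if best else base


def audit(config_xml, target_sdk=28):
    """List every scope in which cleartext is allowed, widest first."""
    base, rules = load_policy(config_xml, target_sdk)
    findings = ["base-config: cleartext permitted to every host"] if base else []
    for name, subs, permitted in rules:
        if permitted:
            findings.append(f"domain-config: {name}" + (" (+subdomains)" if subs else ""))
    return findings


if __name__ == "__main__":
    for label, cfg in (("allowlist", ALLOWLIST), ("base open", BASE_OPEN)):
        print(label, audit(cfg), cleartext_permitted(cfg, "example.org"))
```

A non-empty audit() result on the config used by the release build type is the thing to review; an entry starting with "base-config" means every host is reachable over plain HTTP.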
Reputation: 872
This is done for security reasons, you should always prefer to use HTTPS (HTTP Secure) where possible.
You can read more about it here
There are multiple solutions for this issue depending on your condition.
Server side: You should add HTTPS support to that server and use HTTPS instead of HTTP. These days you can even do it for free using services like LetsEncrypt and others
Client side: If you are using the HttpURLConnection from the java.net package you can switch to HttpsURLConnection of the java.net.ssl package, it has a similar if not identical API, so the switch should be effortless.
In case that the service you are communicating with supports HTTPS (which it most likely does) you can just change your request URL from http://abc.xyz to https://abc.xyz.
As a last resort, if the third party service that you want to communicate with does not support HTTPS or any other form of secure communication, you can use this answer, but again, this is not recommended as it defeats the purpose of this much needed security feature.
Upvotes: 3
Reputation: 2608
Update December 2019 ionic - 4.7.1
<manifest xmlns:tools="http://schemas.android.com/tools">
<application android:usesCleartextTraffic="true" tools:targetApi="28">
Please add the above content to the Android manifest .xml file
Previous Versions of ionic
Make sure you have the following in your config.xml in Ionic Project:
<edit-config file="app/src/main/AndroidManifest.xml" mode="merge" target="/manifest/application" xmlns:android="http://schemas.android.com/apk/res/android">
<application android:networkSecurityConfig="@xml/network_security_config" />
<application android:usesCleartextTraffic="true" />
</edit-config>
Run ionic Cordova build android. It creates Android folder under Platforms
Open Android Studio and open the Android folder present in our project project-platforms-android. Leave it for few minutes so that it builds the gradle
After gradle build is finished we get some errors for including minSdkVersion in manifest.xml.
Now what we do is just remove <uses-sdk android:minSdkVersion="19" /> from manifest.xml.
Make sure it's removed from both the locations:
- AndroidManifest.xml
- AndroidManifest.xml
Now try to build the gradle again and now it builds successfully
Make sure you have the following in Application tag in App → manifest → Androidmanifest.xml:
<application
android:networkSecurityConfig="@xml/network_security_config" android:usesCleartextTraffic="true" >
Open network_security_config (app → res → xml → network_security_config.xml).
Add the following code:
<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
<domain-config cleartextTrafficPermitted="true">
<domain includeSubdomains="true">xxx.yyyy.com</domain>
</domain-config>
</network-security-config>
Here xxx.yyyy.com is the link of your HTTP API. Make sure you don't include any Http before the URL.
Note: Now build the app using Android Studio (Build -- Build Bundle's/APK -- Build APK) and now you can use that App and it works fine in Android Pie. If you try to build app using ionic Cordova build android it overrides all these settings so make sure you use Android Studio to build the Project.
If you have any older versions of app installed, Uninstall them and give a try or else you will be left with some error:
App not Installed
Upvotes: 6
Reputation: 2964
For Xamarin.Android developers make sure HttpClient implementation and SSL/TLS is set to Default.
It can be found under Android Options -> Advanced Android Options.
Upvotes: 2
Reputation: 1116
Create file - res / xml / network_security.xml
In network_security.xml ->
<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
<domain-config cleartextTrafficPermitted="true">
<domain includeSubdomains="true">192.168.0.101</domain>
</domain-config>
</network-security-config>
Open AndroidManifest.xml :
android:usesCleartextTraffic="true" //Add this line in your manifests
<application
android:allowBackup="true"
android:icon="@mipmap/ic_launcher"
android:label="@string/app_name"
android:roundIcon="@mipmap/ic_launcher_round"
android:supportsRtl="true"
android:usesCleartextTraffic="true"
android:theme="@style/AppTheme">
Upvotes: 5
Reputation: 1099
Adding this parameter in the header resolved my issue in apiSauce React Native
"Content-Type": "application/x-www-form-urlencoded",
Accept: "application/json"
Upvotes: 0
Reputation: 1426
Just add android:usesCleartextTraffic="true" inside the <application> in AndroidManifest.xml file
Upvotes: 4
Reputation: 1127
In my case that URL is not working in browser also.
I check with https://www.google.com/
webView.loadUrl("https://www.google.com/")
And it worked for me.
Upvotes: 3
Reputation: 2189
In the AndroidManifest I found this parameter:
android:networkSecurityConfig="@xml/network_security_config"
and @xml/network_security_config is defined in network_security_config.xml as:
<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
<!--Set application-wide security config using base-config tag.-->
<base-config cleartextTrafficPermitted="false"/>
</network-security-config>
I just changed cleartextTrafficPermitted to true
Upvotes: 188