Dan Nichols

Reputation: 779

Android P - NetworkSecurityPolicy.isCleartextTrafficPermitted false when network-security-config base-config cleartextTrafficPermitted true

This is on Android P using the support library version 28.0.0-rc01.

I have followed the instructions/solutions for this issue based on several SO posts:

How to solve Android P DownloadManager stopping with "Cleartext HTTP traffic to 127.0.0.1 not permitted"?

Android 8: Cleartext HTTP traffic not permitted

along with several others.

The issue is that even though the network-security-config base-config sets this value to true, when I check the NetworkSecurityPolicy.isCleartextTrafficPermitted it returns false. This results in the ERR_CLEARTEXT_NOT_PERMITTED error when navigating to non-HTTPS pages in a WebView.

Here is a snippet of the AndroidManifest

<application
    ...
    android:supportsRtl="true"
    android:networkSecurityConfig="@xml/network_security_config"
    android:usesCleartextTraffic="true">

I have tried this with combinations of including just 'usesCleartextTraffic', just 'networkSecurityConfig' and both.

Here is the relevant network-security-config

<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config cleartextTrafficPermitted="true" >
        <trust-anchors>
            <certificates src="system"/>
        </trust-anchors>
    </base-config>
</network-security-config>

Note that I have tried it with and without the 'trust-anchors'. I do have both a prod AndroidManifest and network-security-config as well as a debug version. However, both have the same settings (debug allows for user certificates in addition to system).

I also verified the security policy is being read in by checking logcat. At this point, I am at a loss as it seems the setting is not being honored.

Any help would be appreciated.

Upvotes: 2

Views: 10040

Answers (2)

droid_dev

Reputation: 303

I just have:

android:usesCleartextTraffic="true" 

in the manifest and removed network_security_config.xml. That seems to work!

Upvotes: 9

Dan Nichols

Reputation: 779

For some reason, the debug AndroidManifest and network-security-config were causing the issue even though the settings were nearly identical -- the only difference was the debug version also allowed user-generated certificates.

<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:tools="http://schemas.android.com/tools"
    xmlns:android="http://schemas.android.com/apk/res/android">

    <application
        android:networkSecurityConfig="@xml/network_security_config"
        tools:targetApi="n" />

</manifest>

<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <debug-overrides>
        <base-config cleartextTrafficPermitted="true" >
           <trust-anchors>
               <!-- Trust user added CAs while debuggable only -->
               <certificates src="user" />
               <certificates src="system" />
           </trust-anchors>
        </base-config>
    </debug-overrides>
</network-security-config>

Removing the debug AndroidManifest.xml and network_security_config.xml files resolved the issue. I am still not sure why that works, but we no longer require the debug manifest anyway, so going with that for now.

Upvotes: 7
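Added example, not part of the original posts: a small Python check that compares a network_security_config.xml against the documented element layout, in which `<debug-overrides>` may contain only `<trust-anchors>` and `<base-config>` sits directly under the root. It assumes a misplaced element is skipped by the platform and that the app-wide default is cleartext off when targeting API 28 or higher; `lint`, `ALLOWED` and the two sample strings are hypothetical names, with the samples constructed to mirror the files quoted above.

```python
import xml.etree.ElementTree as ET

# Child elements each tag may carry in the documented Network Security Config format.
ALLOWED = {
    "network-security-config": {"base-config", "domain-config", "debug-overrides"},
    "base-config": {"trust-anchors"},
    "domain-config": {"domain", "trust-anchors", "pin-set", "domain-config"},
    "debug-overrides": {"trust-anchors"},
    "trust-anchors": {"certificates"},
    "pin-set": {"pin"},
}

def lint(xml_text, target_sdk=28):
    """Return (app-wide cleartext flag, findings) for one config file."""
    root = ET.fromstring(xml_text)
    findings = []
    def walk(node, path):
        for child in node:
            where = path + "/" + child.tag
            if child.tag not in ALLOWED.get(node.tag, set()):
                # Assumption: the platform skips a misplaced element and its subtree.
                findings.append("misplaced <%s> at %s" % (child.tag, where))
                continue
            walk(child, where)
    walk(root, root.tag)
    # Documented default: cleartext is permitted only when targeting API 27 or lower.
    default = target_sdk < 28
    base = root.find("base-config")
    if base is None:
        findings.append("no top-level <base-config>; targetSdk default applies")
        cleartext = default
    else:
        cleartext = base.get("cleartextTrafficPermitted", str(default).lower()) == "true"
    if cleartext:
        findings.append("cleartext permitted for every host; scope it with <domain-config>")
    return cleartext, findings

# Constructed samples mirroring the two files quoted on this page.
MAIN_CONFIG = """<network-security-config>
  <base-config cleartextTrafficPermitted="true">
    <trust-anchors><certificates src="system"/></trust-anchors>
  </base-config>
</network-security-config>"""
DEBUG_CONFIG = """<network-security-config>
  <debug-overrides>
    <base-config cleartextTrafficPermitted="true">
      <trust-anchors><certificates src="user"/><certificates src="system"/></trust-anchors>
    </base-config>
  </debug-overrides>
</network-security-config>"""
```

Running `lint` on each variant's merged config in CI surfaces a file whose cleartext setting sits where it has no effect, and also flags builds where cleartext is enabled for every host.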
