Android 9.0 CLEARTEXT communication to "ipaddress" not permitted by network security policy

Question

When I run my android project, with changed destination url https to http, I got an error "CLEARTEXT communication to mylocalipaddress not permitted by network security policy". So, I edit AndroidManifest.xml to android:targetSandboxVersion="1" in mainfest tag, and also network_security_config.xml to

<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <domain-config cleartextTrafficPermitted="true">
        <domain includeSubdomains="true">mylocalipaddress</domain>
        <domain includeSubdomains="true">myipdomain:3000</domain>
    </domain-config>
    <base-config cleartextTrafficPermitted="true">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>
</network-security-config>

But they don't works, and I got same error. One that I cannot sure is Q> is it okay that domain-config tag and base-config tag under network-security-config tag same time? If it's okay, what should I do?

my AndroidManifest.xml is

<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="kr.co.test.test_iaq"
          xmlns:tools="http://schemas.android.com/tools"
          android:targetSandboxVersion="1">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
    <uses-permission android:name="android.permission.CHANGE_NETWORK_STATE"/>
    <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION" />
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <meta-data android:name="PW_BROADCAST_PUSH" android:value="true"/>
    <application
            android:name=".MainApplication"
            android:label="@string/app_name"
            android:icon="@mipmap/ic_launcher"
            android:roundIcon="@mipmap/ic_launcher"
            android:allowBackup="true"
            android:theme="@style/AppTheme"
            android:largeHeap="true"
            android:usesCleartextTraffic="true"
            tools:ignore="GoogleAppIndexingWarning"
            android:networkSecurityConfig="@xml/network_security_config"
            tools:replace="android:allowBackup">
        <activity
                android:name=".MainActivity"
                android:launchMode="singleTask"
                android:label="@string/app_name"
                android:configChanges="keyboard|keyboardHidden|orientation|screenSize"
                android:windowSoftInputMode="adjustResize">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
            <!--external link-->
            <intent-filter>
                <action android:name="android.intent.action.VIEW" />
                <category android:name="android.intent.category.DEFAULT" />
                <category android:name="android.intent.category.BROWSABLE" />
                <data android:scheme="test"
                      android:host="jwt"/>
            </intent-filter>
        </activity>
        <activity android:name="com.facebook.react.devsupport.DevSettingsActivity"/>
        <activity android:name="com.kakao.auth.authorization.authcode.KakaoWebViewActivity"
                  android:launchMode="singleTop"
                  android:exported="false"
                  android:windowSoftInputMode="adjustResize">
        </activity>
    </application>

</manifest>

Also, can this error appear when POST request's endpoint is {ipaddress}:3000 case? I mean url is not domain name, http://ipaddress:port case.

Answer 1

android:usesCleartextTraffic="true"

just put this line in your Androidmanifest.xml in <application tag

Answer 2

Step 1:

enter image description here

   <?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config cleartextTrafficPermitted="true">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>
</network-security-config>

Step 2:

Add into AndroidMainfest

android:networkSecurityConfig="@xml/network_security_config"
android:usesCleartextTraffic="true"

Answer 3

You should set android:networkSecurityConfig attribute to your AndroidManifest.xml according to the documentation. Otherwise, Android won't see your network_security_config.xml file:

android:networkSecurityConfig="@xml/network_security_config"

Note that android:usesCleartextTraffic attribute will be ignored if you set android:networkSecurityConfig.

Yes, base-config and domain-config can be present at the same time.

Besides, port number isn't allowed in domain tag. Use just domain name or IP address:

<domain includeSubdomains="true">example.com</domain>

<domain includeSubdomains="true">localhost</domain>

<domain includeSubdomains="true">127.0.0.1</domain>

Answer 4

Android now forbid clear text network communication. It assumes everything is encrypted.

To allow something not encrypted, you need to add this line to AndroidManifest.xml:

 android:usesCleartextTraffic="true"