Android 8 Cleartext HTTP traffic not permitted

Question

I had reports from users with Android 8 that my app  that uses back-end feed  does not show content  After investigation I found following Exception happening on Android 8   08-29 12 03 11 246 11285-11285  E    12 03 11 245  main   Exception  IOException java io IOException  Cleartext HTTP traffic to   not permitted at com android okhttp HttpHandler CleartextURLFilter checkURLPermitted HttpHandler java 115  at com android okhttp internal huc HttpURLConnectionImpl execute HttpURLConnectionImpl java 458  at com android okhttp internal huc HttpURLConnectionImpl connect HttpURLConnectionImpl java 127  at com deiw android generic tasks AbstractHttpAsyncTask doConnection AbstractHttpAsyncTask java 207  at com deiw android generic tasks AbstractHttpAsyncTask extendedDoInBackground AbstractHttpAsyncTask java 102  at com deiw android generic tasks AbstractAsyncTask doInBackground AbstractAsyncTask java 88  at android os AsyncTask 2 call AsyncTask java 333  at java util concurrent FutureTask run FutureTask java 266  at android os AsyncTask SerialExecutor 1 run AsyncTask java 245  at java util concurrent ThreadPoolExecutor runWorker ThreadPoolExecutor java 1162  at java util concurrent ThreadPoolExecutor Worker run ThreadPoolExecutor java 636  at java lang Thread run Thread java 764     I ve removed package name  URL and other possible identifiers   On Android 7 and lower everything works  I do not set android usesCleartextTraffic in Manifest  and setting it to true does not help  that is the default value anyway   neither do I use Network Security Information  If I call NetworkSecurityPolicy getInstance   isCleartextTrafficPermitted    it returns false for Android 8  true for older version  using the same apk file  I tried to find some mention of this on Google info about Android O  but without success

User · Answer

I am also got the same  Cleartext HTTP traffic not permitted  error while developing my Application  I am using Retrofit2 for network calls in my application and I have two project environments dev  amp  production   My Production domain is having SSL certificate with HTTPS calls and dev won t have https  The configuration is added in the build flavors  But when I change to dev  this issue will trigger  So I have added below-solution for that   I have added cleartext traffic in the manifest   android usesCleartextTraffic  true    Then I have added a connection spec in the retrofit configuration class OKHttp creation time     connectionSpecs CollectionsKt listOf ConnectionSpec MODERN TLS  ConnectionSpec CLEARTEXT     Complete OkHttpClient creation is given below  OkHttpClient okHttpClient   new OkHttpClient Builder            readTimeout 10  TimeUnit SECONDS           connectTimeout 10  TimeUnit SECONDS           cache null           connectionSpecs CollectionsKt listOf ConnectionSpec MODERN TLS  ConnectionSpec CLEARTEXT            addInterceptor new NetworkInterceptor context            addInterceptor createLoggingInterceptor             addInterceptor createSessionExpiryInterceptor             addInterceptor createContextHeaderInterceptor             build

User · Answer

Oneliner to solve your problem  I assume you will store your URL in myURL string  Add this line and you are done  myURL   myURL replace  http    https

User · Answer

Adding                 android usesCleartextTraffic  true      to your manifest file may appear to fix the problem but it opens a threat to data integrity   For security reasons I used manifest placeholders with android usesCleartextTraffic inside the manifest file  like in Option 3 of the accepted answer i e  Hrishikesh Kadam s response  to only allow cleartext on debug environment    Inside my build gradle  app  file  I added a manifest placeholder like this       buildTypes           release               minifyEnabled false             proguardFiles getDefaultProguardFile  proguard-android-optimize txt     proguard-rules pro                     debug               manifestPlaceholders cleartextTrafficPermitted   true                    Note the placeholder name cleartextTrafficPermitted at this line above              manifestPlaceholders cleartextTrafficPermitted   true    Then in my Android Manifest  I used the same placeholder      AndroidManifest xml -    lt  xml version  1 0  encoding  utf-8   gt   lt manifest     gt       lt uses-permission android name  android permission INTERNET    gt       lt application                     android usesCleartextTraffic    cleartextTrafficPermitted               gt                   lt  application gt   lt  manifest gt    With that  cleartext traffic is only permitted under the debug environment

User · Answer

In my case that URL is not working in browser also   I check with https   www google com    webView loadUrl  https   www google com      And it worked for me

User · Answer

Simple and Easiest Solution  Xamarin Form      For Android    Goto Android Project  then Click on Properties       Open AssemblyInfo cs and paste this code right there        assembly  Application UsesCleartextTraffic  true           For iOS   Use NSAppTransportSecurity     You have to set the NSAllowsArbitraryLoads key to YES under NSAppTransportSecurity dictionary in your info plist file    lt key gt NSAppTransportSecurity lt  key gt   lt dict gt     lt key gt NSAllowsArbitraryLoads lt  key gt     lt true  gt   lt  dict gt

User · Answer

For React Native projects  It was already fixed on RN 0 59  You can find on upgrade diff from 0 58 6 to 0 59 You can apply it without upgrading you RN versionust follow the below steps   Create files   android app src debug res xml react native config xml -    lt  xml version  1 0  encoding  utf-8   gt   lt network-security-config gt     lt domain-config cleartextTrafficPermitted  true  gt       lt domain includeSubdomains  false  gt localhost lt  domain gt       lt domain includeSubdomains  false  gt 10 0 2 2 lt  domain gt       lt domain includeSubdomains  false  gt 10 0 3 2 lt  domain gt     lt  domain-config gt   lt  network-security-config gt    android app src debug AndroidManifest xml -   lt  xml version  1 0  encoding  utf-8   gt   lt manifest xmlns android  http   schemas android com apk res android    xmlns tools  http   schemas android com tools  gt      lt uses-permission android name  android permission SYSTEM ALERT WINDOW   gt      lt application tools targetApi  28        tools ignore  GoogleAppIndexingWarning         android networkSecurityConfig   xml react native config    gt   lt  manifest gt    Check the accepted answer to know the root cause

User · Answer

My problem in Android 9 was navigating on a webview over domains with http The solution from this answer   lt application      android networkSecurityConfig   xml network security config          gt    and   res xml network security config xml   lt  xml version  1 0  encoding  utf-8   gt   lt network-security-config gt       lt base-config cleartextTrafficPermitted  true  gt           lt trust-anchors gt               lt certificates src  system    gt           lt  trust-anchors gt       lt  base-config gt   lt  network-security-config gt

User · Answer

This is done for security reasons  you should always prefer to use HTTPS  HTTP Secure  where possible  You can read more about it here    There are multiple solutions for this issue depending on your condition     If you are trying to communicate with a first party service  IE  your own web server  Server side  You should add HTTPS support to that server and use HTTPS instead of HTTP  These days you can even do it for free using services like LetsEncrypt and others Client side  If you are using the HttpURLConnection from the java net package you can switch to HttpsURLConnection of the java net ssl package  it has a similar if not identical API  so the switch should be effortless   If you are using a third party service  like Google  Facebook  a weather service  etc   In case that the service you are communicating with supports HTTPS  which it most likely does  you can just change your request URL from http   abc xyz to https   abc xyz     As a last resort  if the third party service that you want to communicate with does not support HTTPS or any other form of secure communication  you can use this answer  but again  this is not recommended as it defeats the purpose of this much needed security feature

User · Answer

While the working answer  for me  was this by  PabloCegarra    lt  xml version  1 0  encoding  utf-8   gt   lt network-security-config gt       lt base-config cleartextTrafficPermitted  true  gt           lt trust-anchors gt               lt certificates src  system    gt           lt  trust-anchors gt       lt  base-config gt   lt  network-security-config gt    You may receive a security warning regarding the cleartextTrafficPermitted  true   If you know the domains to  white list  you should mix both accepted answer and the above one    lt  xml version  1 0  encoding  utf-8   gt   lt network-security-config gt       lt base-config cleartextTrafficPermitted  false  gt           lt trust-anchors gt               lt certificates src  system    gt           lt  trust-anchors gt       lt  base-config gt       lt domain-config cleartextTrafficPermitted  true  gt           lt domain includeSubdomains  true  gt books google com lt  domain gt           lt trust-anchors gt               lt certificates src  system    gt           lt  trust-anchors gt       lt  domain-config gt   lt  network-security-config gt    This code is working for me  but my app needs to retrieve data from books google com only  By this way the security warning disappears

User · Answer

According to Network security configuration -      Starting with Android 9  API level 28   cleartext support is disabled   by default    Also have a look at - https   koz io android-m-and-the-war-on-cleartext-traffic   Codelabs explanation - https   codelabs developers google com codelabs android-network-security-config index html  Option 1 -  First try hitting the URL with  https     instead of  http      Option 2 -   Create file res xml network security config xml -    lt  xml version  1 0  encoding  utf-8   gt   lt network-security-config gt       lt domain-config cleartextTrafficPermitted  true  gt           lt domain includeSubdomains  true  gt api example com to be adjusted  lt  domain gt       lt  domain-config gt   lt  network-security-config gt    AndroidManifest xml -    lt  xml version  1 0  encoding  utf-8   gt   lt manifest     gt       lt uses-permission android name  android permission INTERNET    gt       lt application                     android networkSecurityConfig   xml network security config              gt                   lt  application gt   lt  manifest gt    Option 3 -   android usesCleartextTraffic Doc  AndroidManifest xml -    lt  xml version  1 0  encoding  utf-8   gt   lt manifest     gt       lt uses-permission android name  android permission INTERNET    gt       lt application                     android usesCleartextTraffic  true              gt                   lt  application gt   lt  manifest gt    Also as  david s  answer pointed out android targetSandboxVersion can be a problem too -  According to Manifest Docs -      android targetSandboxVersion      The target sandbox for this app to use  The higher the sandbox version   number  the higher the level of security  Its default value is 1  you   can also set it to 2  Setting this attribute to 2 switches the app to   a different SELinux sandbox  The following restrictions apply to a   level 2 sandbox          The default value of usesCleartextTraffic in the Network Security    Config is false    Uid sharing is not permitted       So Option 4 -   If you have android targetSandboxVersion in  lt manifest gt  then reduce it to 1  AndroidManifest xml -    lt  xml version  1 0  encoding  utf-8   gt   lt manifest android targetSandboxVersion  1  gt       lt uses-permission android name  android permission INTERNET    gt           lt  manifest gt

User · Answer

cleartext support is disabled by default Android in 9 and above   Try This one I hope It will work fine  1 Step - gt   add inside android build gradle  Module App              useLibrary  org apache http legacy     android                  compileSdkVersion 28               useLibrary  org apache http legacy                 Then 2 Step -  manifest     add inside manifest   application tag   lt application     android networkSecurityConfig   xml network security config  gt   add drawable goto Step 4        Step --- gt 3  add to top this line         lt uses-library         android name  org apache http legacy          android required  false    gt    lt  application gt      Step 4--   Create Drawable  Xml file  name as   network security config xml      lt  xml version  1 0  encoding  utf-8   gt      lt network-security-config gt         lt base-config cleartextTrafficPermitted  true  gt           lt trust-anchors gt              lt certificates src  system    gt           lt  trust-anchors gt         lt  base-config gt       lt  network-security-config gt

User · Answer

If possible change your url s from HTTP to HTTPS  It works out

User · Answer

If you are using ionic and getting this error during native http plugin  following fix needs to be done-  goto resources android xml network security config xml Change it to-   lt  xml version  1 0  encoding  utf-8   gt   lt network-security-config gt       lt domain-config cleartextTrafficPermitted  true  gt           lt domain includeSubdomains  true  gt localhost lt  domain gt           lt domain includeSubdomains  true  gt api example com to be adjusted  lt  domain gt       lt  domain-config gt   lt  network-security-config gt    That worked for me

User · Answer

After changed API version 9 0 getting the error Cleartext HTTP traffic to YOUR-API DOMAIN COM not permitted  targetSdkVersion  28    in xamarin  xamarin android and android studio   Two steps to solve this error in xamarin  xamarin android and android studio   Step 1  Create file resources xml network security config xml  In network security config xml   lt  xml version  1 0  encoding  utf-8    gt   lt network-security-config gt     lt domain-config cleartextTrafficPermitted  true  gt       lt domain includeSubdomains  true  gt mobapi 3detrack in lt  domain gt     lt  domain-config gt   lt  network-security-config gt    Step 2  update AndroidManifest xml -  Add android networkSecurityConfig   xml network security config  on application tag  e g    lt application android label  your App Name  android icon   drawable icon  android networkSecurityConfig   xml network security config  gt

User · Answer

lt  xml version  1 0  encoding  utf-8   gt   lt network-security-config gt       lt domain-config cleartextTrafficPermitted  true  gt           lt domain includeSubdomains  true  gt    Your URL ex  127 0 0 1     lt  domain gt       lt  domain-config gt   lt  network-security-config gt    In the suggestion provided above I was providing my URL as  http   xyz abc com mno   I changed that to  xyz abc com then it started working

User · Answer

adding this paramter in header resolved my issue in apiSauce React Native   Content-Type    application x-www-form-urlencoded     Accept   application json

User · Answer

Try hitting the URL with  https     instead of  http

User · Answer

videoView can t open this video Online video Create file res xml network security config xml  lt  xml version  quot 1 0 quot  encoding  quot utf-8 quot   gt   lt network-security-config gt       lt base-config cleartextTrafficPermitted  quot true quot  gt           lt trust-anchors gt               lt certificates src  quot system quot    gt           lt  trust-anchors gt       lt  base-config gt   lt  network-security-config gt   New in the AndroidManifest xml file under application  android networkSecurityConfig  quot  xml network security config quot   https   techprogrammingideas blogspot com 2021 02 android-code-for-displaying-video-with html  https   youtu be 90hWWAqfdUU

User · Answer

To apply these various answers to Xamarin Android  you can use class and assembly level Attributes vs  manually editing the AndroidManifest xml  Internet permission of course is needed  duh       assembly  UsesPermission Android Manifest Permission Internet     Note  Typically assembly level attributes are added to your AssemblyInfo cs file  but any file  below the using and above the namespace works   Then on your Application subclass  create one if needed   you can add NetworkSecurityConfig with a reference to an Resources xml ZZZZ xml file    if DEBUG  Application AllowBackup   false  Debuggable   true  NetworkSecurityConfig     xml network security config     else  Application AllowBackup   true  Debuggable   false  NetworkSecurityConfig     xml network security config      endif public class App   Application       public App IntPtr javaReference  Android Runtime JniHandleOwnership transfer    base javaReference  transfer          public App            public override void OnCreate                 base OnCreate              Create a file in the Resources xml folder  create the xml folder if needed    Example xml network security config file  adjust as needed  see other answers    lt  xml version  1 0  encoding  utf-8   gt   lt network-security-config gt       lt domain-config cleartextTrafficPermitted  true  gt             lt domain includeSubdomains  true  gt www example com lt  domain gt             lt domain includeSubdomains  true  gt notsecure com lt  domain gt             lt domain includeSubdomains  false  gt xxx xxx xxx lt  domain gt       lt  domain-config gt   lt  network-security-config gt    You can also use the UsesCleartextTraffic parameter on the ApplicationAttribute    if DEBUG  Application AllowBackup   false  Debuggable   true  UsesCleartextTraffic   true    else  Application AllowBackup   true  Debuggable   false  UsesCleartextTraffic   true     endif

User · Answer

Upgrade to React Native 0 58 5 or higher version  They have includeSubdomain in their config files in RN 0 58 5   ChangeLog  In Rn 0 58 5 they have declared network security config with their server domain  Network security configuration allows an app to permit cleartext traffic from a certain domain  So no need to put extra effort by declaring android usesCleartextTraffic  true  in the application tag of your manifest file  It will be resolved automatically after upgrading the RN Version

User · Answer

You might only want to allow cleartext while debugging  but keep the security benefits of rejecting cleartext in production  This is useful for me because I test my app against a development server that does not support https  Here is how to enforce https in production  but allow cleartext in debug mode   In build gradle      Put this in your buildtypes debug section  manifestPlaceholders    usesCleartextTraffic  true       Put this in your buildtypes release section manifestPlaceholders    usesCleartextTraffic  false     In the application tag in AndroidManifest xml  android usesCleartextTraffic    usesCleartextTraffic

User · Answer

Cleartext is any transmitted or stored information that is not encrypted or meant to be encrypted    When an app communicates with servers using a cleartext network traffic  such as HTTP  not https   it could raise the risk of hacking and tampering of content  Third parties can inject unauthorized data or leak information about the users  That is why developers are encouraged to secure traffic only  such as HTTPS   Here is the implementation and the reference of how to resolve this problem

User · Answer

I have removed this line from the android manifest file which is already there   android networkSecurityConfig   xml network security config     and added  android usesCleartextTraffic  true    this in to application tag in manifest   lt application     android usesCleartextTraffic  true      android allowBackup  true      android label   string app name      android largeHeap  true      android supportsRtl  true      android theme   style AppTheme       gt    then this error Cleartext HTTP traffic to overlay openstreetmap nl not permitted is gone for me in android 9 and 10 I hope this will work for android 8 also if it is helped you don t forget to vote thank you

User · Answer

Just add android usesCleartextTraffic  true  inside the  in AndroidManifest xml file

User · Answer

In the AndroidManifest I found this parameter    android networkSecurityConfig   xml network security config    and  xml network security config is defined in network security config xml as     lt  xml version  1 0  encoding  utf-8   gt   lt network-security-config gt       lt  --Set application-wide security config using base-config tag -- gt       lt base-config cleartextTrafficPermitted  false   gt   lt  network-security-config gt      just I changed cleartextTrafficPermitted to true

User · Answer

I using Cordova 8 with cordova-plugin-whitelist 1 3 4 and it default configuration my app no access to internet and i only add a parameter in the manifest xml -  android usesCleartextTraffic  true   The path of mainfest changed in Cordova 8  platform android app src main AndroidManifest xml      lt  xml version  1 0  encoding  utf-8   gt       lt manifest android hardwareAccelerated  true  android versionCode  10000  android versionName  1 0 0  package  io cordova hellocordova  xmlns android  http   schemas android com apk res android  gt           lt supports-screens android anyDensity  true  android largeScreens  true  android normalScreens  true  android resizeable  true  android smallScreens  true  android xlargeScreens  true    gt           lt application  android hardwareAccelerated  true   android icon   mipmap ic launcher   android label   string app name   android supportsRtl  true   android usesCleartextTraffic  true  gt               lt activity android configChanges  orientation keyboardHidden keyboard screenSize locale smallestScreenSize screenLayout uiMode  android label   string activity name  android launchMode  singleTop  android name  MainActivity  android theme   android style Theme DeviceDefault NoActionBar  android windowSoftInputMode  adjustResize  gt                   lt intent-filter android label   string launcher name  gt                       lt action android name  android intent action MAIN    gt                       lt category android name  android intent category LAUNCHER    gt                   lt  intent-filter gt               lt  activity gt           lt  application gt           lt uses-permission android name  android permission INTERNET    gt           lt uses-permission android name  android permission ACCESS NETWORK STATE    gt       lt  manifest gt    this is a real stupid because it obvious that your app need access to internet

User · Answer

Okay  I have figured this out  It is due to the Manifest parameter android targetSandboxVersion  quot 2 quot   that I have added because we also have Instant App version - it should make sure than once user upgrades from Instant App to regular app  he will not loose his data with the transfer  However as the vague description suggest   Specifies the target sandbox this app wants to use  Higher sanbox versions will have increasing levels of security  The default value of this attribute is 1   It obviously also adds new level of security policy  at least on Android 8

User · Answer

For Xamarin Android developers make sure HttpClient implementation and SSL TLS is set to Default   It can be found under Andorid Options -  Advanced Android Options

User · Answer

Update December 2019 ionic - 4 7 1   lt manifest xmlns tools    http   schemas android com tools    gt    lt application android usesCleartextTraffic    true    tools targetApi    28    gt    Please add above content in android manifest  xml file  Previous Versions of ionic   Make sure you have the following in your config xml in Ionic Project    lt edit-config file  app src main AndroidManifest xml  mode  merge  target   manifest application  xmlns android  http   schemas android com apk res android  gt               lt application android networkSecurityConfig   xml network security config    gt               lt application android usesCleartextTraffic  true    gt           lt  edit-config gt   Run ionic Cordova build android  It creates Android folder under Platforms Open Android Studio and open the Android folder present in our project project-platforms-android  Leave it for few minutes so that it builds the gradle After gradle build is finished we get some errors for including minSdVersion in manifest xml  Now what we do is just remove  lt uses-sdk android minSdkVersion  19    gt  from manifest xml   Make sure its removed from both the locations    app  rarr  manifests  rarr  AndroidManifest xml  CordovaLib  rarr  manifests  rarr  AndroidManifest xml    Now try to build the gradle again and now it builds successfully Make sure you have the following in Application tag in App  rarr  manifest  rarr  Androidmanifest xml    lt application android networkSecurityConfig   xml network security config   android usesCleartextTraffic  true   gt   Open network security config  app  rarr  res  rarr  xml  rarr  network security config xml    Add the following code    lt  xml version  1 0  encoding  utf-8   gt   lt network-security-config gt       lt domain-config cleartextTrafficPermitted  true  gt           lt domain includeSubdomains  true  gt xxx yyyy com lt  domain gt       lt  domain-config gt   lt  network-security-config gt     Here xxx yyyy com is the link of your HTTP API  Make sure you don t include any Http before the URL   Note  Now build the app using Android Studio  Build -- Build Bundle s APK -- Build APK  and now you can use that App and it works fine in Android Pie  If you try to build app using ionic Cordova build android it overrides all these settings so make sure you use Android Studio to build the Project   If you have any older versions of app installed  Uninstall them and give a try or else you will be left with some error      App not Installed

User · Answer

It could be useful for someone    We recently had the same issue for Android 9  but we only needed to display some Urls within WebView  nothing very special  So adding android usesCleartextTraffic  true  to Manifest worked  but we didn t want to compromise security of the whole app for this   So the fix was in changing links from http to https

User · Answer

Ok  that is    NOT    the thousands repeat of  add it to your Manifest  but an hint which base on this  but give you additional Benefit  and maybe some Background Info    Android has a kind of overwriting functionality for the src-Directory   By default  you have       app src main   But you can add additional directories to overwrite your AndroidManifest xml  Here is how it works     Create the Directory  app src debug Inside create the AndroidManifest xml   Inside of this File  you don t have to put all the Rules inside  but only the ones you like to overwrite from your  app src main AndroidManifest xml  Here an Example how it looks like for the requested CLEARTEXT-Permission     lt manifest xmlns android  http   schemas android com apk res android            package  com yourappname  gt        lt application             android usesCleartextTraffic  true              android name   MainApplication              android label   string app name              android icon   mipmap ic launcher              android allowBackup  false              android theme   style AppTheme  gt       lt  application gt    lt  manifest gt    With this knowledge it s now easy as 1 2 3 for you to overload your Permissions depending on your debug   main   release Enviroment   The big benefit on it    you don t have debug-stuff in your production-Manifest and you keep an straight and easy maintainable structure

User · Answer

Create file - res   xml   network security xml  In network security xml -    lt  xml version  1 0  encoding  utf-8   gt   lt network-security-config gt       lt domain-config cleartextTrafficPermitted  true  gt           lt domain includeSubdomains  true  gt 192 168 0 101 lt  domain gt       lt  domain-config gt   lt  network-security-config gt    Open AndroidManifests xml     android usesCleartextTraffic  true    Add this line in your manifests   lt application         android allowBackup  true          android icon   mipmap ic launcher          android label   string app name          android roundIcon   mipmap ic launcher round          android supportsRtl  true          android usesCleartextTraffic  true          android theme   style AppTheme  gt

User · Answer

Put following into your resources android xml network security config xml     lt  xml version  1 0  encoding  utf-8   gt   lt network-security-config gt       lt base-config cleartextTrafficPermitted  true    gt   lt  network-security-config gt    This solves Failed to load resource  net  ERR CLEARTEXT NOT PERMITTED problem on Android for Cordova   Ionic

[android] Android 8: Cleartext HTTP traffic not permitted

Examples related to android

Examples related to http

Examples related to https