
I am writing an instant app that will connect to a device on the local IP network. Instant apps have a limitation that they MUST connect to network over HTTPS per FAQ. This is clearly not possible for devices as we won't have an SSL certificate for the local IP address. To avoid it, is it possible to open a direct TCP socket or IP connection to the local device?

We did try to open a direct TCP socket and it failed to connect in Instant app (the same code works fine in an installed app).

inder
  • Did you try and it didn't work? Your question was downvoted twice so far, most probably because people believe `the question does not show any research effort`. Can you extend it a bit and improve it by specifying what you've tried, and what your issue is? Thanks! – Volo Oct 10 '17 at 15:51
  • Do you mean something like https://developer.android.com/reference/javax/net/ssl/SSLSocket.html? Or can you specify your intention of “To avoid it”, are your trying to avoid the requirement of a https connection? – Julia K Oct 11 '17 at 17:45
  • @JuliaK Devices on the local network can't have an HTTPS connection because they don't have an SSL certificate for the IP address. – inder Oct 17 '17 at 16:32
  • Thanks @Idolon. I added some more details – inder Oct 17 '17 at 16:33

1 Answer


Instant Apps are required to have the targetSandboxVersion="2" attribute set in the <manifest> tag. The default Network Security Config for apps targeting the v2 sandbox restricts cleartext network traffic:

<base-config cleartextTrafficPermitted="false">
  <trust-anchors>
      <certificates src="system" />
  </trust-anchors>
</base-config>

However, the NetworkSecurityPolicy javadoc states that:

When cleartext network traffic is not permitted, the platform's components (e.g. HTTP and FTP stacks, DownloadManager, MediaPlayer) will refuse this process's requests to use cleartext traffic. Third-party libraries are strongly encouraged to honor this setting as well.

This flag is honored on a best effort basis because it's impossible to prevent all cleartext traffic from Android applications given the level of access provided to them. For example, there's no expectation that the Socket API will honor this flag because it cannot determine whether its traffic is in cleartext. However, most network traffic from applications is handled by higher-level network stacks/components which can honor this aspect of the policy.

From the technical point of view I don't see an issue here, but you are further restricted via the Android Instant Apps policy document, which specifies that:

Network traffic from inside the instant app must be encrypted using a TLS protocol like HTTPS.

As one can see, it's not forbidden by the policy to use the TCP protocol as long as TLS is used on top of it.

Volo
  • Thanks for the details, @Idolon. We tried opening a direct socket (in Android code, as well as in a WebView/JavaScript). Both attempts failed to connect in an Instant app, though the same code worked fine in an installed app. – inder Oct 17 '17 at 16:35
  • @inder If your goal is to use HTTP at the end, then there is no need to bother with sockets. Just check this thread on how to install SSL certificates for hosts on private network: https://community.letsencrypt.org/t/certificates-for-hosts-on-private-networks/174/35 – Volo Oct 18 '17 at 09:05
  • I don't have root access to these devices (these are devices like Smart TVs, Apple TV on the local network). I am just trying to create a remote for them. – inder Oct 19 '17 at 16:20
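The following is an added example, not code from the original question or from the answer above, showing what the answer's closing point looks like in practice on Android: a plain TCP Socket is opened to the device and upgraded to TLS with SSLSocketFactory before any application byte is written, and since a CA-issued certificate cannot name a private IP address, the device is authenticated by pinning the SHA-256 of its public key rather than by hostname. It assumes the device exposes a TLS endpoint with a (possibly self-signed) certificate whose public-key hash the app obtained out of band, for instance during pairing; the zero-filled DEVICE_SPKI_SHA256 placeholder, the PinnedDeviceSocket class name and the isCleartextTrafficPermitted log line are the example's own, not from the page. The policy flag is read only to make the javadoc's point concrete: a raw Socket does not consult it, so the app has to enforce encryption itself. It does not help with a device that only speaks cleartext, which is the situation the questioner describes in the last comment.

```java
import android.security.NetworkSecurityPolicy;
import android.util.Log;
import java.io.IOException;
import java.net.InetSocketAddress;
import java.net.Socket;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

/** TCP to a LAN device, upgraded to TLS before any application data is sent. */
public final class PinnedDeviceSocket {
    private static final String TAG = "PinnedDeviceSocket";

    // Hypothetical pin: SHA-256 over the device certificate's SubjectPublicKeyInfo,
    // recorded out of band (e.g. during pairing). Placeholder value, replace before use.
    private static final byte[] DEVICE_SPKI_SHA256 = hexToBytes(
            "0000000000000000000000000000000000000000000000000000000000000000");

    /** Accepts exactly one pinned public key; no CA chain and no hostname check. */
    private static final class PinningTrustManager implements X509TrustManager {
        private final byte[] pin;

        PinningTrustManager(byte[] pin) { this.pin = pin; }

        @Override
        public void checkClientTrusted(X509Certificate[] chain, String authType)
                throws CertificateException {
            throw new CertificateException("client certificates are not accepted here");
        }

        @Override
        public void checkServerTrusted(X509Certificate[] chain, String authType)
                throws CertificateException {
            if (chain == null || chain.length == 0) {
                throw new CertificateException("empty certificate chain");
            }
            byte[] spki = chain[0].getPublicKey().getEncoded();
            byte[] digest;
            try {
                digest = MessageDigest.getInstance("SHA-256").digest(spki);
            } catch (GeneralSecurityException e) {
                throw new CertificateException(e);
            }
            // Constant-time compare; a mismatch aborts the handshake.
            if (!MessageDigest.isEqual(digest, pin)) {
                throw new CertificateException("device public key does not match the pin");
            }
        }

        @Override
        public X509Certificate[] getAcceptedIssuers() {
            return new X509Certificate[0];
        }
    }

    public static SSLSocket connect(String host, int port, int timeoutMs) throws IOException {
        // Raw sockets do not consult the cleartext flag (see the NetworkSecurityPolicy
        // javadoc quoted in the answer), so the app must enforce the policy itself:
        // log the flag for diagnostics, then never write to the plain socket.
        boolean cleartextOk = NetworkSecurityPolicy.getInstance().isCleartextTrafficPermitted(host);
        Log.d(TAG, "cleartext permitted for " + host + ": " + cleartextOk);

        Socket tcp = new Socket();
        tcp.connect(new InetSocketAddress(host, port), timeoutMs);
        try {
            SSLContext ctx = SSLContext.getInstance("TLS");
            ctx.init(null, new TrustManager[] { new PinningTrustManager(DEVICE_SPKI_SHA256) }, null);
            SSLSocketFactory factory = ctx.getSocketFactory();
            // autoClose=true: closing the SSLSocket also closes the TCP socket underneath.
            SSLSocket tls = (SSLSocket) factory.createSocket(tcp, host, port, true);
            tls.startHandshake(); // runs PinningTrustManager; throws on pin mismatch
            return tls;
        } catch (GeneralSecurityException e) {
            tcp.close();
            throw new IOException("TLS setup failed", e);
        } catch (IOException e) {
            tcp.close();
            throw e;
        }
    }

    private static byte[] hexToBytes(String hex) {
        byte[] out = new byte[hex.length() / 2];
        for (int i = 0; i < out.length; i++) {
            out[i] = (byte) Integer.parseInt(hex.substring(2 * i, 2 * i + 2), 16);
        }
        return out;
    }
}
```

Usage is `SSLSocket s = PinnedDeviceSocket.connect("192.168.1.20", 8443, 3000);` (address and port are assumed values) followed by the normal `s.getOutputStream()` / `s.getInputStream()` calls; the handshake has already completed by the time `connect` returns, so nothing ever goes over the wire unencrypted. Pinning the public key rather than the whole certificate lets the device renew its self-signed certificate without breaking the app, as long as it keeps the same key pair.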