13

I'm trying to connect to an embedded device with an HTTP server, which works fine on Android < P (until I set targetSdkVersion 28) because there was a change that enabled network TLS by default.

There is a way to opt out of cleartext traffic but it seems that this is only possible for domains and not IP addresses.


I've tried to set an android:networkSecurityConfig in the Manifest with the IP instead of the domain but this didn't work:

<network-security-config>
  <domain-config cleartextTrafficPermitted="false">
    <domain includeSubdomains="true">172.16.33.1</domain>
  </domain-config>
</network-security-config>

Setting this as a <base-config cleartextTrafficPermitted="false"> does not work either.


So it seems that there is no way to get non-TLS communication working when not having a domain. But because this is an embedded device in the local network we do not have a domain (we only know the IP).

This seems like a major problem for all kinds of embedded devices which would not be able to communicate anymore. Plus, "new apps and updates to existing apps require to target API level [28 in November 2020]" (starting in November 2018 with API 26 and advancing each year).

Any ideas how to make this possible?

hardysim
  • 3
    If you want to enable non-TLS communication, then you need to have `cleartextTrafficPermitted` as `true`, not `false`. – laalto Jun 21 '18 at 07:11
  • 1
    Arg, no way - too easy. My fault. Of course it needs to be `true`. It's working then with `` for IP addresses. THX! – hardysim Jun 21 '18 at 08:20
  • Can you allow clearText for all URLs or do you have to specify each URL? – Kris B May 31 '19 at 23:33

5 Answers

25

It's working with <base-config cleartextTrafficPermitted="true"> for IP addresses.

(Of course it also needs to be true not false).

hardysim
14

I know that this question has been answered and accepted, but if anyone needs to allow all cleartext traffic in the app (for all URLs), then the following line can be added to the application tag:

<application
    ...
    android:usesCleartextTraffic="true">
    ....
</application>

If your minSdkVersion is below 23, where this attribute was introduced, Android Studio will tell you:

Attribute usesCleartextTraffic is only used in API level 23 and higher (current min is ...)

However, as far as I have experienced, the "android:usesCleartextTraffic" attribute will simply be ignored on SDKs below 23.

This flag is ignored on Android 7.0 (API level 24) and above if an Android Network Security Config is present (link)

Jemshit
Langkiller
3

For me this answer alone didn't work. I had to register this config in the manifest file too, which is unknown for a hybrid developer. Below are my fixes.

network_security_config

<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
  <domain-config cleartextTrafficPermitted="true">
    <domain includeSubdomains="true">172.16.33.1</domain> <!-- Debug port -->
    <domain includeSubdomains="true">abc.com</domain>
  </domain-config>
</network-security-config>

AndroidManifest.xml

<?xml version="1.0" encoding="utf-8"?>
<manifest>
    <application android:networkSecurityConfig="@xml/network_security_config">
       
    </application>
</manifest>
Jijo Cleetus
  • 1
    Sure you need to reference your `network_security_config` in the manifest. This was clear to me when I asked this question and is also mentioned at the very beginning of the documentation which I linked in my post (https://developer.android.com/training/articles/security-config). – hardysim Oct 29 '20 at 09:04
2

@hardysim's answer is working; here is a quick example

<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config cleartextTrafficPermitted="true"></base-config>
</network-security-config>
Faisal Hassan
0

You can configure both domain and base:

<?xml version="1.0" encoding="utf-8"?>
<network-security-config xmlns:tools="http://schemas.android.com/tools">
    <base-config
        cleartextTrafficPermitted="true"
        tools:ignore="InsecureBaseConfiguration" />
    <domain-config cleartextTrafficPermitted="true">
        <domain includeSubdomains="true">localhost</domain>
        <domain includeSubdomains="true">10.0.2.2</domain>
        <domain includeSubdomains="true">127.0.0.1</domain>
    </domain-config>
</network-security-config>

And in the Manifest:

<application
   ...
   android:networkSecurityConfig="@xml/network_security_config">
   ...
</application>
Cat
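
An added example, not part of any answer above: a small Python check that resolves the effective `cleartextTrafficPermitted` value for a host from a network security config and lists where cleartext is left enabled, so a config scoped to the device IP can be told apart from one that opens every host. The function names and both sample configs are constructed for illustration; the resolution order it assumes is longest matching `<domain>`, then `<base-config>`, then the targetSdkVersion default.

```python
import xml.etree.ElementTree as ET

# Constructed sample: cleartext off by default, on only for the question's IP.
SCOPED = """<network-security-config>
  <base-config cleartextTrafficPermitted="false" />
  <domain-config cleartextTrafficPermitted="true">
    <domain includeSubdomains="false">172.16.33.1</domain>
  </domain-config>
</network-security-config>"""

# Constructed sample: the allow-everything form shown in the answers.
OPEN = """<network-security-config>
  <base-config cleartextTrafficPermitted="true" />
</network-security-config>"""

def _flag(elem, inherited):
    """Cleartext flag of elem, or the inherited value when it is unset."""
    value = elem.get("cleartextTrafficPermitted") if elem is not None else None
    return inherited if value is None else value.strip().lower() == "true"

def _rules(node, inherited):
    """Yield (domain, include_subdomains, permitted), nested configs included."""
    for cfg in node.findall("domain-config"):
        permitted = _flag(cfg, inherited)
        for dom in cfg.findall("domain"):
            sub = dom.get("includeSubdomains", "false").lower() == "true"
            yield (dom.text or "").strip().lower(), sub, permitted
        yield from _rules(cfg, permitted)

def _parse(config_xml, target_sdk):
    root = ET.fromstring(config_xml)
    # Unset base value: permitted up to targetSdkVersion 27, blocked from 28.
    base = _flag(root.find("base-config"), target_sdk <= 27)
    return base, list(_rules(root, base))

def cleartext_allowed(config_xml, host, target_sdk=28):
    """Most specific (longest) matching <domain> wins, else base-config."""
    base, rules = _parse(config_xml, target_sdk)
    host = host.lower()
    hits = [(len(d), p) for d, sub, p in rules
            if host == d or (sub and host.endswith("." + d))]
    return max(hits)[1] if hits else base

def audit(config_xml, target_sdk=28):
    """List every place the config leaves cleartext traffic enabled."""
    base, rules = _parse(config_xml, target_sdk)
    found = ["base-config: cleartext permitted to every host"] if base else []
    return found + [f"domain-config: cleartext permitted to {d}"
                    for d, _, p in rules if p]
```

Run over the app's `res/xml/network_security_config.xml`, `audit` returning only the device IP means HTTP stays blocked for every other host.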