2

This is on Android P using the support library version 28.0.0-rc01.

I have followed the instructions/solutions for this issue based on several SO posts:

How to solve Android P DownloadManager stopping with "Cleartext HTTP traffic to 127.0.0.1 not permitted"?

Android 8: Cleartext HTTP traffic not permitted

along with several others.

The issue is that even though the network-security-config base-config sets this value to true, when I check the NetworkSecurityPolicy.isCleartextTrafficPermitted it returns false. This results in the ERR_CLEARTEXT_NOT_PERMITTED error when navigating to non https pages in a WebView.

Here is a snippet of the AndroidManifest

<application
    ...
    android:supportsRtl="true"
    android:networkSecurityConfig="@xml/network_security_config"
    android:usesCleartextTraffic="true">

I have tried this with combinations of including just 'usesCleartextTraffic', just 'networkSecurityConfig' and both.

Here is the relevant network-security-config

<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config cleartextTrafficPermitted="true" >
        <trust-anchors>
            <certificates src="system"/>
        </trust-anchors>
    </base-config>
</network-security-config>

Note that I have tried it with and without the 'trust-anchors'. I do have both a prod AndroidManifest and network-security-config as well as a debug version. However, both have the same settings (debug allows for user certificates in addition to system).

I also verified the security policy is being read in by checking logcat. At this point, I am at a loss as it seems the setting is not being honored.

Any help would be appreciated.

Dan Nichols
  • 769
  • 1
  • 7
  • 19

2 Answers2

9

I just have:

android:usesCleartextTraffic="true"

in the manifest and removed network_security_config.xml. That seems to work!

Jee Mok
  • 6,157
  • 8
  • 47
  • 80
droid_dev
  • 303
  • 4
  • 15
  • This works but I think the issue is another one. In my app I was trying to debug `http` calls but I think that Android 9 deprecated this and only supports `https` by default? I'm guessing but something similar happened in iOS as well. Adding that field will just create an exception to allow Android 9 to consume `http` APIs – ace_ventura Feb 12 '19 at 18:50
7

For some reason, the debug AndroidManifest and network-security-config was causing the issue even though the settings were nearly identical -- the only difference was the debug version also allowed user generated certificates.

<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:tools="http://schemas.android.com/tools"
    xmlns:android="http://schemas.android.com/apk/res/android">

    <application
        android:networkSecurityConfig="@xml/network_security_config"
        tools:targetApi="n" />

</manifest>

<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <debug-overrides>
        <base-config cleartextTrafficPermitted="true" >
           <trust-anchors>
               <!-- Trust user added CAs while debuggable only -->
               <certificates src="user" />
               <certificates src="system" />
           </trust-anchors>
        </base-config>
    </debug-overrides>
</network-security-config>

Removing the debug AndroidManifest.xml and network_security_config.xml files resolved the issue. I am still not sure why that works, but we no longer require the debug manifest anyway, so going with that for now.

maudem
  • 804
  • 9
  • 12
Dan Nichols
  • 769
  • 1
  • 7
  • 19