
I know cleartext traffic has been disabled by default by Android. May I know where exactly I can enable it in AOSP, instead of adding a network config file to every package?

Where I can permit by adding the below line?

cleartextTrafficPermitted="true"

external/okhttp/android/main/java/com/squareup/okhttp/Handler

    // The two constants used below are defined elsewhere in the same file and were
    // elided from the original excerpt: the handler only ever negotiates cleartext
    // connection specs, and every URL passes through the CleartextURLFilter.
    private static final List<ConnectionSpec> CLEARTEXT_ONLY =
            Collections.singletonList(ConnectionSpec.CLEARTEXT);
    private static final CleartextURLFilter CLEARTEXT_FILTER = new CleartextURLFilter();

    public static OkUrlFactory createHttpOkUrlFactory(Proxy proxy) {
        OkHttpClient client = new OkHttpClient();

        // Explicitly set the timeouts to infinity.
        client.setConnectTimeout(0, TimeUnit.MILLISECONDS);
        client.setReadTimeout(0, TimeUnit.MILLISECONDS);
        client.setWriteTimeout(0, TimeUnit.MILLISECONDS);

        // Set the default (same protocol) redirect behavior. The default can be overridden for
        // each instance using HttpURLConnection.setInstanceFollowRedirects().
        client.setFollowRedirects(HttpURLConnection.getFollowRedirects());

        // Do not permit http -> https and https -> http redirects.
        client.setFollowSslRedirects(false);

        // Permit cleartext traffic only (this is a handler for HTTP, not for HTTPS).
        client.setConnectionSpecs(CLEARTEXT_ONLY);

        // When we do not set the Proxy explicitly OkHttp picks up a ProxySelector using
        // ProxySelector.getDefault().
        if (proxy != null) {
            client.setProxy(proxy);
        }

        // OkHttp requires that we explicitly set the response cache.
        OkUrlFactory okUrlFactory = new OkUrlFactory(client);

        // Use the installed NetworkSecurityPolicy to determine which requests are permitted over
        // http.
        OkUrlFactories.setUrlFilter(okUrlFactory, CLEARTEXT_FILTER);

        ResponseCache responseCache = ResponseCache.getDefault();
        if (responseCache != null) {
            AndroidInternal.setResponseCache(okUrlFactory, responseCache);
        }
        return okUrlFactory;
    }

    // Consulted for every URL before a cleartext connection is opened; the decision is
    // delegated to the platform's NetworkSecurityPolicy, which is where the per-app
    // network security config (or the default) is evaluated.
    private static final class CleartextURLFilter implements URLFilter {
        @Override
        public void checkURLPermitted(URL url) throws IOException {
            String host = url.getHost();
            if (!NetworkSecurityPolicy.getInstance().isCleartextTrafficPermitted(host)) {
                throw new IOException("Cleartext HTTP traffic to " + host + " not permitted");
            }
        }
    }

In any app, if I use HTTP, I get the error "Cleartext HTTP traffic to 124.60.5.6 not permitted".

So instead of changing it in the apps, is it possible to change it in AOSP?

Shadow

2 Answers

Seems like it's enough if you do

builder.setCleartextTrafficPermitted(true);

in line 189; that seems sufficient since you are using older applications which probably don't have any network config and only use the default one.

source: https://android.googlesource.com/platform/frameworks/base.git/+/refs/heads/master/core/java/android/security/net/config/NetworkSecurityConfig.java#189


Old Answer

I hope you have done your homework on the implications of bypassing a security feature. That being said, the class responsible for the exception is in the framework, in package android.security.net.config, and the class responsible is NetworkSecurityConfig.

As of writing this answer, the static builder class has a boolean property mCleartextTrafficPermittedSet which is set to false by default. You might have to default it to true, which makes the method getEffectiveCleartextTrafficPermitted() in the NetworkSecurityConfig class return mCleartextTrafficPermitted, which in turn returns DEFAULT_CLEARTEXT_TRAFFIC_PERMITTED, which is set to true by default.

The flow would be

getEffectiveCleartextTrafficPermitted() returns mCleartextTrafficPermitted returns DEFAULT_CLEARTEXT_TRAFFIC_PERMITTED returns true by default.

If this is all confusing, call setCleartextTrafficPermitted(true) on the builder whenever the builder is created.

The source for the class is available here: https://android.googlesource.com/platform/frameworks/base.git/+/refs/heads/master/core/java/android/security/net/config/NetworkSecurityConfig.java

Note: I have not tried this and merely gone through the source and inferred the above. You are welcome to try and correct me if something is wrong.

Edit (update from @Shadow):

In NetworkSecurityConfig, change the boolean variable from true to false.

   //public static final boolean DEFAULT_CLEARTEXT_TRAFFIC_PERMITTED = true;
    public static final boolean DEFAULT_CLEARTEXT_TRAFFIC_PERMITTED = false;

Also in ManifestConfigSource, comment out the lines below,

  /*boolean usesCleartextTraffic =
                        (mApplicationInfo.flags & ApplicationInfo.FLAG_USES_CLEARTEXT_TRAFFIC) != 0
                        && mApplicationInfo.targetSandboxVersion < 2;*/

and set usesCleartextTraffic directly to true.

 boolean usesCleartextTraffic =true;
Shadow
Vijai
  • Thanks Vijai, this is what I expected. Let me try this and update you soon. Thanks once again. @Vijai – Shadow Mar 30 '20 at 11:30
  • I used this: builder.setCleartextTrafficPermitted(true); instead of //builder.setCleartextTrafficPermitted(cleartextTrafficPermitted); but I am still getting "cleartext http traffic not supported". – Shadow Mar 30 '20 at 12:50
  • Actually, I printed a log inside the method getDefaultBuilder too, but nothing is printed from there. – Shadow Mar 30 '20 at 12:51
  • Hmm... probably it's here then? https://android.googlesource.com/platform/frameworks/base.git/+/refs/heads/master/core/java/android/security/net/config/ManifestConfigSource.java#76 Note: the file is ManifestConfigSource.java – Vijai Mar 30 '20 at 12:55
  • So what do I actually need to do? Kindly guide me please @Vijai – Shadow Mar 30 '20 at 13:17
  • The thing is, when there is no network config, Android loads the default one. We find it and allow cleartext. Revert the old change, go to "ManifestConfigSource.java" in the same location as "NetworkSecurityConfig.java" and set `boolean usesCleartextTraffic` to true in line 76. – Vijai Mar 30 '20 at 13:20
  • Hello Vijai. I have done some changes: in NetworkSecurityConfig, I changed this variable from true to false, public static final boolean DEFAULT_CLEARTEXT_TRAFFIC_PERMITTED = false; followed by your step. So in this case, I am not getting "cleartext not supported", but instead I get the error "failed to connect to /192.168.1.8 (port 8383) after 10000ms". My question is, is the http or https issue now resolved, or will the above reproduce the socket timeout? – Shadow Mar 31 '20 at 05:19
  • Thanks @Vijai. I have modified your answer and I am accepting it and awarding you the bounty. – Shadow Mar 31 '20 at 09:11

You need to go to AndroidManifest.xml and add

<application
    android:usesCleartextTraffic="true"
    android:networkSecurityConfig="@xml/network_security_config"
    ....
</application>

I strongly advise that you create the network_security_config to only allow your domain and subdomains. Here is a quick tutorial.

Biscuit
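A network_security_config.xml of the kind this answer recommends, added here as an example (it is not from the answer, the asker, or AOSP): cleartext stays disabled for every destination by default and is permitted only for the one LAN controller the app actually talks to. The address is a constructed placeholder.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml, referenced from the manifest via
     android:networkSecurityConfig="@xml/network_security_config". -->
<network-security-config>
    <!-- Applies to every destination not matched by a domain-config below:
         no cleartext, and only the system trust store for TLS. -->
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>

    <!-- Narrow exception for the LAN controller only. The <domain> element
         accepts a hostname or an IP address; 192.0.2.10 is a placeholder
         constructed for this example, not a value from the question. -->
    <domain-config cleartextTrafficPermitted="true">
        <domain includeSubdomains="false">192.0.2.10</domain>
    </domain-config>
</network-security-config>
```

Unlike a framework patch, this keeps the exception scoped to one app and one host, and it survives framework updates.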
  • If I have 1000 apps, I can't apply this to every one by creating this network config XML. Instead, is it possible to do it on the framework side? I have the full AOSP source code for 9. http://androidxref.com/. As Android suggests, it has been disabled by default. Exactly where did they disable it in AOSP? – Shadow Mar 26 '20 at 06:58
  • Wouldn't that mean that if you have 1000 apps, and they do some update on the framework, you'll have to change it as well? – Biscuit Mar 26 '20 at 08:45
  • The thing is, we need to migrate the apps from 6 to 9. So in this case, instead of changing every app, it's better to change the framework. For example: the background service restriction introduced in 9. In that case, instead of adding a foreground service to every app, there is a class called BackgroundExecutionQueue where changes were made to allow background services not to be restricted. Same in this case, I don't know the workaround or where exactly they disabled it. – Shadow Mar 26 '20 at 09:23
  • I don't know about changing AOSP, but I wouldn't recommend it; you'll probably hit multiple walls. A third option would be to use a certificate for your website, and in this case you won't have to deal with `clearTextTraffic`. – Biscuit Mar 26 '20 at 09:36
  • The thing is, it's a LAN connection. So it communicates over the LAN, and through the LAN connection it accesses the controller's internet. So in this case, the LAN doesn't have https, only http. – Shadow Mar 27 '20 at 10:52
  • Oh... then yeah, searching and modifying the AOSP files is your last resort I think. Sorry I couldn't help you much :/ – Biscuit Mar 27 '20 at 11:10