How to Resolve “Cleartext HTTP traffic not permitted” Error in Android 8 and Above

22 May 2024, Stephan Petzl, Tech-Help

Developers often encounter the “Cleartext HTTP traffic not permitted” error when their Android applications try to access HTTP URLs instead of HTTPS. This issue becomes prominent starting with Android 9 (API level 28), where cleartext traffic is disabled by default. This guide will help you understand and resolve this issue effectively.

Understanding the Issue

The error occurs because Android 9 and above enforce secure communications by default, blocking any HTTP (non-secure) traffic. This security measure is designed to protect users from potential threats associated with unencrypted data transmission. The exception typically looks like this:

IOException java.io.IOException: Cleartext HTTP traffic to * not permitted

Solution Options

Below are several methods to address this issue. You can choose the one that best fits your app’s requirements:

Option 1: Switch to HTTPS

The most straightforward solution is to switch your URLs from HTTP to HTTPS. If your server supports HTTPS, simply update your URLs:

http://example.com -> https://example.com

Option 2: Network Security Configuration

If switching to HTTPS is not feasible, you can create a network security configuration file to permit cleartext traffic for specific domains.

Create a file named res/xml/network_security_config.xml:

<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <domain-config cleartextTrafficPermitted="true">
        <domain includeSubdomains="true">api.example.com</domain>
    </domain-config>
</network-security-config>

Then, reference this configuration in your AndroidManifest.xml:

<application
    android:networkSecurityConfig="@xml/network_security_config"
    ...>
    ...
</application>

Option 3: Use android:usesCleartextTraffic

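Another approach is to set the android:usesCleartextTraffic attribute to true in your AndroidManifest.xml. Unlike the per-domain configuration in Option 2, this permits cleartext traffic to every host the app contacts. Android 7.0 (API level 24) and above ignore the attribute when a network security config is present: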

<application
    android:usesCleartextTraffic="true"
    ...>
    ...
</application>

Option 4: Environment-Specific Configurations

To maintain security in production while allowing cleartext traffic in development, use environment-specific configurations. Set a manifest placeholder per build type in your build.gradle:

buildTypes {
    release {
        manifestPlaceholders = [usesCleartextTraffic: "false"]
    }
    debug {
        manifestPlaceholders = [usesCleartextTraffic: "true"]
    }
}

Then, reference the placeholder in your AndroidManifest.xml:

<application
    android:usesCleartextTraffic="${usesCleartextTraffic}"
    ...>
    ...
</application>

Practical Example

Let’s consider a practical scenario where you need to permit cleartext traffic for a specific development environment while maintaining security for production. Here’s how you can achieve this:

// build.gradle
buildTypes {
    release {
        manifestPlaceholders = [usesCleartextTraffic: "false"]
    }
    debug {
        manifestPlaceholders = [usesCleartextTraffic: "true"]
    }
}

<!-- AndroidManifest.xml -->
<application
    android:usesCleartextTraffic="${usesCleartextTraffic}"
    ...>
    ...
</application>
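
To confirm that a release build really ships without cleartext exceptions, the merged manifest and network security config can be checked in CI. The script below is an added example, not code from the original article: the function name audit_cleartext and the sample inputs are constructed for illustration, and it assumes targetSdkVersion 28 or higher, so an unset cleartextTrafficPermitted means "not permitted".

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

def audit_cleartext(manifest_xml, nsc_xml=None):
    """List every place cleartext HTTP is permitted (assumes targetSdk >= 28)."""
    findings = []
    app = ET.fromstring(manifest_xml).find("application")
    flag = app.get(ANDROID + "usesCleartextTraffic", "")
    if flag.startswith("${"):
        findings.append(f"manifest: unresolved placeholder {flag}, audit the merged manifest")
    elif flag == "true" and nsc_xml is None:
        # With a network security config present, Android 7.0+ ignores this flag.
        findings.append("manifest: usesCleartextTraffic=true permits HTTP to every host")
    if nsc_xml is None:
        return findings
    root = ET.fromstring(nsc_xml)
    base = root.find("base-config")
    base_val = base.get("cleartextTrafficPermitted") if base is not None else None
    if base_val == "true":
        findings.append("base-config: cleartext permitted for every host")

    def walk(node, inherited):
        # A domain-config without the attribute inherits from its parent.
        for cfg in node.findall("domain-config"):
            val = cfg.get("cleartextTrafficPermitted", inherited)
            if val == "true":
                for dom in cfg.findall("domain"):
                    scope = "and subdomains" if dom.get("includeSubdomains") == "true" else "only"
                    findings.append(f"domain-config: cleartext permitted for {(dom.text or '').strip()} {scope}")
            walk(cfg, val)

    walk(root, base_val)
    return findings

# Constructed sample inputs: merged manifests for the two build types of Option 4,
# and the network security config from Option 2.
MANIFEST = ('<manifest xmlns:android="http://schemas.android.com/apk/res/android">'
            '<application android:usesCleartextTraffic="%s"/></manifest>')
NSC = """<network-security-config>
    <domain-config cleartextTrafficPermitted="true">
        <domain includeSubdomains="true">api.example.com</domain>
    </domain-config>
</network-security-config>"""

if __name__ == "__main__":
    print("release:", audit_cleartext(MANIFEST % "false"))
    print("debug:  ", audit_cleartext(MANIFEST % "true"))
    print("option2:", audit_cleartext(MANIFEST % "false", NSC))
```

Failing the release pipeline whenever the returned list is non-empty keeps a debug-only exception from reaching production unnoticed.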

How Repeato Can Assist

Using Repeato, a no-code test automation tool for iOS and Android, can significantly streamline your testing process. Repeato allows you to create, run, and maintain automated tests without writing a single line of code. Its computer vision and AI-based approach ensures that your mobile apps are thoroughly tested, saving you time and effort.

With Repeato, you can easily forward the task of test automation to non-technical colleagues or QA teams, allowing developers to focus on creating great products. Its fast editing and running capabilities make it an invaluable tool for mobile developers.

Learn more about how Repeato can help you in our Getting Started Guide.
