22 May 2024 Leave a comment Tech-Help
Developers often encounter the “Cleartext HTTP traffic not permitted” error when their Android applications try to access HTTP URLs instead of HTTPS. This issue becomes prominent starting with Android 9 (API level 28), where cleartext traffic is disabled by default. This guide will help you understand and resolve this issue effectively.
Understanding the Issue
The error occurs because Android 9 and above enforce secure communications by default, blocking any HTTP (non-secure) traffic. This security measure is designed to protect users from potential threats associated with unencrypted data transmission. The exception typically looks like this:
IOException java.io.IOException: Cleartext HTTP traffic to * not permitted
Solution Options
Below are several methods to address this issue. You can choose the one that best fits your app’s requirements:
Option 1: Switch to HTTPS
The most straightforward solution is to switch your URLs from HTTP to HTTPS. If your server supports HTTPS, simply update your URLs:
http://example.com -> https://example.com
Option 2: Network Security Configuration
If switching to HTTPS is not feasible, you can create a network security configuration file to permit cleartext traffic for specific domains.
Create a file named res/xml/network_security_config.xml
:
<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
<domain-config cleartextTrafficPermitted="true">
<domain includeSubdomains="true">api.example.com</domain>
</domain-config>
</network-security-config>
Then, reference this configuration in your AndroidManifest.xml
:
<application
android:networkSecurityConfig="@xml/network_security_config"
...>
...
</application>
Option 3: Use android:usesCleartextTraffic
Another approach is to set the android:usesCleartextTraffic
attribute to true in your AndroidManifest.xml
:
<application
android:usesCleartextTraffic="true"
...>
...
</application>
Option 4: Environment-Specific Configurations
For developers who want to maintain security in production while allowing cleartext traffic in development, you can use environment-specific configurations. Update your build.gradle
:
buildTypes {
release {
manifestPlaceholders = [usesCleartextTraffic: "false"]
}
debug {
manifestPlaceholders = [usesCleartextTraffic: "true"]
}
}
Then, reference the placeholder in your AndroidManifest.xml
:
<application
android:usesCleartextTraffic="${usesCleartextTraffic}"
...>
...
</application>
Practical Example
Let’s consider a practical scenario where you need to permit cleartext traffic for a specific development environment while maintaining security for production. Here’s how you can achieve this:
// build.gradle
buildTypes {
release {
manifestPlaceholders = [usesCleartextTraffic: "false"]
}
debug {
manifestPlaceholders = [usesCleartextTraffic: "true"]
}
}
// AndroidManifest.xml
<application
android:usesCleartextTraffic="${usesCleartextTraffic}"
...>
...
</application>
How Repeato Can Assist
Using Repeato, a no-code test automation tool for iOS and Android, can significantly streamline your testing process. Repeato allows you to create, run, and maintain automated tests without writing a single line of code. Its computer vision and AI-based approach ensures that your mobile apps are thoroughly tested, saving you time and effort.
With Repeato, you can easily forward the task of test automation to non-technical colleagues or QA teams, allowing developers to focus on creating great products. Its fast editing and running capabilities make it an invaluable tool for mobile developers.
Learn more about how Repeato can help you in our Getting Started Guide.