Finally, Android Pie was released and we can?t wait to try it on an existing project. But when we try to run our app on emulator, we saw this error
java.io.IOException: Cleartext HTTP traffic to * not permitted
So what this exactly mean?
Cleartext is any transmitted or stored information that is not encrypted or meant to be encrypted.
When an app communicates with servers using a cleartext network traffic, such as HTTP, it could raise a risk of eavesdropping and tampering of content. Third parties can inject unauthorized data or leak information about the users. That is why developers are encouraged to a secure traffic only, such as HTTPS.
But just in case using cleartext is inevitable, developers can fix the error by
- Editing useCleartextTraffic attribute in manifest file, or
- Adding Network Security Config
Android 6.0 introduced the useCleartextTraffic attribute under application element in android manifest. The default value in Android P is ?false?. Setting this to true indicates that the app intends to use clear network traffic.
<application android:usesCleartextTraffic=”true”
However, this may appear to fix the problem but it opens a threat to data integrity. A better solution is offered in Android 7.0 through network security configuration file.
Network security configuration allows an app to permit cleartext traffic from a certain domain.
How to use it?
- Add a network security config file under res/xml.
added res/xml/network_security_config.xml
2. Add a domain config and set cleartextTrafficPermitted to ?true?.
<?xml version=”1.0″ encoding=”utf-8″?><network-security-config> <domain-config cleartextTrafficPermitted=”true”> <domain includeSubdomains=”true”>your_domain.com</domain> </domain-config></network-security-config>
3. Add your network security config to your Android manifest file under application.
<application android:name=”.MyApplication” android:networkSecurityConfig=”@xml/network_security_config”…
TL;DR ? You can fix cleartext traffic error by adding useCleartextTraffic=?true? in android manifest or by adding your domain through a Network security config file and set cleartextTrafficPermitted=?true?.
But still at the end of the day, better use a secure network traffic rather than a cleartext.
