ndroid 8: Cleartext HTTP traffic not permitted

According to Network security configuration

Starting with Android 9 (API level 28), cleartext support is disabled by default.

Also have a look at Android M and the war on cleartext traffic

Codelabs explanation from Google

Option 1 –

First try hitting the URL with “https://” instead of “http://”

Option 2 –

Create file res/xml/network_security_config.xml –

<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <domain-config cleartextTrafficPermitted="true">
        <domain includeSubdomains="true">api.example.com(to be adjusted)</domain>
    </domain-config>
</network-security-config>

AndroidManifest.xml –

<?xml version="1.0" encoding="utf-8"?>
<manifest ...>
    <uses-permission android:name="android.permission.INTERNET" />
    <application
        ...
        android:networkSecurityConfig="@xml/network_security_config"
        ...>
        ...
    </application>
</manifest>

Option 3 –

android:usesCleartextTraffic Doc

AndroidManifest.xml –

<?xml version="1.0" encoding="utf-8"?>
<manifest ...>
    <uses-permission android:name="android.permission.INTERNET" />
    <application
        ...
        android:usesCleartextTraffic="true"
        ...>
        ...
    </application>
</manifest>

Also as @david.s’ answer pointed out android:targetSandboxVersion can be a problem too –

According to Manifest Docs

android:targetSandboxVersion

The target sandbox for this app to use. The higher the sandbox version number, the higher the level of security. Its default value is 1; you can also set it to 2. Setting this attribute to 2 switches the app to a different SELinux sandbox. The following restrictions apply to a level 2 sandbox:

  • The default value of usesCleartextTraffic in the Network Security Config is false.
  • Uid sharing is not permitted.

So Option 4 –

If you have android:targetSandboxVersion in <manifest> then reduce it to 1

AndroidManifest.xml –

<?xml version="1.0" encoding="utf-8"?>
<manifest android:targetSandboxVersion="1">
    <uses-permission android:name="android.permission.INTERNET" />
    ...
</manifest>

Related Posts:

  1. @ converted to %40 in HTTPPost request
  2. Why am I suddenly getting a “Blocked loading mixed active content” issue in Firefox?
  3. Should a 502 HTTP status code be used if a proxy receives no response at all?
  4. What is the difference between a URI, a URL and a URN?
  5. HTTP Status 504
  6. Do I need Content-Type: application/octet-stream for file download?
  7. How to redirect all HTTP requests to HTTPS
  8. Problem HTTP error 403 in Python 3 Web Scraping
  9. application/x-www-form-urlencoded or multipart/form-data?
  10. Problem HTTP error 403 in Python 3 Web Scraping
  11. application/x-www-form-urlencoded or multipart/form-data?
  12. Is 418 “I’m a teapot” really an HTTP response code?
  13. How to define the basic HTTP authentication using cURL correctly?
  14. How to define the basic HTTP authentication using cURL correctly?
  15. “Cannot GET /” with Connect on Node.js
  16. What’s the difference between using application/csv vs text/csv? [duplicate]
  17. What are all the possible values for HTTP “Content-Type” header?
  18. What is the difference between PUT, POST and PATCH?
  19. What’s the difference between “Request Payload” vs “Form Data” as seen in Chrome dev tools Network tab
  20. Getting “Handshake failed…unexpected packet format” when using WebClient.UploadFile() with “https” when the server has a valid SSL certificate
  21. Can PHP cURL retrieve response headers AND body in a single request?
  22. How are parameters sent in an HTTP POST request?
  23. wget: unable to resolve host address `http’
  24. Are HTTP headers case-sensitive?
  25. Https to http redirect using htaccess
  26. How can I fix the “No certificates found – The app Chrome has requested a certificate” Android / Google Chrome issue
  27. Does WordPress send data about your blog to WordPress.org or Automattic?
  28. Hiding WordPress REST API v2 endpoints from public viewing
  29. Why is WordPress redirecting from http to https on a local environment?
  30. Switch from https back to http
  31. Chrome Version 44.0.2403.89 m is trying to force HTTPS
  32. Serving HTTP and HTTPS from one installation
  33. Does WordPress only support HTTP 1.1?
  34. force http canonical tag on https pages
  35. Upgrade to SSL Breaks Admin Dashboard
  36. Redirect www to non-www htaccess
  37. Remove HTTP: from the site URL and just keep // in it
  38. How are both HTTP and HTTPS versions displaying?
  39. WordPress – https : Css and Js files are not working (load on http instead of https)
  40. Cant Access Website – Changed HTTP to HTTPs
  41. The resource was preloaded using link preload but not used within a few seconds
  42. Access general settings trough wordpress files
  43. Broken urls with http site and https wp-admin
  44. using wp_remote_get to retrieve own url on local host
  45. Divert http to https with WordPress on IIS
  46. Can’t login to Dashboard when changing site URL to HTTPS
  47. Using wp-cron in backpress – problems with wp_remote_post, fsockopen error
  48. 403 error on admin login page
  49. Running index.php from command line & load balancer health checks
  50. Enable CORS in wordpress
  51. No ‘Access-Control-Allow-Origin’ header is present [closed]
  52. Redirect HTTP to HTTPS for all sub domains (blog posts)
  53. Changing HTTP to HTTPS
  54. How to use https on one page only?
  55. Allow non-SSL pages to use https or Force non-SSL pages to http?
  56. WordPress changing script source from https to http
  57. Change port of wordpress
  58. All content is HTTPS, but browsers warn of HTTP mixed content [closed]
  59. Any any insecure http:// URLs left in wordpress?
  60. How to get value of custom http header?
  61. Several times request to load plugins when sending one request
  62. How to make my site use HTTPS for images or how to insert images as relative paths?
  63. How to convert srcset links from https to http?
  64. My site doesn’t redirect from HTTP to HTTPS
  65. https to https problem – 404 and can’t login
  66. Need workaround for insecure XMLHttpRequest endpoint request
  67. Broken css on mobile phones only on https
  68. Get “HTTP/1.1 406 Not Acceptable” when accesing my website with Delphi Indy Control
  69. Redirecting specific sites to HTTP in WordPress Multisite
  70. Plesk login inaccessible after changing site URL
  71. Understanding Redirects
  72. Specific Page/Post Need to Stay Non SSL
  73. Staging Session Randomly Switched from Secure (https) to Not Secure
  74. mixed contents admin panel is Unsecured
  75. Moving wordpress site from HTTP to HTTPS ERR_TOO_MANY_REDIRECTS
  76. Implications of not completing all tasks when switching to HTTPS
  77. Redirect HTTP request to HTTPS request
  78. WordPress HTTP 500 Error “page isn’t working”
  79. Why is http header providing 404 while site is online?
  80. Navigation Bar displays vertically on Mozilla
  81. Moving site from HTTP to HTTPS
  82. How to switch static files back to using HTTP instead of HTTPS?
  83. CSS/JS is not working in multi lang installation
  84. WordPress HTTPS – ‘… better to use HTTP for installation …’
  85. Any idea on how to fix this error when forcing SSL on a certain page?
  86. how to server over http and https with one installation
  87. Nice font not working when http to https – SSL Issue
  88. Duplicator live to wamp https to http
  89. The plain HTTP request was sent to HTTPS port in wordpress [closed]
  90. Whole website redirected to httpa but in dashboard settings still http
  91. Is it bad to redirect http to https?
  92. For what is the “.well-known”-folder?
  93. Human readable format for http headers with tcpdump
  94. Best way to redirect all HTTP to HTTPS in IIS
  95. How to make wireshark filter POST-requests only?
  96. Image file urls still point to http instead of https
  97. Changing my URL in General Settings cause the site to crash
  98. Development to production, how to move a development site from http + dev.example.com to a production site https + example.com?
  99. How to force HTTP and stop SSL completey on WordPress website
  100. How do I make the block editor use https by default?

Leave a Comment