According to Network security configuration –
Starting with Android 9 (API level 28), cleartext support is disabled by default.
Also have a look at Android M and the war on cleartext traffic
Codelabs explanation from Google
Option 1 –
First try hitting the URL with “https://” instead of “http://”
Option 2 –
Create file res/xml/network_security_config.xml –
<?xml version="1.0" encoding="utf-8"?> <network-security-config> <domain-config cleartextTrafficPermitted="true"> <domain includeSubdomains="true">api.example.com(to be adjusted)</domain> </domain-config> </network-security-config>
AndroidManifest.xml –
<?xml version="1.0" encoding="utf-8"?> <manifest ...> <uses-permission android:name="android.permission.INTERNET" /> <application ... android:networkSecurityConfig="@xml/network_security_config" ...> ... </application> </manifest>
Option 3 –
android:usesCleartextTraffic Doc
AndroidManifest.xml –
<?xml version="1.0" encoding="utf-8"?> <manifest ...> <uses-permission android:name="android.permission.INTERNET" /> <application ... android:usesCleartextTraffic="true" ...> ... </application> </manifest>
Also as @david.s’ answer pointed out android:targetSandboxVersion
can be a problem too –
According to Manifest Docs –
android:targetSandboxVersion
The target sandbox for this app to use. The higher the sandbox version number, the higher the level of security. Its default value is 1; you can also set it to 2. Setting this attribute to 2 switches the app to a different SELinux sandbox. The following restrictions apply to a level 2 sandbox:
- The default value of
usesCleartextTraffic
in the Network Security Config is false. - Uid sharing is not permitted.
So Option 4 –
If you have android:targetSandboxVersion
in <manifest>
then reduce it to 1
AndroidManifest.xml –
<?xml version="1.0" encoding="utf-8"?> <manifest android:targetSandboxVersion="1"> <uses-permission android:name="android.permission.INTERNET" /> ... </manifest>