Android Question Google Rejection - Cleartext traffic allowed for all domains - API 34 problem

[RichardN]

I have a paid app that I have maintained for more than 10 years. At my recent update for API 34 it has been rejected with:

Cleartext traffic allowed for all domainsYour app's Network Security Configuration allows cleartext traffic for all domains. This could allow eavesdroppers to intercept data sent by your app. If that data is sensitive or user-identifiable it could impact the privacy of your users.Consider only permitting encrypted traffic by setting the cleartextTrafficPermitted flag to false, or adding an encrypted policy for specific domains.

The app uses the standard WebView to display internal HTML help files and does not facilitate user interaction with external content. At some stage in this app's history I was obliged to add the following because of problems loading the internal content.

CreateResourceFromFile(Macro, Core.NetworkClearText)

....presumably to facilitate non-HTTPS URLs ?

With API 34 compilation publication is blocked due to this issue. I have removed the manifest line and tested on an Android 14 device, the internal HTML content still loads and displays correctly. I am left wondering if this will now pass review?

My only course of action is to submit a new version and find out.......

 

[Erel]

With API 34 compilation publication is blocked due to this issue. I have removed the manifest line and tested on an Android 14 device, the internal HTML content still loads and displays correctly. I am left wondering if this will now pass review?

This should fix the mentioned issue. It will however mean that WebView will not load non-https urls.