Android Question [solved] Excessive use of HTTP in store app

Andrew (Digitwell)

I need some help with a new manifest/security configuration.


I was just updating a live android app and I saw that there was a warning on the existing store app.
The warning is as follows:

Now, I only use HTTP when developing on my local machine (to connect to a WSL2 Ubuntu instance); when I release the live app, all calls are HTTPS.
However, this means that I do have CreateResourceFromFile(Macro, Core.NetworkClearText) in the manifest.

The survey basically asks you if you know how to convert your app from HTTP to HTTPS (which it already is when running against production servers).


This page, https://developer.android.com/training/articles/security-config, talks about how to limit cleartext to only certain domains.

I think it should be in the manifest file:
B4X:
    <application android:networkSecurityConfig="@xml/network_security_config" >
    </application>

In the security config file, which is an XML file somewhere, it should be something like:

B4X:
<network-security-config>
    <domain-config cleartextTrafficPermitted="true">
         <domain includeSubdomains="true">http://localipdomain</domain>
    </domain-config>
</network-security-config>

Can anyone help me set this up?

Thanks
 

drgottjr

Kill the macro line and add this (edit as needed) to the manifest:
B4X:
SetApplicationAttribute(android:networkSecurityConfig, @xml/network_security_config)
CreateResource(xml, network_security_config.xml,
<network-security-config>
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>
    <domain-config cleartextTrafficPermitted="true">
        <domain includeSubdomains="true">insecure.example.com</domain>
        <domain includeSubdomains="true">dominio2</domain>
        <domain includeSubdomains="true">dominio3</domain>
        <domain includeSubdomains="true">... (dominio n)</domain>
    </domain-config>
</network-security-config>
)

Get rid of the entries that don't apply and put in your localhost line.
 
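A pre-release check for the configuration in the answer above, added here as an example and not code from the thread or from B4A: it parses a network security config and reports which hosts may still use cleartext HTTP. The sample XML, the address 192.0.2.10 and the function names are constructed for illustration; `default=False` assumes an app targeting API 28 or later, where cleartext is off unless the config enables it.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the layout from the answer, with a made-up dev address.
SAMPLE = """
<network-security-config>
  <base-config cleartextTrafficPermitted="false">
    <trust-anchors><certificates src="system" /></trust-anchors>
  </base-config>
  <domain-config cleartextTrafficPermitted="true">
    <domain includeSubdomains="true">insecure.example.com</domain>
    <domain includeSubdomains="false">192.0.2.10</domain>
  </domain-config>
</network-security-config>
"""

def _flag(elem, inherited):
    """Read cleartextTrafficPermitted, falling back to the inherited value."""
    value = None if elem is None else elem.get("cleartextTrafficPermitted")
    return inherited if value is None else value.strip().lower() == "true"

def load_rules(xml_text, default=False):
    """Return (base_flag, [(domain, include_subdomains, flag), ...])."""
    root = ET.fromstring(xml_text)
    base = _flag(root.find("base-config"), default)
    rules = []
    def walk(parent, inherited):
        for cfg in parent.findall("domain-config"):
            flag = _flag(cfg, inherited)
            for d in cfg.findall("domain"):
                name = (d.text or "").strip().lower()
                if not name or "/" in name:  # a URL such as http://host never matches
                    raise ValueError(f"<domain> must be a bare host name: {name!r}")
                rules.append((name, d.get("includeSubdomains", "false").lower() == "true", flag))
            walk(cfg, flag)  # nested domain-config inherits from its parent
    walk(root, base)
    return base, rules

def cleartext_allowed(xml_text, host, default=False):
    """Most specific (longest) matching <domain> wins, else base-config."""
    base, rules = load_rules(xml_text, default)
    host = host.lower().rstrip(".")
    hits = [(len(n), f) for n, sub, f in rules
            if host == n or (sub and host.endswith("." + n))]
    return max(hits)[1] if hits else base

def cleartext_exceptions(xml_text, default=False):
    """Hosts for which HTTP is still allowed; empty in a release config."""
    return sorted(n for n, _, f in load_rules(xml_text, default)[1] if f)
```

Running `cleartext_exceptions` on the file that ships in the release build shows whether a development-only entry, such as a local IP address, is still in the published app.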

Andrew (Digitwell)

Thanks @drgottjr

That works great. In my case the domain name is an ip address.

Didn't know you could create an XML file from the manifest.

I'm going to roll this out for all my apps.
 