Android 8 Cleartext HTTP traffic not permitted

Introduction

With the release of Android 8.0 (Oreo), Google introduced a number of significant security enhancements, one of which is the change in handling cleartext HTTP traffic. Cleartext traffic refers to unencrypted data sent over the Internet, which can be susceptible to interception and tampering by malicious actors. By disallowing cleartext HTTP traffic, Android 8 aims to enhance the security and confidentiality of data exchanged by apps.

Technical Explanation

Cleartext HTTP Traffic

Cleartext HTTP traffic is data sent over the Hypertext Transfer Protocol (HTTP) without encryption. Anyone able to observe the network path, for example with a packet sniffer, can intercept it, exposing sensitive information such as user credentials, API keys, and personal data.

Android 8 Behavior Change

In Android 8.0, the default behavior is to disallow cleartext (non-HTTPS) traffic. This change requires app developers to use the more secure HTTPS protocol, which encrypts data through Transport Layer Security (TLS).

Network Security Configuration

To enforce or relax this rule, Android 8 introduced a networkSecurityConfig XML file which developers can utilize in their applications. This file enables fine-grained control over the network security policy, including setting domain-specific rules for cleartext traffic.

Here is an example of a network_security_config.xml:

```xml
<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <domain-config cleartextTrafficPermitted="false">
        <domain includeSubdomains="true">example.com</domain>
    </domain-config>
</network-security-config>
```

This configuration file specifies that cleartext traffic is not permitted for example.com and, because includeSubdomains is true, for its subdomains. To enable cleartext traffic for a domain, developers can set cleartextTrafficPermitted to true.

Example Use Cases

  1. Legacy Support: Some applications may rely on legacy systems or APIs that do not support HTTPS. Developers can specify exceptions in the networkSecurityConfig to allow cleartext traffic for specific domains.
  2. Testing Environment: Developers might need to allow cleartext traffic in a controlled testing environment. The configuration can be adjusted during development and testing phases but should be secured for production.
  3. Internal Networking: In some enterprise environments, applications might be operating within a secured internal network where cleartext HTTP may be less risky. The flexibility of the network security config allows exceptions for such scenarios.
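
To review exceptions like the ones listed above, the following added example (not code from the original article or from Android) parses a network_security_config.xml and resolves the effective cleartext policy for a hostname. It assumes the documented matching rules: the longest matching domain rule wins, a nested domain-config inherits from its parent, and the `platform_default` parameter stands in for whatever default applies when the file sets no value. The sample config, hostnames and function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: HTTPS-only by default, one legacy host allowed cleartext,
# and a nested rule that turns cleartext back off for one host beneath it.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config cleartextTrafficPermitted="false" />
    <domain-config cleartextTrafficPermitted="true">
        <domain includeSubdomains="true">legacy.example.com</domain>
        <domain-config cleartextTrafficPermitted="false">
            <domain>pay.legacy.example.com</domain>
        </domain-config>
    </domain-config>
</network-security-config>"""

def _flag(value, inherited):
    # An attribute that is not set inherits the enclosing config's value.
    return inherited if value is None else value.strip().lower() == "true"

def collect_rules(xml_text, platform_default=False):
    """Return (base_policy, [(domain, include_subdomains, cleartext_allowed)])."""
    root = ET.fromstring(xml_text)
    base = root.find("base-config")
    base_attr = base.get("cleartextTrafficPermitted") if base is not None else None
    base_policy = _flag(base_attr, platform_default)
    rules = []
    def walk(node, inherited):
        for cfg in node.findall("domain-config"):
            allowed = _flag(cfg.get("cleartextTrafficPermitted"), inherited)
            for dom in cfg.findall("domain"):
                subs = _flag(dom.get("includeSubdomains"), False)
                rules.append(((dom.text or "").strip().lower(), subs, allowed))
            walk(cfg, allowed)  # nested domain-config inherits from its parent
    walk(root, base_policy)
    return base_policy, rules

def cleartext_allowed(xml_text, host, platform_default=False):
    """Effective policy for host: the longest matching domain rule wins."""
    base_policy, rules = collect_rules(xml_text, platform_default)
    host, best = host.lower().rstrip("."), None
    for domain, subs, allowed in rules:
        if host == domain or (subs and host.endswith("." + domain)):
            if best is None or len(domain) > len(best[0]):
                best = (domain, allowed)
    return best[1] if best else base_policy

def cleartext_exceptions(xml_text, platform_default=False):
    """Every domain rule that permits cleartext, for a reviewer to justify."""
    return sorted(d for d, _, ok in collect_rules(xml_text, platform_default)[1] if ok)
```

With the sample, `cleartext_allowed(SAMPLE_CONFIG, "x.pay.legacy.example.com")` returns True because the nested rule omits includeSubdomains, so hosts beneath it fall back to the broader legacy exception. This is the kind of gap a config review should catch before release.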

Network Security Configuration Structure

The core structure of network security configuration allows developers to specify several attributes and elements to manage their app's network policy.

| Element | Description |
| --- | --- |
| `<network-security-config>` | Root element defining the network security configuration. |
| `<domain-config>` | Specifies configuration for specific domains. Attributes: cleartextTrafficPermitted, hstsEnforced. |
| `<debug-overrides>` | Configuration overrides applicable when the device is in "debug" mode. |
| `<trust-anchors>` | Customizes which certificate authorities are trusted. Contains either certificates or system. |

Impact of Cleartext Policy

Enhanced Security

  • Data Protection: Prevents sensitive data from being intercepted in transit by enforcing encryption through HTTPS.
  • Compliance: Assists in meeting security standards and regulations such as GDPR and CCPA, which require safeguarding personal information.

Challenges for Developers

  • Migrating Legacy Systems: Requires resources to update backend services to support HTTPS.
  • Testing and Debugging: Developers must take care to configure network settings correctly for each environment.

Best Practices

To efficiently adhere to the cleartext policy and enhance app security, developers should:

  1. Embrace HTTPS: Ensure all data transmission is encrypted. Utilize strong cipher suites and modern TLS versions.
  2. Regular Updates: Keep app dependencies and libraries up-to-date to protect against known vulnerabilities.
  3. Testing: Thoroughly test network configurations in development environments to ensure correct behavior in production.
  4. User Notifications: Inform users about the security measures in place, increasing trust in the application.

Conclusion

The changes in handling cleartext HTTP traffic in Android 8 signify a move towards a more secure mobile ecosystem. While initially posing challenges for developers with legacy systems, the transition to encrypted communications through HTTPS provides a more secure and trustworthy environment for users, aligning with global security standards. By leveraging the network security configuration, developers can maintain flexibility in their applications while ensuring data safety.

