adding Network Security Config

I have a question.

Added in Corona 2018.3455

Android: adding Network Security Config

What is this?

How do I set up?

Do you have any more context about what you’re wanting/needing to do here?

Rob

Thank you for the reply.

I only want to know about Network Security Config.

Is there no document on this?

What is it used for?

This appears to be something needed to allow http: to continue to work and not require https:

This is the Google doc that talks about it:  https://developer.android.com/training/articles/security-config

“The default configuration for apps targeting Android 7.0 (API level 24) to Android 8.1 (API level 27) is as follows:”

This appears to be the XML file added for this support:

\<base-config cleartextTrafficPermitted="true"\> \<trust-anchors\> \<certificates src="system" /\> \</trust-anchors\> \</base-config\>

It does not look like this is a developer settable feature, it’s just us adding the network XML file.

Rob

I’ve recently received a pre-launch report from google that detected a vulrenability related to this issue:

Cleartext traffic allowed for all domains Detected in APK 43, 42 Your app's Network Security Configuration allows cleartext traffic for all domains. This could allow eavesdroppers to intercept data sent by your app. If that data is sensitive or user-identifiable it could impact the privacy of your users. Consider only permitting encrypted traffic by setting the cleartextTrafficPermitted flag to false, or adding an encrypted policy for specific domains. 

Can we control this flag from our build settings?

 

Do you have any more context about what you’re wanting/needing to do here?

Rob

Thank you for the reply.

I only want to know about Network Security Config.

Is there no document on this?

What is it used for?

This appears to be something needed to allow http: to continue to work and not require https:

This is the Google doc that talks about it:  https://developer.android.com/training/articles/security-config

“The default configuration for apps targeting Android 7.0 (API level 24) to Android 8.1 (API level 27) is as follows:”

This appears to be the XML file added for this support:

\<base-config cleartextTrafficPermitted="true"\> \<trust-anchors\> \<certificates src="system" /\> \</trust-anchors\> \</base-config\>

It does not look like this is a developer settable feature, it’s just us adding the network XML file.

Rob

I’ve recently received a pre-launch report from google that detected a vulrenability related to this issue:

Cleartext traffic allowed for all domains Detected in APK 43, 42 Your app's Network Security Configuration allows cleartext traffic for all domains. This could allow eavesdroppers to intercept data sent by your app. If that data is sensitive or user-identifiable it could impact the privacy of your users. Consider only permitting encrypted traffic by setting the cleartextTrafficPermitted flag to false, or adding an encrypted policy for specific domains. 

Can we control this flag from our build settings?

 

I am getting the same message, which I’ve never seen before, on my latest app update. Did you find out if it can be set in build.settings?

Read my reply here: