Google rejection "cleartext traffic allowed for all domains"

I have just had an app update rejected by Google with this message …

Your app’s Network Security Configuration allows cleartext traffic for all domains. This could allow eavesdroppers to intercept data sent by your app. If that data is sensitive or user-identifiable, it could impact upon the privacy of your users.

Consider only permitting encrypted traffic by setting the cleartextTrafficPermitted flag to false, or adding an encrypted policy for specific domains.

I haven’t had this problem before (but it’s the first submission I’ve done since the SDK became Solar2D) and it’s not immediately obvious to me whether or not I can set this flag in build.settings. There are some old posts referring to this setting but I’m sure they are still relevant. I’m not transferring any data in the app and only have a call, using an https URL, to my app store page in the code.

This has been in Corona for a long time. I would open up a defect to fix it. I would change it but I don’t know what would be sufficient.

I might be wrong but it looks like the Android template is using something very permissive:

Usually, on my native apps, I have this:

<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    ...
    <domain-config cleartextTrafficPermitted="true">
        <domain includeSubdomains="true">127.0.0.1</domain>
    </domain-config>
    ...
</network-security-config>
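An added example, not part of any post in this thread and not Solar2D or Google code: a Python check that reads a network security config and reports whether cleartext is allowed for every domain (the condition in the rejection message) or only for listed domains, as in the scoped config above. The function name and both sample configs are constructed for illustration; the default for an unset flag follows the Android rule of permitted up to API level 27 and blocked from API level 28.

```python
import xml.etree.ElementTree as ET

# Constructed sample: cleartext allowed for every domain (what the Play check flags).
PERMISSIVE = """<network-security-config>
    <base-config cleartextTrafficPermitted="true" />
</network-security-config>"""

# Constructed sample following the scoped config in the post above: loopback only.
SCOPED = """<network-security-config>
    <domain-config cleartextTrafficPermitted="true">
        <domain includeSubdomains="true">127.0.0.1</domain>
    </domain-config>
</network-security-config>"""


def audit_cleartext(xml_text, target_sdk=28):
    """Return (cleartext_for_all_domains, [(domain, include_subdomains), ...])."""
    root = ET.fromstring(xml_text)
    # Platform default when nothing sets the flag: allowed up to API 27, blocked from 28.
    default = target_sdk <= 27

    def permitted(elem, inherited):
        value = elem.get("cleartextTrafficPermitted")
        return inherited if value is None else value.strip().lower() == "true"

    base = root.find("base-config")
    base_allowed = default if base is None else permitted(base, default)

    exceptions = []

    def walk(parent, inherited):
        # A domain-config inherits unset values from its parent domain-config,
        # or from base-config when it is not nested.
        for cfg in parent.findall("domain-config"):
            allowed = permitted(cfg, inherited)
            if allowed:
                for dom in cfg.findall("domain"):
                    subs = dom.get("includeSubdomains", "false").lower() == "true"
                    exceptions.append(((dom.text or "").strip(), subs))
            walk(cfg, allowed)

    walk(root, base_allowed)
    return base_allowed, exceptions


if __name__ == "__main__":
    for name, cfg in (("permissive", PERMISSIVE), ("scoped", SCOPED)):
        print(name, audit_cleartext(cfg))
```

Run it against the `network_security_config.xml` extracted from the built APK, passing the app's target SDK; a `True` in the first position is the all-domains case.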

I just got an update approved today so it is either not a problem with the latest daily or you are using a plugin that is not secure.

I did not get outright rejected (it was approved) but if I look at the detail report for security I see this:

I am going to take a wild guess that if they are checking it will start impacting your ranking.

The docs say…

Note: The guidance in this section applies only to apps that target Android 8.1 (API level 27) or lower. Starting with Android 9 (API level 28), cleartext support is disabled by default.

So hopefully this is not a problem.

Hi, in our current testing, target API is 29 and I still get this error from the Google pre-launch report. Is there a method to actively disable it from the build.settings file?

I just got the same rejection reply today. I have not really changed anything in the app, only updated something in the database, but used the latest build as I had to target the SDK 30 from 1 November so this might be related to it. Has anyone resolved this issue yet?

I also started seeing that after updating Solar2D version from 3646 to 3660. This one is not a warning. It’s labeled as an error in the console. I’m not sure if I’ll get rejected if I submit this build but they already sent a clear notification for the internal build. @vlads?

It links to this article: https://developer.android.com/training/articles/security-config#CleartextTrafficPermitted

“cleartext” search on repository:

The problem has been solved for me (I hope for others as well) in Build 3661, thank you Vlad.

Just don’t use http: and this is not an issue