Android 8: Cleartext Http Traffic Not Permitted

Android 8: Cleartext HTTP traffic not permitted

According to Network security configuration -

Starting with Android 9 (API level 28), cleartext support is disabled
by default.

Also have a look at Android M and the war on cleartext traffic

Codelabs explanation from Google

Option 1 -

First try hitting the URL with https:// instead of http://

Option 2 -

Create file res/xml/network_security_config.xml -

<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <domain-config cleartextTrafficPermitted="true">
        <!-- api.example.com is a placeholder, to be adjusted to your host -->
        <domain includeSubdomains="true">api.example.com</domain>
    </domain-config>
</network-security-config>

AndroidManifest.xml -

<?xml version="1.0" encoding="utf-8"?>
<manifest ...>
    <uses-permission android:name="android.permission.INTERNET" />
    <application
        ...
        android:networkSecurityConfig="@xml/network_security_config"
        ...>
        ...
    </application>
</manifest>

Option 3 -

android:usesCleartextTraffic Doc

AndroidManifest.xml -

<?xml version="1.0" encoding="utf-8"?>
<manifest ...>
    <uses-permission android:name="android.permission.INTERNET" />
    <application
        ...
        android:usesCleartextTraffic="true"
        ...>
        ...
    </application>
</manifest>

Also as @david.s' answer pointed out android:targetSandboxVersion can be a problem too -

According to Manifest Docs -

android:targetSandboxVersion

The target sandbox for this app to use. The higher the sandbox version
number, the higher the level of security. Its default value is 1; you
can also set it to 2. Setting this attribute to 2 switches the app to
a different SELinux sandbox. The following restrictions apply to a
level 2 sandbox:

  • The default value of usesCleartextTraffic in the Network Security Config is false.
  • Uid sharing is not permitted.

So Option 4 -

If you have android:targetSandboxVersion in <manifest> then reduce it to 1

AndroidManifest.xml -

<?xml version="1.0" encoding="utf-8"?>
<manifest android:targetSandboxVersion="1">
    <uses-permission android:name="android.permission.INTERNET" />
    ...
</manifest>
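
An added example, not part of the original answers: a small Python audit that lists which hosts a network_security_config.xml opens to cleartext, so the scoped domain-config of Option 2 can be compared with an app-wide base-config or usesCleartextTraffic setting. The sample XML is constructed, the function names are hypothetical, and it assumes the app targets API 28+, where an unset value means cleartext is off.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample inputs (not taken from a real app).
SCOPED = """<network-security-config>
  <base-config cleartextTrafficPermitted="false" />
  <domain-config cleartextTrafficPermitted="true">
    <domain includeSubdomains="true">api.example.com</domain>
    <domain-config>
      <domain includeSubdomains="false">legacy.example.com</domain>
    </domain-config>
  </domain-config>
</network-security-config>"""
GLOBAL = """<network-security-config>
  <base-config cleartextTrafficPermitted="true" />
</network-security-config>"""
MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <application android:usesCleartextTraffic="true" />
</manifest>"""

def cleartext_scopes(nsc_xml):
    """List the hosts a network security config opens to cleartext HTTP.

    "*" means every host (base-config). A domain-config that does not set
    cleartextTrafficPermitted inherits it from its parent domain-config,
    or from base-config when it is not nested.
    """
    root = ET.fromstring(nsc_xml)
    base = root.find("base-config")
    # Assumption: target API 28+, so a missing value is treated as "not permitted".
    base_val = base.get("cleartextTrafficPermitted") if base is not None else None
    scopes = ["*"] if base_val == "true" else []

    def walk(node, inherited):
        for dc in node.findall("domain-config"):
            val = dc.get("cleartextTrafficPermitted", inherited)
            if val == "true":
                for d in dc.findall("domain"):
                    sub = d.get("includeSubdomains") == "true"
                    scopes.append((d.text or "").strip() + (" (+subdomains)" if sub else ""))
            walk(dc, val)  # nested domain-configs inherit this value

    walk(root, base_val)
    return scopes

def manifest_allows_all_cleartext(manifest_xml):
    """True if <application android:usesCleartextTraffic="true"> is present."""
    app = ET.fromstring(manifest_xml).find("application")
    return app is not None and app.get(ANDROID_NS + "usesCleartextTraffic") == "true"
```

A result of `["*"]` or a `True` from the manifest check means HTTP is allowed to every host; a short list of named hosts is the narrower setting to aim for in release builds.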

Cleartext HTTP traffic to ... not permitted

Try changing your network_security_config.xml as follows:

<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config cleartextTrafficPermitted="true"></base-config>
</network-security-config>

There was an error with the request: Cleartext HTTP traffic to localhost not permitted

Since Android 9 they try to push people to use HTTPS APIs instead of HTTP.
But there are ways to disable it.

The simple answer is to allow HTTP in your whole app by modifying the AndroidManifest.xml and adding android:usesCleartextTraffic="true" to the application:

<application
    android:allowBackup="true"
    android:icon="@mipmap/ic_launcher"
    android:label="@string/app_name"
    android:roundIcon="@mipmap/ic_launcher_round"
    android:supportsRtl="true"
    android:usesCleartextTraffic="true"
    ...>

For a more fine-tuned, domain-dependent approach I recommend reading this:
https://developer.android.com/training/articles/security-config#CleartextTrafficPermitted

Cleartext HTTP traffic to www.android.com not permitted when trying httpurlconnection in Android Studio

Add this to your app:

<?xml version="1.0" encoding="utf-8"?>
<manifest ...>
    <uses-permission android:name="android.permission.INTERNET" />
    <!-- The android:usesCleartextTraffic line below is the one to add. -->
    <application
        ...
        android:usesCleartextTraffic="true"
        ...>
        ...
    </application>
</manifest>

Cleartext http traffic not permitted

To do this in Android 9 Pie you will have to set a networkSecurityConfig in your Manifest application tag like this:

<?xml version="1.0" encoding="utf-8"?>
<manifest ... >
    <application android:networkSecurityConfig="@xml/network_security_config">
    </application>
</manifest>

Then create an XML file named network_security_config, just as you named it in the Manifest. The content of the file should be like this to enable all requests without encryption:

<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config cleartextTrafficPermitted="true">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>
</network-security-config>

If this is not working, please make your request from a secure domain (HTTPS).

Cleartext HTTP traffic to myserver.com not permitted on Android N preview

There is a known issue in Android N Developer Preview 4 where, if an app modifies its ApplicationInfo.flags, it triggers the blocking of cleartext traffic from the app, even if the app didn't request cleartext traffic to be blocked. The fix is in the next Developer Preview. Thus, this has nothing to do with your Network Security Config. In fact, it looks like you don't even need to declare a custom Network Security Config.

If you can't wait until the next Android N Developer Preview, check your app for places where it modifies its own ApplicationInfo.flags. Typically this takes the form of getApplicationInfo().flags &= ApplicationInfo.FLAG_DEBUGGABLE or getApplicationInfo().flags = ApplicationInfo.FLAG_DEBUGGABLE. The fix for these usages is (getApplicationInfo().flags & ApplicationInfo.FLAG_DEBUGGABLE).

Alternatively, as a workaround, invoke NetworkSecurityPolicy.isCleartextTrafficPermitted() as early in your app's lifecycle as possible. This workaround should work if invoked before the code which tampers with ApplicationInfo.flags.

Flutter Cleartext HTTP traffic not permitted

Please add the code below to your manifest file:

<?xml version="1.0" encoding="utf-8"?>
<manifest ...>
    <uses-permission android:name="android.permission.INTERNET" />
    <application
        ...
        android:usesCleartextTraffic="true"
        ...>
        ...
    </application>
</manifest>

You can read details here https://medium.com/@imstudio/android-8-cleartext-http-traffic-not-permitted-73c1c9e3b803


