Cleartext network traffic

Android Marshmallow also added a new flag to the manifest. This flag indicates whether the application intends to use cleartext network traffic such as plain HTTP. The flag is android:usesCleartextTraffic, and its default value is true. Setting it to false means that some system API components, such as the HTTP and FTP stacks, DownloadManager and MediaPlayer, will refuse to issue cleartext traffic and will only allow encrypted transports such as HTTPS. It is good practice for third-party libraries to honor this setting as well. Why is this good? Cleartext traffic lacks confidentiality, authenticity and integrity protection: anyone on the network path can read it, impersonate the server, or tamper with the data without the app ever noticing. This is a major risk for applications, and we can now use the flag to enforce a stronger and more secure data transport to and from our applications.

We need to remember that this flag is honored on a best-effort basis, and it is not possible to prevent all cleartext traffic from an Android application: the app has permission to use the Socket API, for instance, and the Socket API cannot tell whether the bytes it sends are cleartext. We can check the flag at runtime by reading it from either ApplicationInfo.flags (the FLAG_USES_CLEARTEXT_TRAFFIC bit) or NetworkSecurityPolicy.isCleartextTrafficPermitted().

Note

WebView does not honor this flag, which means that it will load HTTP even if the flag is false.
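The following is an added example, not code from the book's sample project, showing how an app can read the flag both ways and then enforce it in the two places the platform does not: a raw Socket and a Marshmallow WebView. The class name CleartextPolicy, the helper names and the manifest snippet in the comment are assumptions made for this illustration.

```java
import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.net.Uri;
import android.os.Build;
import android.security.NetworkSecurityPolicy;
import android.webkit.WebView;
import android.webkit.WebViewClient;

import java.io.IOException;
import java.net.Socket;

/*
 * Manifest side (AndroidManifest.xml), assumed for this example:
 *
 *   <application
 *       android:usesCleartextTraffic="false"
 *       ... >
 */
public final class CleartextPolicy {
    private CleartextPolicy() {}

    /** Reads the manifest flag from ApplicationInfo. Before Marshmallow the
     *  bit is not defined, so we report "permitted" (the pre-M behaviour). */
    public static boolean flagFromApplicationInfo(Context ctx) {
        if (Build.VERSION.SDK_INT < Build.VERSION_CODES.M) return true;
        int flags = ctx.getApplicationInfo().flags;
        return (flags & ApplicationInfo.FLAG_USES_CLEARTEXT_TRAFFIC) != 0;
    }

    /** Asks the platform policy, which is what the HTTP stack, DownloadManager
     *  and MediaPlayer consult before opening a connection. */
    public static boolean isCleartextPermitted() {
        if (Build.VERSION.SDK_INT < Build.VERSION_CODES.M) return true;
        return NetworkSecurityPolicy.getInstance().isCleartextTrafficPermitted();
    }

    /** True when loading this URL would be a cleartext connection (http or ftp).
     *  A missing scheme is treated as cleartext so that the check fails closed. */
    public static boolean isCleartextUrl(String url) {
        String scheme = Uri.parse(url).getScheme();
        return scheme == null
                || "http".equalsIgnoreCase(scheme)
                || "ftp".equalsIgnoreCase(scheme);
    }

    /** The Socket API is not covered by the flag, so a plain Socket (which is
     *  cleartext unless the app layers TLS on top of it) must check the policy
     *  itself before connecting. */
    public static Socket openPlainSocket(String host, int port) throws IOException {
        if (!isCleartextPermitted()) {
            throw new IOException("Cleartext socket to " + host + ":" + port
                    + " refused: android:usesCleartextTraffic is false");
        }
        return new Socket(host, port);
    }

    /** WebView ignores the flag on Marshmallow, so this client re-applies it:
     *  http:// navigations are swallowed instead of loaded when cleartext is
     *  not permitted. Install it with webView.setWebViewClient(...). */
    public static WebViewClient enforcingClient() {
        return new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, String url) {
                // Returning true tells WebView that we handled the URL ourselves,
                // which here means: do not load it.
                return isCleartextUrl(url) && !isCleartextPermitted();
            }
        };
    }
}
```

Both checks should agree for the calling app; NetworkSecurityPolicy is the one the system components actually consult, while the ApplicationInfo bit is useful when you want to inspect another installed package's manifest setting.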

So, what do we do with the cleartext network traffic flag?

During app development, we can use StrictMode and identify any cleartext traffic from our app using StrictMode.VmPolicy.Builder.detectCleartextNetwork().

The downside of setting usesCleartextTraffic to false is that every cleartext request now fails: the platform's HTTP stack refuses the connection and throws, and if that exception is not handled the app crashes (StrictMode's death penalty, described next, terminates the process outright). This is great in theory but painful in production if your TLS certificate (SSL, short for Secure Sockets Layer, is the older name for the protocol) has issues and you are tempted to reroute the traffic to HTTP. Resist that fallback: a downgrade to plain HTTP under certificate trouble is exactly the scenario the flag exists to prevent, so fix the certificate instead. Pay extra attention to where HTTPS is used in your app and whether there is any endpoint for which plain HTTP is truly acceptable.

Luckily, we have StrictMode, which now has a way to warn you if your application executes any unencrypted network operations, via the detectCleartextNetwork() method on StrictMode.VmPolicy.Builder. In our sample project, we have a ClearTextNetworkUsageActivity activity; when running the TestStrictHttp productFlavor variant, you will see the StrictMode cleartext violation reported in LogCat.
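As an added example (not the book's sample project), here is one way to wire up the StrictMode policy discussed above so that cleartext traffic is logged everywhere but only kills the process in development builds. The class name SampleApp and the use of BuildConfig.DEBUG to decide which penalty applies are assumptions; the book's sample selects the behaviour by product flavor instead.

```java
import android.app.Application;
import android.os.Build;
import android.os.StrictMode;

public class SampleApp extends Application {
    @Override
    public void onCreate() {
        super.onCreate();
        // detectCleartextNetwork() and penaltyDeathOnCleartextNetwork() exist
        // from API 23 (Marshmallow) onwards.
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.M) {
            installCleartextDetection(BuildConfig.DEBUG); // assumed build flag
        }
    }

    /** Logs every cleartext network operation; in debug builds it also kills
     *  the process so that an http:// call cannot slip through testing. */
    static void installCleartextDetection(boolean debugBuild) {
        StrictMode.VmPolicy.Builder builder = new StrictMode.VmPolicy.Builder()
                .detectCleartextNetwork()
                .penaltyLog();
        if (debugBuild) {
            // Production keeps penaltyLog only: a crash on a stray HTTP request
            // is worse for users than the log line is for us.
            builder.penaltyDeathOnCleartextNetwork();
        }
        StrictMode.setVmPolicy(builder.build());
    }
}
```

StrictMode's detection is best-effort in the same way the manifest flag is: it tags the app's sockets and relies on kernel support to spot unencrypted payloads, so treat a clean LogCat as evidence, not proof, that no cleartext leaves the app.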


Wrapping up

Android Marshmallow gave us a new API to authenticate users: the Fingerprint API. We can use the sensor to authenticate the user within our own application, and with the credentials grace period Android Marshmallow introduced we can keep that authentication valid for a while and spare the user a fresh login.

We also covered a way to make our application more secure by using HTTPS only: the usesCleartextTraffic flag, backed by a StrictMode policy during development, lets us audit every endpoint the app talks to and decide whether each one needs a secure connection.

I would like to thank you for reading.

I would like to thank the Android team. This product has changed my life.

The Android ecosystem has great developers contributing by publishing libraries, writing blog posts and answering support questions; I’m proud to be part of it.

Looking forward to future editions.