Cleartext network traffic
Android Marshmallow also added a new flag to the manifest that indicates whether the application uses cleartext network traffic such as HTTP. The flag is android:usesCleartextTraffic, and its default value is true (for apps targeting Android 9, API level 28, or later, the default later became false). Setting it to false means that some system API components, such as the HTTP and FTP stacks and MediaPlayer, will refuse to issue HTTP traffic and will only allow HTTPS. Third-party networking libraries should honor this setting as well. Why is this good? Cleartext traffic lacks confidentiality, authenticity, and protection against tampering: data can be read or altered in transit without the change being detected. This is a major risk for applications, and we can now use this flag to enforce a stronger and more secure data transport to and from our applications.
We need to remember that this flag is honored on a best-effort basis, and it is not possible to prevent all cleartext traffic from an Android application: an app that has network permission can use the Socket API directly, for instance, and the Socket API cannot determine whether the bytes it carries are cleartext. We can check out this flag by reading it from either
WebView does not honor this flag, which means that it will load HTTP even if the flag is
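As an added example that is not from the book or its sample project, here is a small helper written in the spirit of the third-party libraries the text says should honor the flag. It reads the policy through NetworkSecurityPolicy (API 23+), which is what the platform HTTP stack itself consults, shows the IOException behaviour of HttpURLConnection, and applies the same rule to raw sockets, which the platform cannot police. The class and method names (CleartextPolicy, fetchStatus, openSocket) are my own.

```java
import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.os.Build;
import android.security.NetworkSecurityPolicy;

import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.Socket;
import java.net.URL;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

/**
 * Added example (not from the book): a networking helper that honors
 * android:usesCleartextTraffic for connections the platform cannot police.
 */
public final class CleartextPolicy {

    private CleartextPolicy() {}

    /**
     * What the platform HTTP/FTP stacks consult. Before API 23 the attribute
     * does not exist, so the answer is "permitted", exactly as those stacks behave.
     */
    public static boolean isCleartextPermitted() {
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.M) {
            return NetworkSecurityPolicy.getInstance().isCleartextTrafficPermitted();
        }
        return true;
    }

    /** The same answer read back from the manifest flag via ApplicationInfo. */
    public static boolean manifestAllowsCleartext(Context context) {
        if (Build.VERSION.SDK_INT < Build.VERSION_CODES.M) {
            return true;
        }
        int flags = context.getApplicationInfo().flags;
        return (flags & ApplicationInfo.FLAG_USES_CLEARTEXT_TRAFFIC) != 0;
    }

    /**
     * Plain HTTP through the platform stack. With the flag set to false this
     * does not crash by itself: getResponseCode() throws an IOException
     * ("Cleartext HTTP traffic to ... not permitted") that the caller must handle.
     */
    public static int fetchStatus(String url) throws IOException {
        HttpURLConnection conn = (HttpURLConnection) new URL(url).openConnection();
        try {
            return conn.getResponseCode();
        } finally {
            conn.disconnect();
        }
    }

    /**
     * Raw sockets are outside the flag's reach, so a library has to apply the
     * rule itself: TLS by default, cleartext only when the policy permits it.
     */
    public static Socket openSocket(String host, int port, boolean tls) throws IOException {
        if (!tls) {
            if (!isCleartextPermitted()) {
                throw new IOException("Cleartext socket to " + host + ":" + port
                        + " refused: android:usesCleartextTraffic is false");
            }
            return new Socket(host, port);
        }
        SSLSocket socket = (SSLSocket) SSLSocketFactory.getDefault().createSocket(host, port);
        socket.startHandshake();
        // SSLSocket validates the certificate chain but does not check that the
        // certificate matches the host; HttpsURLConnection does that for you,
        // a raw TLS socket must do it explicitly.
        if (!HttpsURLConnection.getDefaultHostnameVerifier().verify(host, socket.getSession())) {
            socket.close();
            throw new SSLPeerUnverifiedException("Certificate does not match " + host);
        }
        return socket;
    }
}
```

The point of openSocket is the one the text makes: the platform can only refuse cleartext in the stacks it owns, so code that opens its own sockets has to consult the same policy and default to TLS, including the hostname check that a bare SSLSocket does not perform on its own.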
So, what do we do with the cleartext network traffic flag?
During app development, we can use StrictMode to identify any cleartext traffic from our app using
The downside of usesCleartextTraffic="false" is that any connection not using TLS (SSL, short for Secure Sockets Layer, is the older name) is refused: the platform stacks throw an IOException, which crashes the app only if it is left unhandled, and with StrictMode's death penalty enabled the process is terminated outright. This is great in theory but painful in production if your TLS certificate, for some reason, has issues and your app reroutes the traffic to HTTP, because that fallback is now refused as well. Fix the certificate rather than downgrading, and pay extra attention to where HTTPS is used in your app and where, if anywhere, plain HTTP is acceptable.
Luckily, StrictMode now has a way to warn you if your application performs any unencrypted network operation, via the detectCleartextNetwork() method on StrictMode.VmPolicy.Builder. In our sample project, we have a ClearTextNetworkUsageActivity activity; when running the TestStrictHttp productFlavor variant, you will see this in
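To make the StrictMode wiring concrete, here is an added example (not the book's sample project) of an Application subclass that enables cleartext detection only in debuggable builds and chooses the penalty by product flavor, so that the TestStrictHttp variant dies on the first cleartext request while ordinary debug builds only log it. BuildConfig.DEBUG and BuildConfig.FLAVOR are the fields Gradle generates for an app module; the class name StrictHttpApplication and the assumption that the flavor is declared as TestStrictHttp are mine.

```java
import android.app.Application;
import android.os.Build;
import android.os.StrictMode;

/**
 * Added example (not from the book): turn on cleartext detection in debug
 * builds and make the strict test flavor fail fast on any non-TLS traffic.
 * Register it in the manifest with android:name=".StrictHttpApplication";
 * BuildConfig is the Gradle-generated class in the app's own package.
 */
public class StrictHttpApplication extends Application {

    /** Gradle flavor name assumed to match the book's TestStrictHttp variant. */
    static final String STRICT_FLAVOR = "TestStrictHttp";

    @Override
    public void onCreate() {
        super.onCreate();
        // detectCleartextNetwork() exists from API 23; never ship a death penalty to users.
        if (BuildConfig.DEBUG && Build.VERSION.SDK_INT >= Build.VERSION_CODES.M) {
            StrictMode.setVmPolicy(buildVmPolicy(BuildConfig.FLAVOR));
        }
    }

    /**
     * Flags every network operation from this process that is not wrapped in
     * TLS. In the strict flavor the process is killed at the first offender,
     * so the stack trace in logcat points at the exact call site; in other
     * debug builds the violation is only logged.
     */
    static StrictMode.VmPolicy buildVmPolicy(String flavor) {
        StrictMode.VmPolicy.Builder builder = new StrictMode.VmPolicy.Builder()
                .detectCleartextNetwork();
        if (STRICT_FLAVOR.equals(flavor)) {
            builder.penaltyDeathOnCleartextNetwork();
        } else {
            builder.penaltyLog();
        }
        return builder.build();
    }
}
```

The logcat entry tagged StrictMode carries a stack trace, which is what locates the offending call. Keep this policy out of release builds: there, android:usesCleartextTraffic="false" is the enforcement mechanism, and StrictMode is only the development-time detector.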
Summary
Android Marshmallow gave us a new API to authenticate users with the Fingerprint API. We can use the sensor to authenticate the user, even within our own application, and we can spare users repeated logins by using the credentials grace-period capability that Android Marshmallow introduced.
We also covered how to make our application more secure by using HTTPS only: the usesCleartextTraffic flag, backed by a StrictMode policy, lets us find every endpoint the app connects to in the outside world and decide whether each one needs a secure connection.
I would like to thank you for reading.
I would like to thank the Android team. This product has changed my life.
The Android ecosystem has great developers contributing by publishing libraries, writing blog posts and answering support questions; I’m proud to be part of it.
Looking forward to future editions.