综合技术

Xamarin: Managing HTTP & Cleartext Traffic on Android with Network Security Configuration

微信扫一扫,分享到朋友圈

Xamarin: Managing HTTP & Cleartext Traffic on Android with Network Security Configuration
0

James

May 17th, 2019

Did you know that starting with Android 9 (API level 28) cleartext(non-HTTPS) support is disabled by default? It is always recommended to make connections over HTTPS to ensure that any web communication is secure. This policy may have an impact on your development cycle if your app needs to download an image or file on a server hasn’t been configured for HTTPS. Also, you may just be trying to debug your application locally and don’t want to install development certs. You may have strong business requirements that all web traffic on all versions of Android is always HTTPS. This is where the new Network Security Configuration feature of Android comes in, to help us finely tune network traffic security in our app.

When does Cleartext apply?

Cleartext is disabled by default on Android 9 (Pie, API 28) devices when your application is set to target and compile against Android 9. On the project’s properties you will find the SDK you are compiling against under Application:

Inside of your Android Manifest options you will find the Target Framework that can be set to Android 9:

Network Security Config

To configure security options, you will create a new xml file under Resources/xml named network_security_config.xml .

The following configuration will enable cleartext web traffic to be allowed in our app for specific domains and IP addresses:

 
<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
  <domain-config cleartextTrafficPermitted="true">
    <domain includeSubdomains="true">10.0.2.2</domain> <!-- Debug port -->
    <domain includeSubdomains="true">xamarin.com</domain>
  </domain-config>
</network-security-config>
 

You can strengthen the security of your app by also restricting cleartext traffic on all versions of Android regardless of the compile and target framework. This is accomplished by setting cleartextTrafficPermitted to false . Enabling this will restrict any traffic that is non-HTTPS at all times.

Configure Application Manifest

The last thing that needs to be done is to configure the networkSecurityConfig property on the application node in the Android Manifest:

 
<?xml version="1.0" encoding="utf-8"?>
<manifest>
    <application android:networkSecurityConfig="@xml/network_security_config">
        ...
    </application>
</manifest>
 

That’s it! Now the application is completely configured to allow or restrict cleartext during web requests.

阅读原文...


微信扫一扫,分享到朋友圈

Xamarin: Managing HTTP & Cleartext Traffic on Android with Network Security Configuration
0

Xamarin Blog

Slack patches vulnerability in Windows client that could be used to hijack files

上一篇

Raw WebAssembly

下一篇

评论已经被关闭。

插入图片

热门分类

往期推荐

Xamarin: Managing HTTP & Cleartext Traffic on Android with Network Security Configuration

长按储存图像,分享给朋友