Akylas / oss-weather

An OSS weather app for iOS/Android

cleartext traffic?

IzzySoft opened this issue · comments

commented

According to the AndroidManifest.xml in the APK, your app declares android:usesCleartextTraffic. Not sure what inserts that, as I cannot find it either in the AndroidManifest.xml here in the repo, nor in any other file here – so I don't think it is intentional. Could you please tell me what for it is enabled (if intentional and just missed by me) – or if not intended, trying to find out what adds this to your manifest?

Here's the relevant part shown e.g. using androguard axml *.apk on the APK of your latest release:

<manifest xmlns:android="http://schemas.android.com/apk/res/android" android:versionCode="81" android:versionName="1.8.0.81" android:compileSdkVersion="34" android:compileSdkVersionCodename="14" package="com.akylas.weather" platformBuildVersionCode="34" platformBuildVersionName="14">
  <uses-sdk android:minSdkVersion="21" android:targetSdkVersion="34"/>
  <supports-screens android:smallScreens="true" android:normalScreens="true" android:largeScreens="true" android:xlargeScreens="true"/>
  <permission android:name="com.akylas.weather.broadcast" android:protectionLevel="0x00000003"/>
  <uses-permission android:name="akylas.alpi.maps.broadcast"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE" android:maxSdkVersion="28"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" android:maxSdkVersion="28"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.INTERACT_ACROSS_USERS"/>
  <uses-feature android:name="android.hardware.location.gps"/>
  <permission android:name="com.akylas.weather.DYNAMIC_RECEIVER_NOT_EXPORTED_PERMISSION" android:protectionLevel="0x00000002"/>
  <uses-permission android:name="com.akylas.weather.DYNAMIC_RECEIVER_NOT_EXPORTED_PERMISSION"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <queries>
    <intent>
      <action android:name="android.support.customtabs.action.CustomTabsService"/>
    </intent>
  </queries>
  <application android:theme="@7F12000B" android:label="@7F110033" android:icon="@7F0E0000" android:name="com.tns.NativeScriptApplication" android:allowBackup="true" android:hardwareAccelerated="true" android:extractNativeLibs="true" android:usesCleartextTraffic="true" android:networkSecurityConfig="@7F140002" android:appComponentFactory="androidx.core.app.CoreComponentFactory" android:requestLegacyExternalStorage="true" android:localeConfig="@7F140000">

In the last line (the application tag) you can see: android:usesCleartextTraffic="true". By the other lines you see it's really about your app (e.g. package="com.akylas.weather", but also in some of the permissions). Might be introduced at build time by one of the libraries you include.

Thanks in advance!

@IzzySoft I think it was me who did that out of simplicity. It is done through android:networkSecurityConfig. Will fix it

commented

Thanks! If you do not need any non-SSL access (i.e. no http:// , just https://), it's better to remove it and thus make cleartext traffic unavailable. If there's a good reason (like a media player accessing local resources – or in your case, maybe communicating with local "Automation Servers" collecting weather information, as e.g. FHEM can do), that's of course something different – in that case I'd put the flag on allow for your app to get rid of the warnings (it's just warnings, no alerts).

@IzzySoft I just published a new version disabling clear traffic and only accepting hosts I use.
There was no good reason ;)

commented

I've just manually triggered an update – and must disappoint you:

com.akylas.weather: 1.8.0.81/android/github/1.8.2/83, https://github.com/Akylas/oss-weather/releases: https://github.com/Akylas/oss-weather/releases/download/android/github/1.8.2/83/app-arm64-v8a-release.apk
- Grabbing update for com.akylas.weather: OK
- Checking 'repo/com.akylas.weather_83.apk' for libraries and malware …
- Checking the app's AndroidManifest.xml …
! repo/com.akylas.weather_83.apk declares flags: usesCleartextTraffic

It's still there.

@IzzySoft sorry must have missed something :(

commented

Happens. Just let me know when I shall re-check.

@IzzySoft might have found the reason (dependency adding it). Could you trigger a check on the latest release I just made?
Thanks

commented

Done – and done 🤩 Thanks, that fixed it! Closing then.
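
Added example, not part of the thread or of the oss-weather project: a Python check that reads a decoded manifest (such as the androguard axml output quoted above) for the declared usesCleartextTraffic flag, then reads a network security config to list the hosts where cleartext is actually permitted. The sample manifest, config and host name are constructed; it assumes the config XML was extracted from the APK separately, and relies on the platform rule that on Android 7.0+ a present network security config takes precedence over the manifest flag.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace

# Constructed sample inputs (not taken from the app discussed above).
MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.weather">
  <uses-sdk android:minSdkVersion="21" android:targetSdkVersion="34"/>
  <application android:usesCleartextTraffic="true" android:networkSecurityConfig="@xml/nsc"/>
</manifest>"""
NSC = """<network-security-config>
  <base-config cleartextTrafficPermitted="false"/>
  <domain-config cleartextTrafficPermitted="true">
    <domain includeSubdomains="true">station.example.lan</domain>
  </domain-config>
</network-security-config>"""

def manifest_flags(manifest_xml):
    """Return (targetSdk, declared usesCleartextTraffic or None, networkSecurityConfig ref or None)."""
    root = ET.fromstring(manifest_xml)
    sdk, app = root.find("uses-sdk"), root.find("application")
    target = int(sdk.get(A + "targetSdkVersion", "1")) if sdk is not None else 1
    return target, app.get(A + "usesCleartextTraffic"), app.get(A + "networkSecurityConfig")

def nsc_cleartext_hosts(nsc_xml, target_sdk):
    """Hosts for which the network security config permits cleartext ('*' = every host)."""
    root = ET.fromstring(nsc_xml)
    base = root.find("base-config")
    attr = base.get("cleartextTrafficPermitted") if base is not None else None
    base_ok = (attr == "true") if attr is not None else target_sdk < 28  # platform default
    hosts = ["*"] if base_ok else []
    def walk(node, inherited):
        for dc in node.findall("domain-config"):
            val = dc.get("cleartextTrafficPermitted")
            ok = inherited if val is None else val == "true"  # nested configs inherit
            if ok:
                hosts.extend((d.text or "").strip() for d in dc.findall("domain"))
            walk(dc, ok)
    walk(root, base_ok)
    return hosts

def audit(manifest_xml, nsc_xml=None):
    """Report the declared flag (what a manifest scanner sees) and where cleartext is allowed."""
    target, declared, nsc_ref = manifest_flags(manifest_xml)
    if nsc_ref and nsc_xml:  # API 24+: the config file overrides the manifest flag
        hosts = nsc_cleartext_hosts(nsc_xml, target)
    else:
        flag_on = (declared == "true") if declared is not None else target < 28
        hosts = ["*"] if flag_on else []
    return {"declared_flag": declared, "cleartext_hosts": hosts}

if __name__ == "__main__":
    print(audit(MANIFEST, NSC))
```

A manifest scanner still reports the declared flag in this sample even though the config restricts cleartext to one host, which is why removing the attribute (or the dependency that merges it in) is what clears the warning.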