cleartext traffic?
IzzySoft opened this issue
According to the AndroidManifest.xml in the APK, your app declares android:usesCleartextTraffic. Not sure what inserts that, as I cannot find it either in the AndroidManifest.xml here in the repo, nor in any other file here – so I don't think it is intentional. Could you please tell me what for it is enabled (if intentional and just missed by me) – or if not intended, trying to find out what adds this to your manifest?
Here's the relevant part shown e.g. using androguard axml *.apk on the APK of your latest release:
<manifest xmlns:android="http://schemas.android.com/apk/res/android" android:versionCode="81" android:versionName="1.8.0.81" android:compileSdkVersion="34" android:compileSdkVersionCodename="14" package="com.akylas.weather" platformBuildVersionCode="34" platformBuildVersionName="14">
<uses-sdk android:minSdkVersion="21" android:targetSdkVersion="34"/>
<supports-screens android:smallScreens="true" android:normalScreens="true" android:largeScreens="true" android:xlargeScreens="true"/>
<permission android:name="com.akylas.weather.broadcast" android:protectionLevel="0x00000003"/>
<uses-permission android:name="akylas.alpi.maps.broadcast"/>
<uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE" android:maxSdkVersion="28"/>
<uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" android:maxSdkVersion="28"/>
<uses-permission android:name="android.permission.INTERNET"/>
<uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
<uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
<uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
<uses-permission android:name="android.permission.INTERACT_ACROSS_USERS"/>
<uses-feature android:name="android.hardware.location.gps"/>
<permission android:name="com.akylas.weather.DYNAMIC_RECEIVER_NOT_EXPORTED_PERMISSION" android:protectionLevel="0x00000002"/>
<uses-permission android:name="com.akylas.weather.DYNAMIC_RECEIVER_NOT_EXPORTED_PERMISSION"/>
<uses-permission android:name="android.permission.READ_PHONE_STATE"/>
<queries>
<intent>
<action android:name="android.support.customtabs.action.CustomTabsService"/>
</intent>
</queries>
<application android:theme="@7F12000B" android:label="@7F110033" android:icon="@7F0E0000" android:name="com.tns.NativeScriptApplication" android:allowBackup="true" android:hardwareAccelerated="true" android:extractNativeLibs="true" android:usesCleartextTraffic="true" android:networkSecurityConfig="@7F140002" android:appComponentFactory="androidx.core.app.CoreComponentFactory" android:requestLegacyExternalStorage="true" android:localeConfig="@7F140000">
In the last line (the application tag) you can see: android:usesCleartextTraffic="true". By the other lines you see it's really about your app (e.g. package="com.akylas.weather", but also in some of the permissions). Might be introduced at build time by one of the libraries you include.
Thanks in advance!
@IzzySoft I think it was me who did that out of simplicity. It is done through android:networkSecurityConfig. Will fix it
Thanks! If you do not need any non-SSL access (i.e. no http://, just https://), it's better to remove it and thus make cleartext traffic unavailable. If there's a good reason (like a media player accessing local resources – or in your case, maybe communicating with local "Automation Servers" collecting weather information, as e.g. FHEM can do), that's of course something different – in that case I'd put the flag on allow for your app to get rid of the warnings (it's just warnings, no alerts).
@IzzySoft I just published a new version disabling clear traffic and only accepting hosts I use.
There was no good reason ;)
I've just manually triggered an update – and must disappoint you:
com.akylas.weather: 1.8.0.81/android/github/1.8.2/83, https://github.com/Akylas/oss-weather/releases: https://github.com/Akylas/oss-weather/releases/download/android/github/1.8.2/83/app-arm64-v8a-release.apk
- Grabbing update for com.akylas.weather: OK
- Checking 'repo/com.akylas.weather_83.apk' for libraries and malware …
- Checking the app's AndroidManifest.xml …
! repo/com.akylas.weather_83.apk declares flags: usesCleartextTraffic
It's still there.
@IzzySoft sorry must have missed something :(
Happens. Just let me know when I shall re-check.
@IzzySoft might have found the reason (dependency adding it). Could you trigger a check on the latest release I just made?
Thanks
Done – and done 🤩 Thanks, that fixed it! Closing then.
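Added example, not part of the original thread or the project's code: a Python check over a decoded manifest (as printed by androguard axml) and, optionally, the network security config it references, reporting the flag discussed in this issue. The function names, the sample XML and the host name are constructed for illustration.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: namespace

def manifest_flags(manifest_xml):
    """Cleartext-related attributes of a decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    app, sdk = root.find("application"), root.find("uses-sdk")
    return {
        "min_sdk": int(sdk.get(A + "minSdkVersion")),
        "target_sdk": int(sdk.get(A + "targetSdkVersion")),
        "cleartext": app.get(A + "usesCleartextTraffic"),  # None when absent
        "has_nsc": app.get(A + "networkSecurityConfig") is not None,
    }

def nsc_cleartext(nsc_xml, target_sdk):
    """(base policy, cleartext hosts); nested domain-config inheritance is not resolved."""
    root = ET.fromstring(nsc_xml)
    base = root.find("base-config")
    attr = None if base is None else base.get("cleartextTrafficPermitted")
    # Without an explicit value, cleartext defaults to allowed only for targetSdk <= 27.
    base_ok = (target_sdk <= 27) if attr is None else attr == "true"
    hosts = [d.text.strip() for dc in root.iter("domain-config")
             if dc.get("cleartextTrafficPermitted") == "true"
             for d in dc.findall("domain")]
    return base_ok, hosts

def findings(manifest_xml, nsc_xml=None):
    f, out = manifest_flags(manifest_xml), []
    if f["cleartext"] == "true":
        out.append("manifest declares usesCleartextTraffic")
        if f["has_nsc"] and f["min_sdk"] < 24:
            # API 24+ ignores the flag when a network security config exists;
            # older devices still covered by minSdkVersion honour it.
            out.append("flag applies on API %d-23" % f["min_sdk"])
    if nsc_xml is not None:
        base_ok, hosts = nsc_cleartext(nsc_xml, f["target_sdk"])
        if base_ok:
            out.append("network security config permits cleartext by default")
        out += ["cleartext allowed for host " + h for h in hosts]
    return out

# Constructed samples modelled on the excerpt in the issue (not the real files).
MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.app">
<uses-sdk android:minSdkVersion="21" android:targetSdkVersion="34"/>
<application android:usesCleartextTraffic="true" android:networkSecurityConfig="@7F140002"/>
</manifest>"""
NSC = """<network-security-config><base-config cleartextTrafficPermitted="false"/>
<domain-config cleartextTrafficPermitted="true"><domain>sensor.example.lan</domain></domain-config>
</network-security-config>"""
```

Run it against the merged manifest from the built APK, not the one in the source tree, since a dependency can add the attribute during the build.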