Analysis and Solutions for ERR_CLEARTEXT_NOT_PERMITTED in Android WebView

Nov 20, 2025 · Programming

Keywords: Android WebView | ERR_CLEARTEXT_NOT_PERMITTED | Cleartext Traffic

Abstract: This article provides an in-depth analysis of the ERR_CLEARTEXT_NOT_PERMITTED error in Android WebView, focusing on security restrictions for cleartext traffic in Android 9.0 and above. It presents two main solutions through AndroidManifest.xml configuration and network security configuration files, with practical examples of HTTPS downgrade due to redirection.

Problem Background and Error Analysis

In Android application development, the WebView component serves as a crucial tool for embedding web content. With continuous improvements in Android system security, starting from Android 9.0 (API level 28), the system defaults to prohibiting applications from using unencrypted HTTP connections, known as cleartext traffic. This security policy aims to protect user data from man-in-the-middle attacks.

The ERR_CLEARTEXT_NOT_PERMITTED error is a direct manifestation of this security policy. When WebView attempts to load HTTP resources, the system throws this error to prevent potential network security risks. It's important to note that even when developers explicitly specify HTTPS URLs, certain server-side redirection mechanisms may still downgrade requests to HTTP, thereby triggering this error.

Core Solutions

To address the ERR_CLEARTEXT_NOT_PERMITTED error, developers can modify application configuration to permit cleartext traffic. The main solutions include the following two approaches:

Method 1: Modify AndroidManifest.xml

In the application's AndroidManifest.xml file, add the android:usesCleartextTraffic="true" attribute to the <application> tag:

<application
    android:allowBackup="true"
    android:icon="@mipmap/ic_launcher"
    android:label="@string/app_name"
    android:usesCleartextTraffic="true"
    android:theme="@style/AppTheme">
    ...
</application>

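This configuration explicitly informs the system to allow the application to use unencrypted HTTP connections, thereby resolving restrictions when WebView loads HTTP resources. The attribute applies to every host the application contacts, and on Android 7.0 (API level 24) and above it is ignored when a network security configuration is present, which is why Method 2 must be used in that case.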

Method 2: Configure Network Security Policy

If the application already uses a network security configuration file (specified via the android:networkSecurityConfig attribute), cleartext traffic should be enabled in this configuration file:

<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <domain-config cleartextTrafficPermitted="true">
        <domain includeSubdomains="true">example.com</domain>
    </domain-config>
    
    <base-config cleartextTrafficPermitted="false"/>
</network-security-config>

This configuration approach provides more granular control, allowing cleartext traffic for specific domains while maintaining security restrictions for others.

Practical Case Analysis

In actual development practice, a common misconception is that using HTTPS URLs alone can avoid the ERR_CLEARTEXT_NOT_PERMITTED error. However, server-side redirection behavior may cause unexpected issues.

Consider the following scenario: A developer calls webView.loadUrl("https://darkorbit.com/"), but the server detects the missing "www" prefix and returns a 302 redirect to http://www.darkorbit.com. Since this is an HTTP connection, WebView refuses to load and throws the ERR_CLEARTEXT_NOT_PERMITTED error.
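As an added example (not code from the original article), the following Python script models how the documented cleartext policy resolves for each hop of a redirect chain, using the Method 2 configuration and the redirect scenario above. The function names and the target_sdk parameter are assumptions of this example; it evaluates only the cleartext decision, not certificates or pins.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample: the network security configuration shown under Method 2.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <domain-config cleartextTrafficPermitted="true">
        <domain includeSubdomains="true">example.com</domain>
    </domain-config>
    <base-config cleartextTrafficPermitted="false"/>
</network-security-config>"""

def _flag(elem, inherited):
    """Return the element's cleartextTrafficPermitted value, or the inherited one."""
    value = None if elem is None else elem.get("cleartextTrafficPermitted")
    return inherited if value is None else value.lower() == "true"

def load_rules(xml_text, target_sdk=28):
    """Parse the config into (base_permitted, [(domain, include_subdomains, permitted)])."""
    root = ET.fromstring(xml_text)
    # Platform default when base-config is silent: blocked for targetSdkVersion >= 28.
    base_permitted = _flag(root.find("base-config"), target_sdk < 28)
    rules = []
    def walk(parent, inherited):
        for cfg in parent.findall("domain-config"):
            permitted = _flag(cfg, inherited)
            for dom in cfg.findall("domain"):
                subs = dom.get("includeSubdomains", "false").lower() == "true"
                rules.append((dom.text.strip().lower(), subs, permitted))
            walk(cfg, permitted)  # a nested domain-config inherits from its parent
    walk(root, base_permitted)
    return base_permitted, rules

def cleartext_permitted(host, base_permitted, rules):
    """The longest matching domain rule wins; otherwise base-config applies."""
    host = host.lower().rstrip(".")
    matches = [(len(d), p) for d, subs, p in rules
               if host == d or (subs and host.endswith("." + d))]
    return max(matches, key=lambda m: m[0])[1] if matches else base_permitted

def first_blocked_hop(chain, xml_text, target_sdk=28):
    """Return the first URL in a redirect chain the policy blocks as cleartext, or None."""
    base_permitted, rules = load_rules(xml_text, target_sdk)
    for url in chain:
        parts = urlsplit(url)
        if parts.scheme == "http" and not cleartext_permitted(parts.hostname or "", base_permitted, rules):
            return url
    return None
```

Running first_blocked_hop over the redirect chains recorded from a test crawl shows which hop needs an HTTPS fix on the server before any cleartext exception is considered.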

Solutions include:

Security Considerations and Best Practices

While allowing cleartext traffic can solve immediate development problems, developers should fully recognize the associated security risks. HTTP connections lack encryption protection, making data transmission vulnerable to eavesdropping or tampering.

Recommended best practices include:

Compatibility Considerations

It's important to note that cleartext traffic restrictions primarily affect Android 9.0 and above. For applications requiring support for older Android versions, developers should conduct thorough compatibility testing to ensure proper functionality across different system versions.

Through proper configuration and careful security policies, developers can maximize user data protection while ensuring application functionality.

Copyright Notice: All rights in this article are reserved by the operators of DevGex. Reasonable sharing and citation are welcome; any reproduction, excerpting, or re-publication without prior permission is prohibited.