Keywords: Android 9 Pie | Network Security Configuration | HTTP Connections | HTTPS Connections | Network Permissions
Abstract: This article explores how to configure network connections in Android 9 Pie to support both HTTP and HTTPS protocols. It begins by describing the default network security settings introduced in Android 9, then presents two main solutions: quickly enabling cleartext traffic via the usesCleartextTraffic attribute in AndroidManifest.xml, and using networkSecurityConfig for more granular domain-level control. Each method includes complete code examples and configuration instructions, helping developers choose appropriate security strategies based on specific requirements.
Background of Network Security in Android 9 Pie
Starting with Android 9 Pie, the system defaults to requiring all network communications to use encrypted connections. This change means that unencrypted HTTP requests will not work, as the system expects developers to use the TLS (Transport Layer Security) protocol by default. This security enhancement aims to protect user data from man-in-the-middle attacks, but applications that need to access multiple sources (such as browser-like apps) may need to support both HTTP and HTTPS connections.
Quickly Enabling Cleartext Traffic
The simplest approach is to set the usesCleartextTraffic attribute directly in the AndroidManifest.xml file. This attribute allows the application to send and receive unencrypted HTTP traffic.
<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.app">
    <application
        android:allowBackup="true"
        android:icon="@mipmap/ic_launcher"
        android:label="@string/app_name"
        android:usesCleartextTraffic="true"
        android:theme="@style/AppTheme">
        <!-- Other application components -->
    </application>
</manifest>
Setting android:usesCleartextTraffic to true lets the application handle all types of network connections, including unencrypted HTTP requests to any host. This method suits scenarios that require completely open network access.
Advanced Network Security Configuration
For applications requiring more granular control, Android provides network security configuration functionality. This approach allows developers to set different security policies for specific domains or connection types.
First, specify the network security configuration file in AndroidManifest.xml:
<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.app">
    <application
        android:allowBackup="true"
        android:icon="@mipmap/ic_launcher"
        android:label="@string/app_name"
        android:networkSecurityConfig="@xml/network_security_config"
        android:theme="@style/AppTheme">
        <!-- Other application components -->
    </application>
</manifest>
Next, create the network_security_config.xml file in the res/xml directory:
<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config cleartextTrafficPermitted="true">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>
</network-security-config>
In this configuration:
- cleartextTrafficPermitted="true" allows the application to send and receive unencrypted HTTP traffic
- The trust-anchors element specifies trusted certificate sources, with src="system" indicating the use of system-preinstalled certificates
- base-config serves as the base configuration, applying to all network connections
Domain-Level Security Control
Network security configuration also supports more granular control. For example, cleartext traffic can be enabled only for specific domains:
<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <domain-config cleartextTrafficPermitted="true">
        <domain includeSubdomains="true">example.com</domain>
        <domain includeSubdomains="true">test.org</domain>
    </domain-config>
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>
</network-security-config>
This configuration:
- Allows HTTP connections for example.com and test.org and their subdomains
- Still enforces HTTPS encrypted connections for all other domains
- includeSubdomains="true" ensures subdomains follow the same security policy
Security Considerations and Best Practices
While enabling cleartext traffic can resolve compatibility issues, developers should use this functionality cautiously. Unencrypted HTTP connections are vulnerable to data eavesdropping and tampering attacks. Whenever possible, prioritize upgrading services to HTTPS.
Recommended development strategies:
- Use network security configuration for testing during development
- Limit the scope of cleartext traffic usage in production environments
- Regularly review network security configurations to ensure sensitive data isn't accidentally exposed
- Consider using HTTPS redirects or mixed content upgrade strategies
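To support the configuration review recommended above, the following added example (not code from the original article) parses a network_security_config.xml and reports where cleartext is permitted and what the effective policy is for a given host. It is a simplified model of the documented resolution rule (the longest matching domain rule wins, otherwise base-config applies) and also handles nested domain-config elements, which the article does not show; the function names and the `target_sdk` parameter are assumptions, and the manifest's usesCleartextTraffic attribute is not inspected.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the article's domain-level configuration (trust-anchors omitted).
SAMPLE_CONFIG = """<network-security-config>
    <domain-config cleartextTrafficPermitted="true">
        <domain includeSubdomains="true">example.com</domain>
        <domain includeSubdomains="true">test.org</domain>
    </domain-config>
    <base-config cleartextTrafficPermitted="false" />
</network-security-config>"""


def _flag(elem, inherited):
    """Read cleartextTrafficPermitted, falling back to the inherited value."""
    value = None if elem is None else elem.get("cleartextTrafficPermitted")
    return inherited if value is None else value.strip().lower() == "true"


def _rules(parent, inherited):
    """Yield (domain, include_subdomains, permitted) for each domain-config, nested ones too."""
    for cfg in parent.findall("domain-config"):
        permitted = _flag(cfg, inherited)
        for dom in cfg.findall("domain"):
            subs = dom.get("includeSubdomains", "false").lower() == "true"
            yield (dom.text or "").strip().lower(), subs, permitted
        yield from _rules(cfg, permitted)  # nested configs inherit from their parent


def parse_policy(config_xml, target_sdk=28):
    """Return (base_permitted, [(domain, include_subdomains, permitted), ...])."""
    root = ET.fromstring(config_xml)
    # With no declared value, cleartext is blocked by default when targeting API 28+.
    base = _flag(root.find("base-config"), target_sdk < 28)
    return base, list(_rules(root, base))


def cleartext_permitted(policy, host):
    """Effective policy for host: longest matching domain rule wins, else base-config."""
    base, rules = policy
    host = host.lower().rstrip(".")
    hits = [(len(d), ok) for d, subs, ok in rules
            if host == d or (subs and host.endswith("." + d))]
    return max(hits, key=lambda h: h[0])[1] if hits else base


def cleartext_scope(policy):
    """Everything a reviewer must justify; '*' means cleartext is allowed app-wide."""
    base, rules = policy
    return (["*"] if base else []) + [f"{d} (+subdomains)" if s else d for d, s, ok in rules if ok]
```

A result of `["*"]` from `cleartext_scope` corresponds to the article's base-config example with cleartextTrafficPermitted="true", which opens HTTP to every destination.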
Compatibility Considerations
The network security configuration feature was introduced starting from Android 7.0 (API level 24). In versions prior to Android 9 Pie, the system defaulted to allowing cleartext traffic. Therefore, these configurations primarily affect devices running Android 9 and later.
For applications needing to support multiple Android versions, it's recommended to:
- Use network security configuration on Android 9+ devices
- Maintain existing configurations on older Android versions
- Use conditional code or resource qualifiers to handle version differences
Debugging and Testing
After implementing network connection configurations, thorough testing is recommended:
- Use Android Studio's network analysis tools to monitor connections
- Test connection stability across different network environments
- Verify that security policies work as expected
- Check for unexpected security warnings or errors
Through proper configuration and adequate testing, developers can provide flexible network connection support for applications while maintaining security.