name: "usesCleartextTraffic, cleartextTrafficPermitted is set to \"true\""
about: Source Code in Git Repo
labels: bug
Describe the bug
As per the Android documentation for "android:usesCleartextTraffic":
Indicates whether the app intends to use cleartext network traffic, such as cleartext HTTP.
When the attribute is set to "false", platform components (for example, HTTP and FTP stacks, DownloadManager, and MediaPlayer) will refuse the app's requests to use cleartext traffic.
Third-party libraries are strongly encouraged to honor this setting as well.
The key reason for avoiding cleartext traffic is the lack of confidentiality, authenticity, and protection against tampering; a network attacker can eavesdrop on transmitted data and also modify it without being detected.
Since usesCleartextTraffic is set to true in the manifest, the app violates the principle above.
```xml
<application
    android:name="de.rki.coronawarnapp.ExposureNotificationAppApplication"
    android:allowBackup="false"
    android:icon="@drawable/ic_app_launch_icon"
    android:label="@string/app_name"
    android:networkSecurityConfig="@xml/network_security_config"
    android:roundIcon="@drawable/ic_app_launch_icon"
    android:supportsRtl="true"
    android:theme="@style/AppTheme"
    android:usesCleartextTraffic="true">
    <!-- activities, services, etc. omitted from this excerpt -->
</application>
```
Similarly, cleartextTrafficPermitted in the network security config is set to true.
```xml
<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <domain-config cleartextTrafficPermitted="true">
        <domain includeSubdomains="true">distribution-mock-cwa-server.apps.p006.otc.mcs-paas.io
        </domain>
        <domain includeSubdomains="true">submission-cwa-server.apps.p006.otc.mcs-paas.io</domain>
    </domain-config>
</network-security-config>
```
Expected behaviour
Steps to reproduce the issue
Location of the code using usesCleartextTraffic
https://github.com/corona-warn-app/cwa-app-android/blob/master/Corona-Warn-App/src/main/AndroidManifest.xml
Location of the code using cleartextTrafficPermitted
https://github.com/corona-warn-app/cwa-app-android/blob/master/Corona-Warn-App/src/main/res/xml/network_security_config.xml
Technical details
- Host Machine OS (Windows/Linux/Mac): Android
Possible Fix
It is advised to set both values to false instead of true:
android:usesCleartextTraffic="false", cleartextTrafficPermitted="false"
An example from the Android documentation:
For example, an app may want to ensure that all connections to secure.example.com are always done over HTTPS to protect sensitive traffic from hostile networks.
```xml
<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <domain-config cleartextTrafficPermitted="false">
        <domain includeSubdomains="true">secure.example.com</domain>
    </domain-config>
</network-security-config>
```
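As an added check (not part of this issue or of the cwa-app-android project), the script below parses a manifest and a network security config and reports which hosts end up with cleartext permitted, including inheritance from base-config and nested domain-config elements; the sample XML strings are constructed to mirror the two snippets quoted above, and the `platform_default` parameter is an assumption standing in for the targetSdk-dependent default.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed samples mirroring the snippets quoted in this issue (not the repo files).
MANIFEST_XML = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="example.app">
  <application android:networkSecurityConfig="@xml/network_security_config"
               android:usesCleartextTraffic="true"/>
</manifest>"""

NSC_XML = """<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
  <domain-config cleartextTrafficPermitted="true">
    <domain includeSubdomains="true">distribution-mock-cwa-server.apps.p006.otc.mcs-paas.io
    </domain>
    <domain includeSubdomains="true">submission-cwa-server.apps.p006.otc.mcs-paas.io</domain>
  </domain-config>
</network-security-config>"""


def manifest_allows_cleartext(manifest_xml):
    """True when <application> explicitly sets android:usesCleartextTraffic="true".
    On Android 7.0+ this flag is ignored once a network security config is present,
    so the config file is the setting that actually decides."""
    app = ET.fromstring(manifest_xml).find("application")
    return app is not None and app.get(ANDROID_NS + "usesCleartextTraffic") == "true"


def _collect(cfg, inherited, out):
    # A <domain-config> without the attribute inherits the value of its parent.
    attr = cfg.get("cleartextTrafficPermitted")
    permitted = inherited if attr is None else attr == "true"
    if permitted:
        out.extend(d.text.strip() for d in cfg.findall("domain") if d.text)
    for child in cfg.findall("domain-config"):
        _collect(child, permitted, out)


def cleartext_domains(nsc_xml, platform_default=False):
    """Hosts for which the config permits cleartext. platform_default (assumed
    parameter) is the <base-config> fallback: True below targetSdk 28, False from 28 on."""
    root = ET.fromstring(nsc_xml)
    base = root.find("base-config")
    base_attr = base.get("cleartextTrafficPermitted") if base is not None else None
    base_permitted = platform_default if base_attr is None else base_attr == "true"
    out = ["*"] if base_permitted else []  # "*": every host not matched by a domain-config
    for cfg in root.findall("domain-config"):
        _collect(cfg, base_permitted, out)
    return out


if __name__ == "__main__":
    print("manifest sets usesCleartextTraffic=true:", manifest_allows_cleartext(MANIFEST_XML))
    print("cleartext permitted for:", cleartext_domains(NSC_XML))
```

Running it against the real files is a matter of reading them from the paths linked above and passing their contents in place of the constructed strings.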
Additional context