Cleartext is information that is sent or stored without encryption. When an app communicates with servers over cleartext network traffic, such as HTTP, the content is exposed to eavesdropping and tampering. Opening a URL inside an Android application uses the Android WebView, and for some URLs you may encounter the ERR_CLEARTEXT_NOT_PERMITTED error.

How to Fix Android Application Code

If you are an application developer facing this issue, you can fix it by adding the android:usesCleartextTraffic="true" flag to the application block of the AndroidManifest.xml file.

Open the Android manifest file (android/app/src/main/AndroidManifest.xml) and add the following to the application tag:
android:usesCleartextTraffic="true"

Find an example below to add the flag correctly.

Before Code

<application
        android:name="io.flutter.app.Test"
        android:label="ginger_ui"
        android:icon="@mipmap/ic_launcher">

After Code (the addition is the last attribute)

<application
        android:name="io.flutter.app.Test"
        android:label="ginger_ui"
        android:icon="@mipmap/ic_launcher"
        android:usesCleartextTraffic="true">

With this change the app accepts non-HTTPS traffic and the net::ERR_CLEARTEXT_NOT_PERMITTED error goes away. The flag applies to the whole application, so at the end of the day it is better to use secure network traffic rather than cleartext.

Error OverView: android webview showing net::ERR_CLEARTEXT_NOT_PERMITTED
Network security configuration to allow all Network connection types HTTP and HTTPS in Android (9) Pie
Allowing cleartext traffic to all domains as above: Google Play release APK will show Security -> 1 known vulnerability detected in APK 51
Network security configuration allows an app to permit cleartext traffic from certain domains.
Gain More Understanding on Domain and Sub-Domain

How to Fix Cleartext Traffic Error in Android 9 Pie?

Android Webview showing net::ERR_CLEARTEXT_NOT_PERMITTED: 

Webpage not available

The webpage at http://geekscompete.blogspot.com/2019/04/ugc-net-cs-2018-julpii-question-87.html could not be loaded because:

net::ERR_CLEARTEXT_NOT_PERMITTED

How to fix net::err_cleartext_not_permitted Error in Android 9 Pie Webview?

To allow all network connection types (HTTP and HTTPS) in Android 9 Pie, follow the two steps below to fix the cleartext traffic error:

Create a new file in your res/xml folder named network_security_config.xml, matching the name you reference in AndroidManifest.xml.
Set android:networkSecurityConfig="@xml/network_security_config" in the application tag of your AndroidManifest.xml. This declaration in your Android application will allow cleartext traffic for all network connection types in Android 9 Pie.

Step 1. Create a new file res/xml/network_security_config.xml with the following content to allow all WebView URL requests without encryption:

Code for network_security_config.xml:

<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config cleartextTrafficPermitted="true">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>
</network-security-config>

Step 2. Add the network security config created above to your Android manifest file under the application tag.

Code for AndroidManifest.xml:

<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.yourappname">
    <uses-permission android:name="android.permission.INTERNET" />
    <application
        android:name=".MainApplication"
        android:icon="@mipmap/ic_launcher"
        android:label="@string/app_name"
        android:largeHeap="true"
        android:allowBackup="false"
        android:supportsRtl="true"
        android:networkSecurityConfig="@xml/network_security_config"
        android:theme="@style/AppTheme">
    </application>
</manifest>

2.2 Security -> 1 known vulnerability detected in APK 51

You may also see the warning message below in the Google Play Console for your released APKs if you have allowed cleartext traffic for all network traffic as suggested in step 2.1 of this article.

Cleartext traffic allowed for all domains. Detected in APK 48, 49, 50, 51

Your app’s Network Security Configuration allows cleartext traffic for all domains. This could allow eavesdroppers to intercept data sent by your app. If that data is sensitive or user-identifiable it could impact the privacy of your users.

Consider only permitting encrypted traffic by setting the cleartextTrafficPermitted flag to false, or adding an encrypted policy for specific domains. 

2.3 Network security configuration – allows an app to permit cleartext traffic to/from a specific domain/s

If you have a limited number of specific domains for which you want to allow cleartext traffic, use the content below for your res/xml/network_security_config.xml file, with your domains specified:

Code for network_security_config.xml:

<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <domain-config cleartextTrafficPermitted="true">
        <domain includeSubdomains="true">geekscompete.com</domain>
        <domain includeSubdomains="true">geekscompete.blogspot.com</domain>
    </domain-config>
</network-security-config>

Understanding on domain and subdomain:

Let’s say your main domain is as below:

geekscompete.com

For example, you could create a subdomain for gallery pictures on your site called “gallery” that is accessible through the URL gallery.geekscompete.com in addition to www.geekscompete.com/gallery.

You can also set up an even more specific area of interest on your site with a new subdomain like the one below:

info.blog.geekscompete.com

Examples of subdomains for the above domain are:

www.geekscompete.com

blog.geekscompete.com

info.blog.geekscompete.com

gallery.geekscompete.com

More about Network security configuration

<network-security-config> can contain the following tags:

0 or 1 of <base-config>

Any number of <domain-config>

0 or 1 of <debug-overrides>

These tags mean:

<base-config> is the default configuration set for all network connections whose destination is not covered by a <domain-config>.

<domain-config> is configuration to be used for network connections to specified destinations, as defined by the domain elements.

Any values that are not set in <base-config> will use the platform default values.

The default configuration for applications that target Android 9 Pie (API level 28) and higher is as follows:

<base-config cleartextTrafficPermitted="false">
    <trust-anchors>
        <certificates src="system" />
    </trust-anchors>
</base-config>

The default configuration for applications that target Android 7.0 Nougat (API level 24) to Android 8.1 Oreo (API level 27) is as follows:

<base-config cleartextTrafficPermitted="true">
    <trust-anchors>
        <certificates src="system" />
    </trust-anchors>
</base-config>

The default configuration for applications that target Android 6.0 Marshmallow (API level 23) and lower is as follows:

<base-config cleartextTrafficPermitted="true">
    <trust-anchors>
        <certificates src="system" />
        <certificates src="user" />
    </trust-anchors>
</base-config>
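The lookup rules described above, as an added example that is not part of the original article: the Python below resolves whether cleartext is permitted for a given host under a network_security_config.xml and a target API level, which is useful as a build-time check of what a config really allows. The function names and the sample config are constructed for illustration; the longest-matching-domain rule and the inheritance of nested domain-config values are taken from the Android documentation, not from this page.

```python
import xml.etree.ElementTree as ET

# Constructed sample based on the article's per-domain config; the second
# <domain> is switched to exact-match only to show the difference.
SAMPLE_CONFIG = """<network-security-config>
    <domain-config cleartextTrafficPermitted="true">
        <domain includeSubdomains="true">geekscompete.com</domain>
        <domain includeSubdomains="false">geekscompete.blogspot.com</domain>
    </domain-config>
</network-security-config>"""

def _flag(elem, inherited):
    """cleartextTrafficPermitted of elem, or the inherited value when unset."""
    value = elem.get("cleartextTrafficPermitted") if elem is not None else None
    return inherited if value is None else value.strip().lower() == "true"

def _rules(parent, inherited):
    """Yield (domain, include_subdomains, permitted), nested configs included."""
    for cfg in parent.findall("domain-config"):
        permitted = _flag(cfg, inherited)
        for dom in cfg.findall("domain"):
            subs = dom.get("includeSubdomains", "false").strip().lower() == "true"
            yield (dom.text or "").strip().lower(), subs, permitted
        yield from _rules(cfg, permitted)  # children inherit from the parent

def cleartext_permitted(config_xml, host, target_sdk):
    """Effective cleartext policy for host under this config and target API level."""
    root = ET.fromstring(config_xml)
    # Platform default from the article: true up to API 27, false from API 28.
    base = _flag(root.find("base-config"), target_sdk < 28)
    host = host.lower().rstrip(".")
    best = None  # (length of matching domain, permitted)
    for name, subs, permitted in _rules(root, base):
        matches = host == name or (subs and host.endswith("." + name))
        if matches and (best is None or len(name) > best[0]):
            best = (len(name), permitted)  # the longest matching rule wins
    return base if best is None else best[1]

if __name__ == "__main__":
    for h in ("info.blog.geekscompete.com", "x.geekscompete.blogspot.com",
              "notgeekscompete.com", "example.org"):
        print(h, {sdk: cleartext_permitted(SAMPLE_CONFIG, h, sdk) for sdk in (27, 28)})
```

Hosts that no domain rule covers fall back to the base-config, so the same file yields a different answer when the target API level moves from 27 to 28.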

There is a simple solution to the err_cleartext_not_permitted error: don't use insecure URLs. It is recommended to force HTTPS on your websites and remove all insecure (non-HTTPS) URLs from the application. You will find the subsequent guides helpful in forcing HTTPS on your websites.

Conclusion

Developers should use only HTTPS, because cleartext traffic makes it possible for third parties to intercept user data. Cleartext support is disabled by default beginning with Android 9.0 (API level 28). For security reasons, a URL without HTTPS will throw the err_cleartext_not_permitted error whenever an application loads it within the Android WebView. We hope the guides above help you fix the err_cleartext_not_permitted error for insecure URLs.