0

I want my Flutter Android app to reject all clear‑text HTTP traffic (i.e. only allow HTTPS).

AndroidManifest.xml

xml

<application
  …
  android:usesCleartextTraffic="false"
  android:networkSecurityConfig="@xml/network_security_config">
  …
</application>

Network Security Config (android/app/src/main/res/xml/network_security_config.xml)

xml

<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
  <!-- Disallow all cleartext -->
  <base-config cleartextTrafficPermitted="false"/>
</network-security-config>

What happens instead: Despite those settings, I am still able to fetch an HTTP URL in Dart/Dio, for example:

dart

final response = await Dio().get('http://httpstat.us/200');
print(response.statusCode); // prints 200
Improve this question
3
  • Please also check the generated APK (not only the source code) if it's AndroidManifest,xml and network_security_config.xml contains the values you have configured. Commented Jun 2 at 15:15
  • How Can I check the generated APK (not only the source code) if it's AndroidManifest.xml and network_security_config.xml contains the values I have configured? Commented Jun 3 at 16:12
  • Android Studio has a feature integrated that allows you to analyze existing APK files. Alternatively there are open source tools available like Jadx-Gui or apktool. Commented Jun 3 at 17:23
Related questions
1765
Android 8: Cleartext HTTP traffic not permitted
1
HTTP API call works despite cleartextTrafficPermitted="false" in Android app with minimum SDK 29 and Flutter 3.22.3
0
Null reference exception on startup in Xamarin app with Android network-security-config
Load 5 more related questions Show fewer related questions

0

Reset to default

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.