Cleartext Traffic Prevention
| Plan | Platforms | MASVS |
|---|---|---|
| Team | Android | MASVS-NETWORK-1 |
Overview
Cleartext Traffic Prevention blocks unencrypted HTTP communication in your Android application. The control is applied at build time: it configures Android's Network Security Config so that the platform refuses cleartext (plaintext) connections at runtime, ensuring that sensitive data is not transmitted over channels without TLS.
When enabled, the build pipeline injects a strict network security configuration into your app. Because enforcement is done by the platform rather than by your code, it covers every networking stack that consults the platform policy: HttpURLConnection, WebView, and libraries such as OkHttp (and therefore Retrofit) that check NetworkSecurityPolicy before connecting. Libraries that open sockets themselves, including native code, do not consult the policy and are not covered.
How It Works
During the Android app build process, MobileDefender modifies your application's network security policy using Android's standard Network Security Config framework:
- Network Security Config Creation:
The build pipeline creates or updates res/xml/network_security_config.xml with a base configuration (the catch-all that applies to every host not matched by a more specific domain configuration) that sets cleartextTrafficPermitted="false".
- Manifest Integration:
Your AndroidManifest.xml is updated to reference this configuration via:
<application android:networkSecurityConfig="@xml/network_security_config" ... />
- Manifest Cleanup:
Any existing android:usesCleartextTraffic="true" declarations are stripped from the merged manifest so that no conflicting permissive setting remains. (On API 24+ the attribute is ignored anyway once a Network Security Config is referenced; removing it keeps the manifest unambiguous for anyone auditing it.)
The Network Security Config is a platform feature introduced in Android 7.0 (API 24). Earlier devices ignore the XML file: on API 23 only the android:usesCleartextTraffic manifest attribute is honored (and it defaults to true), and on API 21-22 there is no platform-level cleartext enforcement at all. The control can therefore be applied to API 21+ builds, but it is only enforced on devices running API 24 or later. Apps targeting API 28+ already default to blocking cleartext traffic, but that default is silently undone by a permissive manifest attribute or config; this control enforces the policy explicitly and removes any overrides that might allow HTTP.
Threats Mitigated
- Man-in-the-Middle Attacks: Prevents adversaries from intercepting unencrypted HTTP traffic on compromised networks (public WiFi, rogue access points)
- Credential Leakage: Blocks transmission of authentication tokens, API keys, or passwords over plaintext channels
- Sensitive Data Exposure: Ensures PII, financial data, and proprietary information are always encrypted in transit
- Downgrade Attacks: Removes the foothold an SSL-stripping attacker needs. The app never issues the initial http:// request, or follows an http:// redirect, that such an attack relies on when a service is reachable over both HTTP and HTTPS; the cleartext connection is refused before any bytes leave the device
How to Enable the Control
Navigate to Connection Settings in the AppTego portal and expand the Transport Security section, which contains the Block Cleartext Traffic control. Click Enable to turn it on for the next build or, if live push is enabled, to have it applied by a live push.
Configuration & Defaults
{
"CleartextPrevention": {
"protection": true
}
}
- Default: Disabled (no network policy modification)
- When Enabled: All cleartext connections that go through the platform policy are refused, including http:// and ws:// URLs; only TLS connections (https://, wss://) are permitted
Caveats
Local Development Servers
Applications that communicate with local development servers (e.g., http://localhost:8080, http://10.0.2.2:3000 for Android emulators) will fail to connect when this control is enabled.
Development considerations:
- Use HTTPS even for local servers, with the self-signed or private CA certificate added as a custom trust anchor in network_security_config.xml (a <debug-overrides> block keeps that anchor out of release builds)
- Disable this control for development builds and enable it only for production builds
- Configure explicit cleartext domain exceptions (a domain-config with cleartextTrafficPermitted="true" listing the development hosts) in your app's own network_security_config.xml for development endpoints (note: these exceptions will be overridden by this control unless you manage the config manually)
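The policy resolution described under How It Works, together with the development-server exceptions listed above, as an added example that is not part of this page or of the MobileDefender build pipeline: a small Python model of how the platform decides whether a cleartext connection to a host is permitted, given the merged manifest, the referenced config and the device's API level. The manifests and configs are constructed samples; the hardened config reflects the control's description (a base-config refusing cleartext), not its literal output, and the resource name network_security_config and the example hosts are assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Constructed sample: merged manifest before the control runs (permissive
# attribute present, no network security config referenced).
MANIFEST_BEFORE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.app">
  <uses-sdk android:minSdkVersion="21" android:targetSdkVersion="33"/>
  <application android:usesCleartextTraffic="true"/>
</manifest>"""

# Constructed sample: merged manifest after the control runs (attribute stripped,
# generated config referenced).
MANIFEST_AFTER = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.app">
  <uses-sdk android:minSdkVersion="21" android:targetSdkVersion="33"/>
  <application android:networkSecurityConfig="@xml/network_security_config"/>
</manifest>"""

# Constructed sample of the catch-all policy the control describes: base-config
# governs every host that no domain-config matches.
NSC_HARDENED = """<network-security-config>
  <base-config cleartextTrafficPermitted="false"/>
</network-security-config>"""

# Constructed sample of a self-managed development config: the catch-all stays
# strict and only the listed development hosts are exempted. <debug-overrides>
# cannot carry cleartextTrafficPermitted; it only adds trust anchors (here the
# user CA store, which is where an intercepting proxy's CA is installed).
NSC_DEV = """<network-security-config>
  <base-config cleartextTrafficPermitted="false"/>
  <domain-config cleartextTrafficPermitted="true">
    <domain includeSubdomains="false">localhost</domain>
    <domain includeSubdomains="false">10.0.2.2</domain>
    <domain includeSubdomains="true">dev.example.internal</domain>
  </domain-config>
  <debug-overrides><trust-anchors><certificates src="user"/></trust-anchors></debug-overrides>
</network-security-config>"""


def _as_bool(value, default):
    return default if value is None else value.strip().lower() == "true"


def nsc_permits_cleartext(nsc_xml, host, target_sdk):
    """Resolve the cleartext policy for one host from a network security config:
    the most specific matching <domain> wins; otherwise <base-config> applies,
    whose own default flipped to "false" for targetSdkVersion 28+."""
    root = ET.fromstring(nsc_xml)
    base = root.find("base-config")
    base_permits = _as_bool(base.get("cleartextTrafficPermitted") if base is not None else None,
                            default=target_sdk < 28)
    host = host.lower().rstrip(".")
    best = None  # (length of the matched domain, permitted?)
    for cfg in root.iter("domain-config"):
        # A domain-config without the attribute inherits the base-config value.
        permits = _as_bool(cfg.get("cleartextTrafficPermitted"), default=base_permits)
        for dom in cfg.findall("domain"):
            name = dom.text.strip().lower()
            subdomains = _as_bool(dom.get("includeSubdomains"), default=False)
            if host == name or (subdomains and host.endswith("." + name)):
                if best is None or len(name) > best[0]:
                    best = (len(name), permits)
    return base_permits if best is None else best[1]


def cleartext_permitted(manifest_xml, nsc_files, host, api_level):
    """Decide whether a cleartext connection to `host` is allowed on a device
    running `api_level`. `nsc_files` maps resource names ("network_security_config")
    to the XML text of res/xml/<name>.xml."""
    root = ET.fromstring(manifest_xml)
    sdk = root.find("uses-sdk")
    target_sdk = int(sdk.get(ANDROID + "targetSdkVersion", "1")) if sdk is not None else 1
    app = root.find("application")
    attr = app.get(ANDROID + "usesCleartextTraffic")
    nsc_ref = app.get(ANDROID + "networkSecurityConfig")

    if api_level < 23:
        return True  # API 21-22: nothing on the platform enforces a cleartext policy
    if api_level == 23 or nsc_ref is None:
        # Only android:usesCleartextTraffic is consulted (API 23 ignores the XML
        # file). It defaults to "true" unless both the device and the app's
        # targetSdkVersion are at API 28 or above.
        return _as_bool(attr, default=not (api_level >= 28 and target_sdk >= 28))
    # API 24+ with a config referenced: the XML governs and the attribute is ignored.
    nsc_xml = nsc_files[nsc_ref.split("/", 1)[1]]
    return nsc_permits_cleartext(nsc_xml, host, target_sdk)


if __name__ == "__main__":
    hardened = {"network_security_config": NSC_HARDENED}
    dev = {"network_security_config": NSC_DEV}
    for label, manifest, files, host, api in [
        ("before control, API 33", MANIFEST_BEFORE, {}, "api.example.com", 33),
        ("after control, API 33", MANIFEST_AFTER, hardened, "api.example.com", 33),
        ("after control, API 23", MANIFEST_AFTER, hardened, "api.example.com", 23),
        ("dev config, emulator host", MANIFEST_AFTER, dev, "10.0.2.2", 33),
        ("dev config, production host", MANIFEST_AFTER, dev, "api.example.com", 33),
    ]:
        print(f"{label:28s} {host:18s} cleartext permitted: {cleartext_permitted(manifest, files, host, api)}")
```

Running it shows the outcomes a practitioner should expect: the attribute-only manifest permits cleartext; the hardened config refuses it on API 24+; on API 22 and 23 the config is never consulted, so the same build still permits cleartext there (an explicit android:usesCleartextTraffic="false" is what covers API 23). The development config keeps the catch-all strict and exempts only the listed hosts, which is the shape to use if you manage the file yourself.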
WebView Content
If your application loads http:// content in a WebView (e.g., legacy web pages, or mixed content on an HTTPS page), those loads fail with net::ERR_CLEARTEXT_NOT_PERMITTED and show up as an error page or a missing resource. Ensure all embedded web content uses HTTPS.
Third-Party SDKs
Some third-party libraries or analytics SDKs may attempt HTTP fallback connections; with the control enabled such a fallback becomes a failed request rather than a plaintext one, so verify that all integrated SDKs support HTTPS-only operation before enabling it. The converse also applies: an SDK that opens sockets itself (including from native code) does not consult the platform policy, so the control neither blocks nor protects its traffic, and such components must be audited separately.
Debug vs. Release
This control operates at build time. Intercepting proxies such as Charles Proxy and Burp Suite do not need cleartext: they terminate TLS themselves, and what they need from the app is trust in the proxy's CA, which on API 24+ means a <debug-overrides> block with a user trust anchor in the network security config rather than a cleartext exception. Only if your debug tooling genuinely talks to http:// endpoints do you need to conditionally disable the control for debug builds or supply debug-specific domain exceptions.
Support Matrix
| Platform | Minimum Version | Status |
|---|---|---|
| Android | All (API 21+); enforced at runtime on API 24+ | ✅ Supported |
| iOS | — | ❌ Not Available |
Note: iOS enforces App Transport Security (ATS) by default, which already blocks cleartext HTTP unless it is explicitly relaxed in Info.plist (NSAllowsArbitraryLoads or a per-domain exception under NSAppTransportSecurity). This Android-specific control provides equivalent enforcement for Android apps.
API Configuration Example
To enforce cleartext prevention in your Android app:
{
"CleartextPrevention": {
"protection": true
}
}
To allow cleartext traffic (not recommended for production):
{
"CleartextPrevention": {
"protection": false
}
}
| Field | Purpose |
|---|---|
| protection | Enables cleartext traffic blocking for protected Android apps. |
Best Practices
- Enable for Production: Always enable this control in production builds to prevent accidental HTTP usage
- Test Thoroughly: Verify all API endpoints, third-party integrations, and embedded content use HTTPS before deploying with this control enabled
- Monitor Network Errors: On API 24+ a refused cleartext connection surfaces as an error rather than silently succeeding. HttpURLConnection throws java.io.IOException: Cleartext HTTP traffic to <host> not permitted, OkHttp (and therefore Retrofit) throws java.net.UnknownServiceException: CLEARTEXT communication to <host> not permitted by network security policy, and WebView reports net::ERR_CLEARTEXT_NOT_PERMITTED; monitor crash reports and logs for these during testing
- Combine with Certificate Pinning: For maximum security, pair this control with CertificatePinning to prevent both cleartext and mis-issued certificate attacks
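As an added example (not part of this page or of the AppTego/MobileDefender tooling), the triage step the Monitor Network Errors item calls for: a Python script that scans logcat output for the refusal messages of the three stacks and produces the list of hosts still being contacted over cleartext, so each can be migrated to HTTPS before the control ships. The log excerpt is constructed, and the log tags and hostnames in it are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Message shapes emitted on API 24+ when the policy refuses a cleartext
# connection: the platform's HttpURLConnection, OkHttp (used by Retrofit),
# and WebView's console output. Group 1 is the host or, for WebView, the URL.
PATTERNS = {
    "HttpURLConnection": re.compile(r"Cleartext HTTP traffic to (\S+) not permitted"),
    "OkHttp": re.compile(r"CLEARTEXT communication to (\S+) not permitted by network security policy"),
    "WebView": re.compile(r"ERR_CLEARTEXT_NOT_PERMITTED.*?source: (http://\S+)"),
}

# Constructed logcat excerpt (not real app output): one failure of each kind,
# one repeat, and an unrelated HTTPS line that must be ignored.
SAMPLE_LOGCAT = """\
E/SessionApi: java.io.IOException: Cleartext HTTP traffic to api.example.com not permitted
W/Analytics: java.net.UnknownServiceException: CLEARTEXT communication to metrics.vendor.example not permitted by network security policy
I/chromium: [INFO:CONSOLE(1)] "Failed to load resource: net::ERR_CLEARTEXT_NOT_PERMITTED", source: http://legacy.example.com/help.html (1)
D/OkHttp: --> GET https://api.example.com/v1/session
E/SessionApi: java.io.IOException: Cleartext HTTP traffic to api.example.com not permitted
"""


def find_cleartext_failures(lines):
    """Map each host that was refused a cleartext connection to the list of
    stacks that reported it, in log order."""
    failures = defaultdict(list)
    for line in lines:
        for stack, pattern in PATTERNS.items():
            match = pattern.search(line)
            if not match:
                continue
            target = match.group(1)
            # WebView gives us the full URL; the other two give the bare host.
            host = urlsplit(target).hostname if target.startswith("http://") else target
            failures[host.rstrip(".,:")].append(stack)
            break
    return dict(failures)


if __name__ == "__main__":
    # In practice feed this the output of `adb logcat -d` from a test run.
    for host, stacks in sorted(find_cleartext_failures(SAMPLE_LOGCAT.splitlines()).items()):
        print(f"{host}: {len(stacks)} failure(s) via {', '.join(sorted(set(stacks)))}")
```

The output is the migration worklist: every host listed is one the app, an SDK, or embedded web content still reaches over http://, and the stack name tells you which integration owns it.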