✨ Cleartext HTTP Traffic in Android: A Version-by-Version Breakdown

Leo N
4 min read · Dec 23, 2018

Android has tightened its security over the years, and one major area of focus is Cleartext HTTP traffic (unencrypted HTTP connections). Since Android 7, Google has been pushing developers to use HTTPS instead of HTTP to keep user data safe. But how strict is each Android version? Let’s break it down.

💡 What is Cleartext HTTP Traffic?

Cleartext HTTP traffic refers to unencrypted data sent over the internet using the HTTP protocol instead of HTTPS (which is encrypted using SSL/TLS). This makes it vulnerable to attacks.

💡 Why Cleartext HTTP Traffic?

Developers might need Cleartext HTTP support for a few reasons, even though HTTPS is the standard now:

  1. Legacy APIs: Some older APIs still use HTTP, and upgrading them to HTTPS might not be immediately possible.
  2. Local Development & Testing: When testing apps on a local network or using mock servers, HTTPS might not be set up, making HTTP easier for debugging.
  3. Internal Networks: Some enterprise apps communicate within a private network where encryption is not required.
  4. Performance Considerations: In rare cases, HTTPS overhead might be avoided for specific use cases (though this is less relevant today with modern TLS optimizations).
  5. IoT Devices: Some embedded systems and IoT devices might still rely on HTTP for communication.

That said, cleartext HTTP is a security risk, so it’s best to allow it only when absolutely necessary and for specific domains.

🔄 Android 7 (Nougat)

Introduced: 2016
Default Behavior: Allowed, but discouraged

  • Uses the Network Security Config feature, an XML file referenced from the app’s manifest, which lets developers block cleartext traffic.
  • Developers can explicitly allow cleartext traffic by setting <base-config cleartextTrafficPermitted="true" /> in network_security_config.xml.

Bottom Line: HTTP still works by default, but developers can disable it for better security.
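
An added example, not from the original article: a small Python check that reads a network_security_config.xml and lists every scope in which cleartext HTTP is permitted, including nested domain-config entries that inherit the flag from their parent. Both XML samples, the host names and the function names are constructed for illustration, and platform_default=True assumes the Android 7 default described above.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the blanket opt-in quoted above.
PERMISSIVE = """<network-security-config>
  <base-config cleartextTrafficPermitted="true" />
</network-security-config>"""

# Constructed sample: HTTP denied by default, allowed for named hosts only.
# The example.com hosts are placeholders, not hosts from the article.
SCOPED = """<network-security-config>
  <base-config cleartextTrafficPermitted="false" />
  <domain-config cleartextTrafficPermitted="true">
    <domain includeSubdomains="false">legacy-api.example.com</domain>
    <domain-config>
      <domain includeSubdomains="true">files.example.com</domain>
    </domain-config>
  </domain-config>
</network-security-config>"""

def _flag(elem, inherited):
    """Read cleartextTrafficPermitted, falling back to the inherited value."""
    value = None if elem is None else elem.get("cleartextTrafficPermitted")
    return inherited if value is None else value.strip().lower() == "true"

def cleartext_hosts(xml_text, platform_default=True):
    """Return (base_permitted, {host_pattern: permitted}) for one config."""
    root = ET.fromstring(xml_text)
    base = _flag(root.find("base-config"), platform_default)
    hosts = {}

    def walk(parent, inherited):
        for cfg in parent.findall("domain-config"):
            permitted = _flag(cfg, inherited)  # unset flag inherits from parent
            for dom in cfg.findall("domain"):
                subs = dom.get("includeSubdomains", "false").lower() == "true"
                name = (dom.text or "").strip() + (" (+subdomains)" if subs else "")
                hosts[name] = permitted
            walk(cfg, permitted)  # nested domain-config elements
    walk(root, base)
    return base, hosts

def findings(xml_text, platform_default=True):
    """List every scope in which the config lets the app speak plain HTTP."""
    base, hosts = cleartext_hosts(xml_text, platform_default)
    out = ["base-config: every host"] if base else []
    return out + [f"domain-config: {h}" for h, ok in sorted(hosts.items()) if ok]

if __name__ == "__main__":
    print(findings(PERMISSIVE), findings(SCOPED))
```

In the scoped sample the nested domain-config sets no flag of its own, so it inherits the permission from its parent and shows up in the findings as well.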

🔐 Android 8 (Oreo)


Written by Leo N

🇻🇳 🇸🇬 🇲🇾 🇦🇺 🇹🇭 Engineer @ GXS Bank, Singapore | MSc 🎓 | Technical Writer . https://github.com/nphausg
