After a security review I learned an easy tip. By default, Android allows HTTP traffic on older versions of Android! It’s super simple to disable, and you definitely should.
In iOS, HTTP traffic is not allowed. You must make all requests to HTTPS endpoints.
In Android this wasn’t done until Android 9. However, you probably have your Minimum Android version set lower then that. The default for new projects, even today (January 2021) is Android 5.0.
You might think this is fine since you only make HTTPS calls. And, admittedly, this is a very low security risk. However, it is possible that an attack can be done where a 3rd party maliciously sends an HTTP redirect since no certificate is being used. If you don’t want to raise your minimum SDK level and your security review team has very high standards, you’ll want to fix this.
First - the test. We’ll try to grab a string from a server that we know allows HTTP.
On iOS and Android 9+ an exception will occur. However, if you run lower version of Android you’ll see there is no problem grabbing the HTTP content:
To fix this, open your AndroidManifest.xml file. Find the ‘application’ tag (line 4 if you haven’t made any other changes yet) and simply add this
So a default AndroidManifest.xml with this change will look like this:
And that’s it. If we re-run our test now on an Android device below 9 it will also throw an exception. The ex.Message is slightly different for some reason (CLEARTEXT communication not supported: ) but now we pass our security review!