Recipe Name:
Manifest best practices: disable cleartext traffic
Description:
When android:usesCleartextTraffic="true" is set, the application will allow cleartext traffic, which could lead to data leakage
Level:
error
Language:
  • xml
Tags:
  • security
  • framework specific
  • mobile
  • Android
Documentation

Android coding guidelines and general best practices recommend that network communication take place over encrypted channels such as HTTPS.

When android:usesCleartextTraffic is set to true, the application is allowed to send outgoing requests over plain HTTP, exposing data to leakage or a Man-in-the-Middle (MITM) attack. Setting the value to false makes the platform refuse the app's cleartext requests.

The default is true for API level 27 or lower and false for API level 28 or higher.

Before
android:usesCleartextTraffic="true"
After
android:usesCleartextTraffic="false"
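As an added example (not part of the SCW recipe or of the Android tooling), a small Python checker that applies the recipe's search rule to an AndroidManifest.xml and, going beyond that rule, also evaluates the API-level default from the documentation when the attribute is absent. The manifests it builds are constructed samples with a placeholder package name.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ATTR_CLEARTEXT = "{%s}usesCleartextTraffic" % ANDROID_NS
ATTR_TARGET_SDK = "{%s}targetSdkVersion" % ANDROID_NS
ATTR_MIN_SDK = "{%s}minSdkVersion" % ANDROID_NS
ATTR_NSC = "{%s}networkSecurityConfig" % ANDROID_NS


def build_manifest(target_sdk, app_attrs=""):
    """Constructed sample manifest text; the package name is a placeholder."""
    return (
        '<manifest xmlns:android="%s" package="com.example.placeholder">\n'
        '  <uses-sdk android:minSdkVersion="21" android:targetSdkVersion="%d" />\n'
        '  <application android:label="Sample"%s />\n'
        "</manifest>"
    ) % (ANDROID_NS, target_sdk, app_attrs)


def check_manifest(xml_text):
    """Mirror the recipe's search (attribute on <application> whose value is
    not "false") and also apply the API-level default when it is absent."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    if root.tag != "manifest" or app is None:
        raise ValueError("expected a manifest with an <application> element")
    uses_sdk = root.find("uses-sdk")
    # targetSdkVersion decides the default; it falls back to minSdkVersion,
    # and to API 1 if <uses-sdk> is missing (a constructed assumption here).
    target_sdk = 1
    if uses_sdk is not None:
        target_sdk = int(uses_sdk.get(ATTR_TARGET_SDK) or uses_sdk.get(ATTR_MIN_SDK) or 1)
    value = app.get(ATTR_CLEARTEXT)
    if value == "false":
        allowed, reason = False, "attribute explicitly set to false"
    elif value is not None:
        # Exactly the condition the recipe fires on: the value is not "false".
        allowed, reason = True, "attribute set to %r (recipe finding)" % value
    elif target_sdk <= 27:
        allowed, reason = True, "attribute absent; default is true up to API 27"
    else:
        allowed, reason = False, "attribute absent; default is false from API 28"
    return {
        "cleartext_allowed": allowed,
        "reason": reason,
        "target_sdk": target_sdk,
        # On API 24+ a network security config takes precedence over the
        # attribute, so the effective policy then lives in that resource file.
        "network_security_config": app.get(ATTR_NSC),
    }
```

A manifest that passes the recipe because the attribute is absent can still allow cleartext on an older target level, which is why the checker reports the default as well.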
Resources
Recipe
id: scw:android:disabled-cleartext
version: 10
metadata:
  name: 'Manifest best practices: disable cleartext traffic'
  shortDescription: When android:usesCleartextTraffic="true" is set the application will allow clear text traffic which could lead to data leakage
  level: error
  language: xml
  scwCategory: insufficient_transport_layer_protection:communication_over_cleartext_protocol_http
  cweCategory: 319
  enabled: true
  descriptionFile: descriptions/ManifestbestpracticesdisableusesCleartextTraffic.html
  tags: security;framework specific;mobile;Android
search:
  attribute:
    allOf:
    - in:
        file:
          name: AndroidManifest.xml
    - in:
        element:
          tagName:
            is: application
    name: android:usesCleartextTraffic
    value:
      not: "false"
availableFixes:
- name: Change android:usesCleartextTraffic to false
  actions: []