Cleartext Traffic
Description
Using HTTP or other unencrypted protocols exposes data in transit to interception and modification by anyone on the network path (Wi-Fi, carrier, proxy). On Android, cleartext is blocked by default only for apps targeting API level 28 (Android 9) or higher. It is still allowed if the manifest sets android:usesCleartextTraffic="true" or the app's network security config sets cleartextTrafficPermitted="true" for the relevant hosts; when a network security config is present (API 24+), it takes precedence over the manifest attribute.
Examples
Detect Cleartext Usage
rg -n "usesCleartextTraffic|cleartextTrafficPermitted" AndroidManifest.xml res/xml/network_security_config.xml
Observe Plain HTTP Requests
tcpdump -i en0 -A host api.example.com and tcp port 80
If credentials, session tokens or PII appear in the dump, the transport is insecure. The filter above only captures port 80: cleartext on other ports or non-HTTP protocols needs a broader filter, and en0 is a macOS interface name (use the capturing host's interface on Linux).
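The rg search above finds the attributes but not their combined effect. The following is an added Python example (not code from the original page) that evaluates whether plain HTTP to a given host is permitted by a manifest plus an optional network security config, applying the documented precedence: a matching domain-config beats base-config, which beats the platform default, while android:usesCleartextTraffic only applies when no config is present. The manifests, configs, package name and domains are constructed samples; the hardened pair shows the layout the remediation section asks for.

```python
"""Evaluate an Android app's effective cleartext-traffic policy for a host.

Added example, not from the original page. Precedence follows the Android
docs: a matching <domain-config> overrides <base-config>, which overrides the
platform default (cleartext allowed when targetSdkVersion <= 27, blocked from
28 on). android:usesCleartextTraffic applies only when no network security
config is present. Nested <domain-config> and <pin-set> are not modelled.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed samples (not a real app). The "hardened" pair is the target state.
MANIFEST_WEAK = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.app">
  <uses-sdk android:targetSdkVersion="29"/>
  <application android:usesCleartextTraffic="true"/>
</manifest>"""

MANIFEST_HARDENED = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.app">
  <uses-sdk android:targetSdkVersion="33"/>
  <application android:usesCleartextTraffic="false"
      android:networkSecurityConfig="@xml/network_security_config"/>
</manifest>"""

NSC_WEAK = """<network-security-config>
  <base-config cleartextTrafficPermitted="true"/>
</network-security-config>"""

NSC_HARDENED = """<network-security-config>
  <base-config cleartextTrafficPermitted="false"/>
  <domain-config cleartextTrafficPermitted="true">
    <domain includeSubdomains="false">dev.internal.example</domain>
  </domain-config>
</network-security-config>"""


def _flag(value):
    """XML boolean attribute -> True/False, or None when the attribute is absent."""
    return None if value is None else value.strip().lower() == "true"


def parse_manifest(xml_text):
    root = ET.fromstring(xml_text)
    app = root.find("application")
    sdk = root.find("uses-sdk")
    target = None
    if sdk is not None and sdk.get(ANDROID_NS + "targetSdkVersion"):
        target = int(sdk.get(ANDROID_NS + "targetSdkVersion"))
    uses_cleartext = _flag(app.get(ANDROID_NS + "usesCleartextTraffic")) if app is not None else None
    return {"target_sdk": target, "uses_cleartext": uses_cleartext}


def _domain_matches(domain_el, host):
    name = (domain_el.text or "").strip().lower()
    include_sub = _flag(domain_el.get("includeSubdomains")) or False
    return host == name or (include_sub and host.endswith("." + name))


def cleartext_permitted(host, manifest_xml, nsc_xml=None):
    """True if plain HTTP to `host` is allowed by this manifest (+ optional config)."""
    host = host.lower()
    m = parse_manifest(manifest_xml)
    # A missing targetSdkVersion is treated like an old target: permissive platform default.
    effective = m["target_sdk"] is None or m["target_sdk"] < 28
    if nsc_xml is None:
        return effective if m["uses_cleartext"] is None else m["uses_cleartext"]

    root = ET.fromstring(nsc_xml)
    base = root.find("base-config")
    base_flag = _flag(base.get("cleartextTrafficPermitted")) if base is not None else None
    if base_flag is not None:
        effective = base_flag

    # Longest matching <domain> wins; a domain-config without the attribute inherits from base.
    best_len, best_flag = -1, None
    for dc in root.findall("domain-config"):
        dc_flag = _flag(dc.get("cleartextTrafficPermitted"))
        for d in dc.findall("domain"):
            if _domain_matches(d, host):
                name_len = len((d.text or "").strip())
                if name_len > best_len:
                    best_len, best_flag = name_len, dc_flag
    return best_flag if best_flag is not None else effective


def audit(hosts, manifest_xml, nsc_xml=None):
    """Map each host to whether cleartext would be allowed; usable as a build-time gate."""
    return {h: cleartext_permitted(h, manifest_xml, nsc_xml) for h in hosts}


if __name__ == "__main__":
    hosts = ["api.example.com", "dev.internal.example", "sub.dev.internal.example"]
    for label, manifest, nsc in [("weak manifest, no config", MANIFEST_WEAK, None),
                                 ("hardened manifest, weak config", MANIFEST_HARDENED, NSC_WEAK),
                                 ("hardened manifest, hardened config", MANIFEST_HARDENED, NSC_HARDENED)]:
        print(label)
        for host, allowed in audit(hosts, manifest, nsc).items():
            print(f"  {host}: cleartext {'ALLOWED' if allowed else 'blocked'}")
```

Run it against a decoded APK's AndroidManifest.xml and res/xml/network_security_config.xml with the production host list to turn the grep into a pass/fail gate; note that the weak manifest targets API 29, so the platform default would block cleartext, and it is the explicit usesCleartextTraffic="true" that re-enables it.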
Remediation
- Enforce HTTPS: disable cleartext by default and require TLS for all endpoints, including any hard-coded http:// URLs in the code base.
- Network security config: set cleartextTrafficPermitted="false" on <base-config>; allow exceptions only through a <domain-config> for known dev hosts, and keep those out of release builds. Also set android:usesCleartextTraffic="false" in the manifest, since devices below API 24 do not read the network security config.
- Backend hardening: redirect HTTP to HTTPS; set HSTS and reject insecure ciphers.
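To verify the backend side of the remediation, here is an added Python check (not code from the original page) that validates an HTTP-to-HTTPS redirect and the Strict-Transport-Security header on raw HTTP responses. The responses and hostname are constructed stand-ins for what a curl -i against the real endpoints would return; checking cipher suites needs a live TLS probe and is not covered here.

```python
"""Check backend responses for the remediation properties: plain HTTP must
redirect (301/308) to https:// on the same host, and HTTPS responses must send
a Strict-Transport-Security header with a long max-age and includeSubDomains.

Added example, not from the original page; the responses below are constructed.
"""
from urllib.parse import urlsplit

MIN_HSTS_MAX_AGE = 31536000  # one year, the usual minimum for a meaningful policy

# Constructed responses standing in for real `curl -i http://...` / `https://...` output.
HTTP_RESPONSE_WEAK = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/json\r\n\r\n"
    '{"user":"alice","token":"sess-1234"}'  # a session token served over plain HTTP
)
HTTP_RESPONSE_GOOD = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Location: https://api.example.com/\r\n"
    "Content-Length: 0\r\n\r\n"
)
HTTPS_RESPONSE_WEAK = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=300\r\n\r\n"
)
HTTPS_RESPONSE_GOOD = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains; preload\r\n\r\n"
)


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status_code, {lowercased header: value})."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    _version, status, *_reason = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(status), headers


def check_http_redirect(raw, host):
    """Plain-HTTP response must be a permanent redirect to https:// on the same host."""
    status, headers = parse_response(raw)
    if status not in (301, 308):
        return False, f"expected 301/308 redirect to HTTPS, got {status}"
    target = urlsplit(headers.get("location", ""))
    # Compare the parsed hostname, not a string prefix, so https://host.evil.tld does not pass.
    if target.scheme != "https" or (target.hostname or "").lower() != host.lower():
        return False, f"Location does not point at https://{host}: {headers.get('location')!r}"
    return True, "ok"


def check_hsts(raw):
    """HTTPS response must carry HSTS with max-age >= one year and includeSubDomains."""
    _status, headers = parse_response(raw)
    value = headers.get("strict-transport-security")
    if value is None:
        return False, "no Strict-Transport-Security header"
    directives = {}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        if name:
            directives[name.lower()] = arg.strip().strip('"')
    try:
        max_age = int(directives.get("max-age", ""))
    except ValueError:
        return False, "max-age missing or not an integer"
    if max_age < MIN_HSTS_MAX_AGE:
        return False, f"max-age {max_age} is below {MIN_HSTS_MAX_AGE}"
    if "includesubdomains" not in directives:
        return False, "includeSubDomains missing"
    return True, "ok"


if __name__ == "__main__":
    for label, ok, why in [
        ("http weak", *check_http_redirect(HTTP_RESPONSE_WEAK, "api.example.com")),
        ("http good", *check_http_redirect(HTTP_RESPONSE_GOOD, "api.example.com")),
        ("hsts weak", *check_hsts(HTTPS_RESPONSE_WEAK)),
        ("hsts good", *check_hsts(HTTPS_RESPONSE_GOOD)),
    ]:
        print(f"{label}: {'PASS' if ok else 'FAIL'} ({why})")
```

The redirect check compares the parsed hostname rather than a string prefix so that a Location of https://api.example.com.attacker.tld is rejected; the HSTS check treats a short max-age as a failure because a policy that expires in minutes offers no protection after the first visit.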