Skip to content

Attribute usesCleartextTraffic set

Attribute usesCleartextTraffic set

Description

The android:usesCleartextTraffic attribute indicates whether the app intends to use cleartext network traffic, such as cleartext HTTP.

The default value for apps that target API level 27 or lower is "true". Apps that target API level 28 or higher default to "false".

Recommendation

Explicitly set the attribute android:usesCleartextTraffic value to false and define an Android Network Security Config.

The default value for apps that target API level 27 or lower is true. Apps that target API level 28 or higher default to false.

<application android:icon="@drawable/icon" android:usesCleartextTraffic="false">

Standards

  • OWASP_MASVS_L1:
    • MSTG_NETWORK_1
  • OWASP_MASVS_L2:
    • MSTG_NETWORK_1
  • PCI_STANDARDS:
    • REQ_2_2
    • REQ_3_6
    • REQ_3_7
    • REQ_4_2
    • REQ_6_2
    • REQ_6_3
  • OWASP_MASVS_v2_1:
    • MASVS_NETWORK_1
  • SOC2_CONTROLS:
    • CC_2_1
    • CC_4_1
    • CC_6_7
    • CC_7_1
    • CC_7_2
    • CC_7_4
    • CC_7_5