Attribute usesCleartextTraffic set

Attribute usesCleartextTraffic set

Risk: low

Description

The android:usesCleartextTraffic attribute indicates whether the app intends to use cleartext network traffic, such as cleartext HTTP.

The default value for apps that target API level 27 or lower is "true". Apps that target API level 28 or higher default to "false".

Recommendation

Explicitly set the attribute android:usesCleartextTraffic value to false and define an Android Network Security Config.

The default value for apps that target API level 27 or lower is true. Apps that target API level 28 or higher default to false.

XML

<application android:icon="@drawable/icon" android:usesCleartextTraffic="false">

Links

• Storage updates in Android 11

Standards

• OWASP_MASVS_L1:
  • MSTG_NETWORK_1
• OWASP_MASVS_L2:
  • MSTG_NETWORK_1
• PCI_STANDARDS:
  • REQ_2_2
  • REQ_3_6
  • REQ_3_7
  • REQ_4_2
  • REQ_6_2
  • REQ_6_3
• OWASP_MASVS_v2_1:
  • MASVS_NETWORK_1
• SOC2_CONTROLS:
  • CC_2_1
  • CC_4_1
  • CC_6_7
  • CC_7_1
  • CC_7_2
  • CC_7_4
  • CC_7_5