Starting with Android 9 (API level 28), cleartext (using the unencrypted HTTP protocol instead of HTTPS) support is disabled by default.

Source: Android developers - Network security configuration

This means, if you app need to use unencrypted HTTP protocol, by default you should face a CONNECTION REFUSED. Personally I need it to enable livereload on Cordova devs, the js layer of app is loaded from http://localhost.

Network Security Configuration feature

By domain

To configure the clearTextTrafficPermited flag, we need to set the network security config at the manifest file level.

The Network Security Configuration feature uses an XML file where you specify the settings for your app. You must include an entry in the manifest of your app to point to this file. The following code excerpt from a manifest demonstrates how to create this entry:

<?xml version="1.0" encoding="utf-8"?>
<manifest ... >
    <application android:networkSecurityConfig="@xml/network_security_config"
                    ... >
        ...
    </application>
</manifest>

Source: Add a Network Security Configuration file

In cordova it could be achieved setting both configs below:

./config.xml

<platform name="android">
  ...
  <edit-config file="app/src/main/AndroidManifest.xml" mode="merge" target="/manifest/application" xmlns:android="http://schemas.android.com/apk/res/android">
    <application android:networkSecurityConfig="@xml/network_security_config" />
  </edit-config>
  <resource-file src="resources/android/xml/network_security_config.xml" target="app/src/main/res/xml/network_security_config.xml" />
</platform>

At ./resources/android/xml/network_security_config.xml :

<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
  <!-- Allows HTTP traffic only to localhost. All other domains will only be allowed via HTTPS -->
  <domain-config cleartextTrafficPermitted="true">
    <domain includeSubdomains="true">localhost</domain>
  </domain-config>
</network-security-config>

By default

To allow cleartext HTTP traffic by default on your app you should replace above ./resources/android/xml/network_security_config.xml by:

<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
  <base-config cleartextTrafficPermitted="true">
    <trust-anchors>
      <certificates src="system" />
    </trust-anchors>
  </base-config>
</network-security-config>

Furthermore


Victor Dias

Sharing mobile Experiences

Follow me