From fcc46336014d59cb9f28ae0543ad855a9e01bdf4 Mon Sep 17 00:00:00 2001 From: Chad Brubaker Date: Thu, 19 Oct 2017 13:23:47 -0700 Subject: Change cleartext traffic permitted default for P apps For applications targeting P and above the network security config's cleartextTrafficPermitted will default to false instead of the previous true. Bug: 63931636 Test: network security config cts tests Change-Id: Ia697358ad84e2092443c3eff518003c6a11e4630
---
 core/java/android/security/net/config/NetworkSecurityConfig.java | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/core/java/android/security/net/config/NetworkSecurityConfig.java b/core/java/android/security/net/config/NetworkSecurityConfig.java
index b9e550540217..52f48ef8499b 100644
--- a/core/java/android/security/net/config/NetworkSecurityConfig.java
+++ b/core/java/android/security/net/config/NetworkSecurityConfig.java
@@ -164,7 +164,8 @@ public final class NetworkSecurityConfig {
 *

* The default configuration has the following properties: *

    - *
  1. Cleartext traffic is permitted for non-ephemeral apps.
  2. + *
  3. If the application targets API level 27 (Android O MR1) or lower then cleartext traffic + * is allowed by default.
  4. *
  5. Cleartext traffic is not permitted for ephemeral apps.
  6. *
  7. HSTS is not enforced.
  8. *
  9. No certificate pinning is used.
  10.
@@ -183,7 +184,8 @@ public final class NetworkSecurityConfig {
 // System certificate store, does not bypass static pins.
 .addCertificatesEntryRef(
 new CertificatesEntryRef(SystemCertificateSource.getInstance(), false));
- final boolean cleartextTrafficPermitted = info.targetSandboxVersion < 2;
+ final boolean cleartextTrafficPermitted = info.targetSdkVersion < Build.VERSION_CODES.P
+ && info.targetSandboxVersion < 2;
 builder.setCleartextTrafficPermitted(cleartextTrafficPermitted);
 // Applications targeting N and above must opt in into trusting the user added certificate
 // store.
--
cgit v1.2.3-59-g8ed1b
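Review bot: The two-part condition assigned to `cleartextTrafficPermitted` has no comment saying why each half is there, and the Javadoc list edited in the first hunk leaves the same gap: it describes apps targeting API level 27 or lower but never states that apps targeting P and above are denied cleartext by default, or that the ephemeral-app rule still applies to an app targeting 27 or lower. I would add above the declaration `// Cleartext is on by default only for non-ephemeral apps (targetSandboxVersion < 2) that target O MR1 or lower; apps targeting P and above must opt in.` and a matching Javadoc item saying that apps targeting P or higher do not get cleartext traffic by default. This is only the builder's default, so a reader auditing an app still has to check the places that can override it, which are not visible in this hunk. The enclosing method starts and ends outside the hunk.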