Cleartext Traffic enabled in AndroidManifest.xml

  1. Home

Vulnerability Title

The application has cleartext traffic enabled via android:usesCleartextTraffic="true" in the AndroidManifest.xml, allowing data to be transmitted over unencrypted HTTP connections.

Cleartext Traffic enabled in AndroidManifest - image

Vulnerability Explanation

This vulnerability occurs when the android:usesCleartextTraffic="true" attribute is set in the AndroidManifest.xml file, allowing the app to send or receive data over unencrypted HTTP connections. Cleartext traffic is readable by anyone intercepting the network (e.g., through a compromised Wi-Fi network, rogue access point, or proxy), which exposes sensitive information such as login credentials, tokens, or personal data.

Modern Android versions (API 28+) block cleartext traffic by default to protect user data. Manually enabling it bypasses this protection, putting the app and its users at risk.

Vulnerability Impact

Enabling cleartext traffic can lead to interception of sensitive data, including passwords, tokens, and personal user information. It also opens the door to man-in-the-middle (MITM) attacks and can undermine user trust and compliance with security standards like OWASP Mobile Top 10 or GDPR.

Vulnerability Solution

  • Disable Cleartext Traffic In AndroidManifest.xml, set:

    Disable backup in production apps

  • Ensure all API calls and external requests use https:// endpoints. Update server configurations to support HTTPS if needed.

  • If cleartext traffic is required for specific domains (ex., during testing), define them explicitly using a network_security_config.xml
    Disable backup in production apps