Google Play Pre-launch Reports Security Vulnerability Which Says Cleartext traffic allowed for all domains

Google Play Pre-launch Reports Security Vulnerability Which Says that

Your app’s Network Security Configuration allows cleartext traffic for all domains. This could allow eavesdroppers to intercept data sent by your app. If that data is sensitive or user-identifiable it could impact the privacy of your users.

Consider only permitting encrypted traffic by setting the cleartextTrafficPermitted flag to false, or adding an encrypted policy for specific domains. Learn more

network_security_config.xml

<?xml version="1.0" encoding="utf-8"?>
<network-security-config>

    <base-config cleartextTrafficPermitted="true">
        <trust-anchors>
            <certificates src="system"/>
        </trust-anchors>
    </base-config>

    <domain-config cleartextTrafficPermitted="true">
        <domain includeSubdomains="true">127.0.0.1</domain>
    </domain-config>
</network-security-config>

AndroidManifest.xml

 <application
        android:name="com.example.MyActivity"
        android:allowBackup="false"
        tools:replace="allowBackup"
        android:icon="@drawable/ic_launcher"
        android:label="@string/app_name"
        android:largeHeap="true"
        android:theme="@style/AppTheme"
        android:hardwareAccelerated="true"
        android:resizeableActivity="false"
        android:networkSecurityConfig="@xml/network_security_config">

My Doubt is if my give my own domain name domain-config as cleartextTrafficPermitted=”true” for example

<domain-config cleartextTrafficPermitted="true">
        <domain includeSubdomains="true">http://my-domain.com</domain>
</domain-config>
  1. Does it clears my Security Vulnerability issue?
  2. I need know wheather if i need to set domain-config for my third party ads networks?

Answer

Below the configuration clears Google Play Security Vulnerability

Note:

  1. we have use only https urls in android pie
  2. To use http in android pie we need to include the domain name in domain-config

<base-config cleartextTrafficPermitted="false">
    <trust-anchors>
        <certificates src="system"/>
    </trust-anchors>
</base-config>

<domain-config cleartextTrafficPermitted="true">
    <domain includeSubdomains="true">myowndomain.com</domain>
</domain-config>