Android 9 : Cleartext HTTP traffic to [MY_IP] not permitted

Hi,
I start to receive a lots of message from Android P user.
Error log on Android 9 only : "Cleartext HTTP traffic to 45.xx.xxx.xx not permitted"
This error happens during WWW request.

I tried to edit my androidmanifest :

Code (CSharp):

1. <?xml version="1.0" encoding="utf-8"?>
2. <manifest ...>
3.     <uses-permission android:name="android.permission.INTERNET" />
4.     <application
5.         ...
6.         android:usesCleartextTraffic="true"
7.         ...>
8.         ...
9.     </application>
10. </manifest>

But it didn't fixed the problem.

I saw this
https://codelabs.developers.google.com/codelabs/android-network-security-config/index.html#3
But i have no idea how to do the similar thing using Unity only (i don't use android studio).

Thanks for help.

 

Thanks Yury,
My database is on this server and my application is getting many informations from it.

Is there a way to keep the same url and make it secured?

 

Any workaround for this without using https?

 

Google says you can still use HTTP:
https://android-developers.googleblog.com/2018/04/protecting-users-with-tls-by-default-in.html

Code (csharp):

1.  
2. <network-security-config>
3.    <domain-config cleartextTrafficPermitted="false">
4.        <domain includeSubdomains="true">example.com</domain>
5.        <domain includeSubdomains="true">cdn.example2.com</domain>
6.    </domain-config>
7.    <base-config cleartextTrafficPermitted="true" />
8. </network-security-config>
9.  

see also:
https://developer.android.com/guide/topics/manifest/application-element#usesCleartextTraffic

 

Hi ,
You just need to update this line android:usesCleartextTraffic="true" in manifest file.

Code (JavaScript):

1. <?xml version="1.0" encoding="utf-8"?>
2. <manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.unity3d.player" xmlns:tools="http://schemas.android.com/tools" android:installLocation="preferExternal">
3.     <supports-screens android:smallScreens="true" android:normalScreens="true" android:largeScreens="true" android:xlargeScreens="true" android:anyDensity="true" />
4.     <application android:theme="@style/UnityThemeSelector" android:icon="@mipmap/app_icon" android:label="@string/app_name" android:usesCleartextTraffic="true">
5.         <activity android:name="com.unity3d.player.UnityPlayerActivity" android:label="@string/app_name">
6.             <intent-filter>
7.                 <action android:name="android.intent.action.MAIN" />
8.                 <category android:name="android.intent.category.LAUNCHER" />
9.             </intent-filter>
10.             <meta-data android:name="unityplayer.UnityActivity" android:value="true" />
11.         </activity>
12.     </application>
13.     <uses-permission android:name="android.permission.INTERNET" />
14.     <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE" />
15. </manifest>

 

By changing Target API Level to 27, bypass this problem.

 

yeah, Google Play will probably require to target android 9 by this fall.
Thats why I said bypass.
Since I cannot force my client to use Https, I will probably change the manifiest.
Thank you for quick response.

 

Hi,
Same thing for me, it's not possible to switch to HTTPS. At least for now.

Is it possible to add this to the manifest directly from Unity, a checkbox from the player settings maybe?
I tried to add a custom manifest inside the Plugins/Android folder, but for some reasons it doesn't work as expected.

 

Hey, is there anything else i need to do to get this working on my android device ?
I modified the android manifest adding this:

android:usesCleartextTraffic="true"

but the problem persists, i'm getting this symbol � on the www.downloadHandler.text while debugging it on the android device, on Editor it works fine.

 

Unity, why not have a box in the player settings to allow for HTTP clear text to go through (that internally just adds the clear text tag to the manifest)?

I got android:usesCleartextTraffic="true" to work by copying the whole manifest, adding that line and putting it in my project. But between that and setting the API level to 27, I'd rather just use API 27.

HTTPS is the future. Currently, it's idealistic at best.

 

I tried to do the same thing, adding the permission within the manifest. I have now this <application> tag line:

Code (CSharp):

1. <application android:theme="@style/UnityThemeSelector" android:icon="@mipmap/app_icon" android:label="@string/app_name" android:usesCleartextTraffic="true">

Code (CSharp):

1. <uses-permission android:name="android.permission.INTERNET" />

is added too as a seperate tag.

But now the app crashes on every start. Any ideas what I am doing wrong?
According to this link:
https://medium.com/@imstudio/android-8-cleartext-http-traffic-not-permitted-73c1c9e3b803
i have to add the usesCleartextTraffic inside the application tag. I'm sorry if i misunderstood something, i'm not a pro.

Did i place it in the right spot?

 

You can try to just switch Build System gradle to internal.
Thats fixed my error.

 

I was looking for it, to change to intenal... but according to the newest version of Unity it is not available anymore. Or am I wrong?

 

Spent hours trying to debug something like "[Networking] UnityWebRequest.Post returns "Generic/unknown HTTP error""
Made the manifest change and everything instantly worked. At the WebRequest level it gives no indications of it being a problem, and when I originally ported a System.Net's HttpWebRequest solution it worked just fine. Some hint of the underlying problem at the UnityWebRequest error level would help point others in the right direction. Maybe a "Client OS denies network access" error or ... something other than "Unknown Error 0".

 

Also ran into this. I'm surprised unity didn't just put a checkbox on player settings to do this. Given the speed they get to stuff, maybe in 2028.1.3f99

 

This answer safes my LIFE!!!!
It works.

I'm using Unity 2018.4.9f1.

My Manifest Code:
Assets/Plugins/Android/AndroidManifest.xml

Code (CSharp):

1. <?xml version="1.0" encoding="utf-8"?>
2. <manifest ...>
3.     <uses-permission android:name="android.permission.INTERNET" />
4.     <application
5.         ...
6.         android:usesCleartextTraffic="true"
7.         ...>
8.         ...
9.     </application>
10. </manifest>

Then, go to File > Build Settings and changed my Build System to Internal

 

android:usesCleartextTraffic="true" fixed the issue. It was only need for Android Pie+

 

Has anyone succeeded in adding a network_security_config.xml file for whitelisting some urls?

In my case, after creating an Android build, the apk has an empty or default network_security_config.xml instead of the file I already setup. My custom network security config file is stored in Plugins/Android/res/xml/network_security_config.xml in unity.

 

What the hell is wrong with google? not everybody can just switch to https like that, are they stupid? why they like to ruin peoples lives all the time?

 

Switching to internal build system only gives errors, so im basically screwed now because my app cant make a simple internet connection because of this stupid google https bull SH*T requirement. How they have the right to force everybody to use https? what if i dont freeking need that!! I have a investor demo wednesday and i cant make a internet connection now so im screwed.

Code (CSharp):

1.  
2.  
3. Error: Error while saving blame file, build will continue
4. [B]Error: The prefix "tools" for attribute "tools:overrideLibrary" associated with an element type "uses-sdk" is not bound.[/B]
5.  
6. UnityEngine.GUIUtility:ProcessEvent(Int32, IntPtr)
7.  
8. [B]AndroidSDKToolsException: Unable to merge android manifests. [/B]
9. UnityEditor.Android.AndroidSDKTools.DetectErrorsAndWarnings (System.String logMessages, System.String errorMsg) (at <3c0b2fdf8ace4ae49f054e74ca773557>:0)
10. UnityEditor.Android.AndroidSDKTools.RunCommandInternal (System.String javaExe, System.String sdkToolsDir, System.String[] sdkToolCommand, System.Int32 memoryMB, System.String workingdir, System.String errorMsg) (at <3c0b2fdf8ace4ae49f054e74ca773557>:0)
11. UnityEditor.Android.AndroidSDKTools.RunCommand (System.String javaExe, System.String sdkToolsDir, System.String[] sdkToolCommand, System.String workingdir, System.String errorMsg, System.Int32 memoryMB) (at <3c0b2fdf8ace4ae49f054e74ca773557>:0)
12. UnityEditor.Android.AndroidSDKTools.RunSDKToolWithReadLock (System.String[] command, System.String workingdir, System.String errorMsg) (at <3c0b2fdf8ace4ae49f054e74ca773557>:0)
13. UnityEditor.Android.AndroidSDKTools.MergeManifests (UnityEditor.Android.AndroidJavaTools javaTools, System.String target, System.String mainManifest, System.Collections.Generic.IEnumerable`1[T] libraryManifests) (at <3c0b2fdf8ace4ae49f054e74ca773557>:0)
14. UnityEditor.Android.PostProcessor.Tasks.GenerateManifest.MergeManifests (UnityEditor.Android.PostProcessor.PostProcessorContext context, System.String mainManifest, System.String targetManifest) (at <3c0b2fdf8ace4ae49f054e74ca773557>:0)
15. UnityEditor.Android.PostProcessor.Tasks.GenerateManifest.Execute (UnityEditor.Android.PostProcessor.PostProcessorContext context) (at <3c0b2fdf8ace4ae49f054e74ca773557>:0)
16. UnityEditor.Android.PostProcessor.PostProcessRunner.RunAllTasks (UnityEditor.Android.PostProcessor.PostProcessorContext context) (at <3c0b2fdf8ace4ae49f054e74ca773557>:0)
17. UnityEngine.GUIUtility:ProcessEvent(Int32, IntPtr)
18.  
19.  
20.  

 

It doesnt work, i added that android:usesCleartextTraffic="true" to my manifest and i still cant make http connection, im using API 24. I cant use api 27 because my phone only goes up to 24 (unless i go spend hundreds to buy a new phone) . When i use internal build i get error about manifest cant be merged, so im screwed three ways because of this stupid http requirement that GOD google has placed upon us. I wonder when they will require us to pray to them 5 times a day

 

This worked for me as well. Thank you!!

 

Hello. I have a question, so if we are already using HTTPS should we still have to include this
<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
<base-config cleartextTrafficPermitted="true">
<!-- add the list of domains and subdomains you want to address -->
<base includeSubdomains="true">https://xxx.xxxxx.xxx/</base>
</base-config>
</network-security-config>
or
No need and we should remove this android:networkSecurityConfig="@XML/network_security_config" from our AndroidManifest?

 

Nice. Alright, thank you.
However, we do have some devices that still have Unknown Error even we have this config file and we're already using HTTPS. Is it because of the existence of the config file? We're planning to release without the config file thinking that this might fix the problem for those users.

 

Thank you for your response @Aurimas-Cernius . However, the devices that are seeing/getting this kind of error are our players that's why we can not debug further. With our testing devices (with Android6/7/9/10, this problem is not happening but only to some of our users' devices). But we'll try to release with a removed the network security file to know if the problem persists.

We can not build also with Internal since we're having multidex issue.

 

I have the same error. And the solution with the addition of the network_security_config file solved the problem for android 9. But it still does not work on android 10.
I think we need to add something else, just where?

 

So I notice a few things when building my current app...
1) Having android:usesCleartextTraffic="true" in your manifest does not guarantee a fix
2) Something likes to modify the network-security-config at build time; in my case it was removing my domains completely. This probably explains why switching from Gradle to the Internal Build system sometimes solves the problem.

I implemented a hacky fix by deconstructing the APK, editing the network-security-config file manually, and then rebuilding it.

Any bright ideas as to how I might prevent the external build system from breaking my network-security-config?

 

Hello, can you fix this problem or not?

 

So I've been banging my head against the wall for over half a day trying to get this working with streaming video from a website. Doesn't help that I've not touched Android development for some time. In general its pretty straightforward at least once you find the right information, but getting some of the details right tripped me up for a good hour or more what with having to make constant builds to test with.

So here is my AndroidManifest.xml that you place into 'Assets/Plugins/Android/' that is working in Unity 2019.4.f21.

Code (CSharp):

1. <?xml version="1.0" encoding="utf-8"?>
2. <manifest
3.   xmlns:android="http://schemas.android.com/apk/res/android"
4.   package="com.unity3d.player"
5.   xmlns:tools="http://schemas.android.com/tools">
6.   <application
7.     android:usesCleartextTraffic="true"
8.     android:networkSecurityConfig="@xml/network_security_config">
9.     <activity android:name="com.unity3d.player.UnityPlayerActivity"
10.               android:theme="@style/UnityThemeSelector">
11.       <intent-filter>
12.         <action android:name="android.intent.action.MAIN" />
13.         <category android:name="android.intent.category.LAUNCHER" />
14.       </intent-filter>
15.       <meta-data android:name="unityplayer.UnityActivity" android:value="true" />
16.     </activity>
17.   </application>
18. </manifest>

This is the bare minimum manifest that is needed to replace the Unity default one and should allow Unity to add all other settings to it as defined by your PlayerSettings and other plugins. It is based on the Unity default template manifest as found in the editor folder

and crossed referenced with the default manifest produced by an Android build of your project ( as long as you don't already have a custom AndroidManifest in the plugins folder ) that can be grabbed from

What really tripped me up for ages was that i'd accidentally placed the usesCleartextTraffic & networkSecurityConfig within the 'Activity' tag of the xml instead of outside of it.

As for the 'network_security_config.xml' file I used this but with the website domain name instead of example.com

Code (CSharp):

1. <?xml version="1.0" encoding="utf-8"?>
2. <network-security-config>
3.     <domain-config cleartextTrafficPermitted="true">
4.         <domain includeSubdomains="true">example.com</domain>
5.     </domain-config>
6. </network-security-config>

This file needs to go in 'Assets/Plugins/Android/res/xml/' folder.

Couple of notes
When building Unity complains about the 'network_security_config.xml' file/folder as being deprecated and to use 'AAR plug-ins and Android Libraries' system for it instead, but it worked just fine for me so i've not looked into that yet.

Check the logcat to see if you get reports of using the default network security config. If you see that then there is something wrong with your AndroidManifest or the network_security_config.xml. Using AndroidStudio APK Debugging is good for double checking the manifest file.


Hope this helps.

 

A note to help someone not take as long banging their head against the wall as I just did:

Do NOT name your android:networkSecurityConfig "network_sec_config". I found that if I did that, it would always ignore my custom network_sec_config.xml and use a default one. I figured this out by using apktool to unpack the apk and look at the generated files. One I named it something else (network_security_config, but I think anything but network_sec_config would probably work, it worked fine.)

For my part, I wasn't having a problem with UnityWebRequest, but I was with Vuplex's 3D WebView asset. Just having the application cleartextTrafficPermitted="true" didn't work. It showed up that way in the generated manifest even without me specifying it. It wasn't until I added the correct networkSecurityConfig that it worked.

Sidenote: When I did use "network_security_config" as my xml filename, the generated APK contained it AND the stock network_sec_config.xml file. That stock file was never used, but it seems to be hardcoded to generate it.

 

You might forget to add android:usesCleartextTraffic="true" attribute in AndroidManifest file. Also, ensure that internet permission is requested.

So, Click on Player Settings --> Publish Settings --> Check custom manifest template. You can add the android:usesCleartextTraffic="true" in the manifest file like this,

Code (CSharp):

1.  
2. <?xml version="1.0" encoding="utf-8"?>
3. <manifest ...>
4.     <uses-permission android:name="android.permission.INTERNET" />
5.     <application
6.         ...
7.         android:usesCleartextTraffic="true"
8.         ...>
9.         ...
10.     </application>
11. </manifest>
12.  

AndroidManifest.xml

Code (CSharp):

1.  
2. <?xml version="1.0" encoding="utf-8"?>
3. <manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.unity3d.player" android:installLocation="preferExternal" android:versionCode="1" android:versionName="1.0">
4.   <supports-screens android:smallScreens="true" android:normalScreens="true" android:largeScreens="true" android:xlargeScreens="true" android:anyDensity="true" />
5.   <uses-permission android:name="android.permission.INTERNET" />
6.   <application android:theme="@style/UnityThemeSelector" android:icon="@drawable/app_icon" android:label="@string/app_name" android:debuggable="true" android:usesCleartextTraffic="true">
7.     <activity android:name="com.unity3d.player.UnityPlayerActivity" android:label="@string/app_name">
8.       <intent-filter>
9.         <action android:name="android.intent.action.MAIN" />
10.         <category android:name="android.intent.category.LAUNCHER" />
11.       </intent-filter>
12.       <meta-data android:name="unityplayer.UnityActivity" android:value="true" />
13.     </activity>
14.   </application>
15. </manifest>

 

Where is this option?