Ошибка net err cleartext not permitted

How goes your app’s development? Are you receiving the error message “net::err_cleartext_not_permitted”? Well, good thing this article contains four great solutions to solve your Android Webview issue. We’ll cover what this error means and how you can solve the root problem. Continue reading below for some useful background information, causes of this error, and of course, the solutions.

What is Android Webview?

Android is an operating system with 87% of the global market share for mobile devices. As a result, Android applications can reach a much larger audience than applications designed for Apple. Additionally, it’s more difficult to be approved on Apple’s App Store than Google Play. For this reason, many application developers opt to focus on Android development.

Android WebView is a view used by developers to include functional web content into their applications. Android WebView isn’t a fascinating component, but it’s an integral Android development tool. Android WebView now updates independently of Android, and Google recommends all users update WebViews as updates become available. One downside to Webview is that any major outages or update issues will be experienced on any apps developed to use Webview. To prevent security issues, users should keep their Android operating system updated, as patches are no longer rolled out for Android version 4.3 and below.

On any Android phone, Webview is the only method to view content on the internet outside of a web browser. To contain all user actions within an application, a developer can implement Webview. For example, when a user clicks a link inside an application, the site will be loaded within the application instead of opening a pop-up web browser.

Cleartext is any information that has not been encrypted. As such, there is no need to decrypt the data to read it. Cleartext differs from plaintext, which is just plain language that might have been encrypted at some point. Information sent over the internet using cleartext can be subject to malicious attacks. The cleartext information may be stolen or manipulated.

To prevent tampering and other malicious activity, especially as cleartext data interacts with third-party servers, Google decided to disable cleartext information by default. Google implemented this change on Android 9 (API 28).

Note: Android 9 Pie was released on August 6th, 2018. Currently, the Android operating system is on version 11 (API 30).

Cleartext is typically sent over an HTTP (hypertext transfer protocol) URL. Following the Android 9 update, all applications using Android Webview should use HTTPS; otherwise, the system will throw the net::err_cleartext_not_permitted error. In short, this error will appear to users of your application because of Android’s network security configuration when accessing HTTP URLs.

How to solve the net::err_cleartext_not_permitted Android Webview error

Developers can solve the net::err_cleartext_not_permitted Android Webview error by allowing only HTTPS URLs in their application. Any website with a valid SSL certificate can be accessed using HTTPS. Therefore, you need to remove all unsecured URLs and force HTTPS for all websites.

Before proceeding to solutions to force HTTPS, you’ll learn a quick workaround. This option is available if you are unable to force all connections:

1. Edit AndroidManifest.xml

All Android applications will have an AndroidManifest.xml file. This file contains vital information about your application, such as activities and services. AndroidManifest.xml also provides permissions for protected parts of the application and declares the application’s Android API.

You are going to edit the application subelement (within manifest). You will be adding a simple application tag.

Warning: This workaround should only be a temporary fix, as it will compromise your user’s data integrity due to the major vulnerability posed by cleartext data over HTTP URLs.

Here is how to edit the AndroidManifes.xml:

1. Find AndroidManifest.xml file in application folder at:
   android/app/src/main/AndroidManifest.xml
2. Locate the application subelement.
3. Add the following tag:
   android:usesCleartextTraffic=”true”
4. The application subelement should now look like:

<application
    android:name=”io.flutter.app.Test”
    android:label=”bell_ui”
    android:icon=”@mapmap/ic_launcher”
    android:usesCleartextTraffic=”true”>

1. Save the AndroidManifest.xml file.

The following two solutions will involve forcing HTTPS on either WordPress or HTML/PHP sites. If you are building an Android application to accompany a web application (there are many reasons to develop a native app), then you will anticipate much overlap in URLs. You can edit your website to force HTTPS usage as long as you have an SSL certificate installed.

2. Force HTTPS for WordPress Sites

To force HTTPS on a WordPress site, you will need to edit the .htaccess file. The .htaccess file is involved in managing redirects and permalinks.

1. Login to your WordPress admin dashboard.
2. Select Settings and then General from the left-hand dashboard.

1. Locate WordPress Address (URL) and Site Address (URL) and make sure these URLs are HTTPS. Your site will need an SSL certificate for this. 
2. Now, you will need access to a file manager through FTP or cPanel to edit your WordPress files. There are alternative options, such as plugins that can also provide this functionality. Locate the .htaccess file within the root folder and Open the file.

1. Within this file locate # BEGIN WordPress. This is the start of the WordPress rules that you are going to edit. Replace that entire section, ending with # END WordPress, with the following text. Be sure to replace the XXXX with your own domain name but do not rearrange the text in any other way:

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index.php$ – [L]

# Rewrite HTTP to HTTPS
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://XXXX.com/$1 [R=301,L]

RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

1. Make sure to save your changes to the .htaccess file.

3. Force HTTPS for HTML/PHP Sites

1. Open FTP or cPanel and access the root directory for your site.
2. If you are in cPanel you can click the + File button on the top toolbar. In FTP you can right-click inside the root directory and select Create new file. Create a file called .htaccess.

cPanel:

FTP:

1. Now open the .htaccess file that was created in the root directory.
2. If your site uses a www address then add the following block of code to your .htaccess file:

RewriteEngine On

RewriteCond %{HTTPS} !on
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
RewriteCond %{HTTP_HOST} !^www. [NC]
RewriteRule .* https://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

1. If your site uses a non-www address then add the following block of code to your .htaccess file:

RewriteEngine On
RewriteCond %{HTTPS} !on
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
RewriteCond %{HTTP_HOST} ^(www.)(.+) [OR]
RewriteCond %{HTTPS} off
RewriteCond %{HTTP_HOST} ^(www.)?(.+)
RewriteRule ^ https://%2%{REQUEST_URI} [R=301,L]

1. If your site uses PHP you will also need to update your PHP Config file, site URL, and base URL variables.

4. Edit network_security_config.xml

This next solution is available for applications using Android version 7 or above. The network_security_config.xml file allows developers to edit the network security configuration to suit their application’s needs. You can edit this file to allow a specific domain name to bypass the security rules. Network traffic using this domain would not trigger the net::err_cleartext_not_permitted error.

To add a domain to the whitelist:

1. Inside your Android application folder, add a file named network_security_config.xml at the following location:
   res/xml/
2. Add the following domain configuration text. Make sure to change the your_domain.com part to your website’s address.

<?xml version=”1.0″ encoding=”utf-8″?>
<network-security-config>
    <domain-config cleartextTrafficPermitted=”true”>
        <domain includeSubdomains=”true”>your_domain.com</domain>
    </domain-config>
</network-security-config>

1. Save the changes to the network_security_config.xml file.
2. Find AndroidManifest.xml file in the application folder at:
   android/app/src/main/AndroidManifest.xml
3. Locate the application subelement.
4. Add the following text to specify the path to the network security configuration file:

<application

    android:name=”.DemoApp”
    android:networkSecurityConfig=”@xml/network_security_config”

net::err_cleartext_not_permitted Android Webview error solved

Android Webview is an excellent system component for any Android developer to have in their toolkit. Webview allows a developer to display web content, like your own or a third-party website, within the native application. If Webview is not used, the only method to display web content involves a disruption in the usage of the application. A browser, a completely different application, will open. Once a user leaves your application, they may never return. This can result in less traffic, ad revenue, and sales.

If you followed the solutions above, you would have edited your application’s AndroidManifest.xml file to add an exception for cleartext traffic. You have created and edited a network_security_config.xml file to whitelist a specific domain for cleartext network traffic.

If you are developing an application with significant URL overlap as a web application, then solutions 2 and 3 are especially useful. You learned how to force the use of HTTPS for either a WordPress or an HTML/PHP web application. It is done by editing the .htaccess file using cPanel or FTP.

If you would like to learn more about Android Network Security configuration and specifically cleartext traffic rules, you can do so here.

If you want to learn more about Android Webview, you can do so here. The documentation is excellent, and you will have a far better understanding of Android Webview if you read the documentation. As you learned above, there are some constraints associated with Webview.

You might also experience related Android WebView errors while building your app. However, there is no need to worry because we have covered the other common WebView error message, err_unknown_url_scheme, in a separate article.

Android WebView is a system component powered by Chrome that allows Android apps to display web content. In other words, WebView is an embeddable browser that a native application can use to display web content.

One of the most common uses for a WebView is to display the contents of a link inside an app without leaving it. In recent Android versions, you might sometimes see ERR_CLEARTEXT_NOT_PERMITTED error if you try to open an unsecured URL (usually a HTTP URL).

Below is a screenshot of the error.

The very same unsecured URLs can be opened in Chrome, Edge or any dedicated browser just fine, which could cause confusion across new developers.

This article will explain why ERR_CLEARTEXT_NOT_PERMITTED happens, and what you can do to fix it.

Why does ERR_CLEARTEXT_NOT_PERMITTED happens?

Cleartext is any transmitted or stored information that is not encrypted or meant to be encrypted.
Anything that is transferred in unsecured URL can be categorized as cleartext information. Those information can be eavesdropped or tampered by a malicious third party. In rare cases, they can launch an attack directed towards your device or leaking your personal information.

Starting from Android 9.0 (API level 28), Google has decided to phase out support for cleartext network protocols in the WebView. Any attempt to access a non-HTTPS URL will raise ERR_CLEARTEXT_NOT_PERMITTED error.

The proper solution for this error is to simply use HTTPS URLs for all of your endpoints and remove all unsecured URLs from your codebase.

Workaround to avoid ERR_CLEARTEXT_NOT_PERMITTED

If you don’t have access to the infrastructure to force every connection to use HTTPS, you can try the adding the flag android:usesCleartextTraffic="true" into AndroidManifest.xml.

First you need to edit the Android Manifest file at android/app/src/main/AndroidManifest.xml and add the following line into the application tag.

android:usesCleartextTraffic="true"
Code language: JavaScript (javascript)

The file after the changes would look something like this :
BEFORE

<application
        android:name="io.flutter.app.Test"
        android:label="bell_ui"
        android:icon="@mapmap/ic_launcher">
Code language: HTML, XML (xml)

AFTER

<application
        android:name="io.flutter.app.Test"
        android:label="bell_ui"
        android:icon="@mapmap/ic_launcher"
       android:usesCleartextTraffic="true">
Code language: HTML, XML (xml)

The workaround might be good for testing and debugging. However, it leaves a big security hole and opens a threat to data integrity.

Android 7+ ERR_CLEARTEXT_NOT_PERMITTED solution

Another better solution introduced from Android 7.0 is to configure the network_security_config.xml file. You can read more about it in Google’s Network security configuration page.

Basically, network_security_config.xml allows you to whitelist a domain from the global security rules. Therefore, the traffic comes to and from that domain would not be raise ERR_CLEARTEXT_NOT_PERMITTED.

First, you need to create a file in res/xml/ and name it network_security_config.xml.

Then you need to add a domain configuration block and set cleartextTrafficPermitted flag to true so it would look like this.

<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <domain-config cleartextTrafficPermitted="true">
        <domain includeSubdomains="true">your_domain.com</domain>
    </domain-config>
</network-security-config>



  


                       
  



Code language: HTML, XML (xml)

After that, you need to spcify the path to your network security config file under your AndroidManifest so it would look like below :

<application
    android:name=".DemoApp"
    android:networkSecurityConfig="@xml/network_security_config"
...
Code language: HTML, XML (xml)

We hope that the solutions above help you solve your problem. Please note that the proper way to fix the error is using a secure network traffic protocol rather than a cleartext one.

We’ve also written a few other guides on fixing common Chrome error messages, such as How to fix ERR_SSL_PROTOCOL_ERROR and ERR_RESPONSE_HEADERS_MULTIPLE_CONTENT_DISPOSITION that you may want to check out.

Opening URL inside any Android Application will use Android Webview and for some URLs, you might encounter ERR_CLEARTEXT_NOT_PERMITTED Error. The error should look similar to the below image.

So what this exactly mean?

Cleartext is any transmitted or stored information that is not encrypted or meant to be encrypted. When an app communicates with servers using a cleartext network traffic, such as HTTP, it could raise the risk of eavesdropping and tampering of content. Third parties can inject unauthorized data or leak information about the users. That is why developers are encouraged to secure traffic only, such as HTTPS. Starting with Android 9.0 (API level 28), cleartext support is disabled by default. Due to security purposes URL without HTTPS will throw err_cleartext_not_permitted error whenever an application uses it in the Android webview.

There’s an easy solution to fix err_cleartext_not_permitted error and i.e. don’t use insecure URLs. It is recommended to force HTTPs on your websites and remove all the insecure URLs i.e. non-HTTPs from the application. You will find the following guides helpful in forcing HTTPs on your websites.

Force HTTPS for WordPress websites by .htaccess 

Force HTTPS on the HTML/PHP Websites using .htaccess

We hope the above guides help you to fix err_cleartext_not_permitted error for the insecure URLs.

Android Application Code Fix

If you are an application developer and facing the issue then this can be fixed by adding android:usesCleartextTraffic="true" flag in the AndroidManifest.xml file under the application block.

Open the android manifest file (android/app/src/main/AndroidManifest.xml) and add the following into the application tag.

android:usesCleartextTraffic="true"

Find an example below to add the flag correctly.

Before Code

<application
        android:name="io.flutter.app.Test"
        android:label="ginger_ui"
        android:icon="@mipmap/ic_launcher">

After Code (changes/addition in bold)

<application
        android:name="io.flutter.app.Test"
        android:label="ginger_ui"
        android:icon="@mipmap/ic_launcher"
       android:usesCleartextTraffic="true">

Adding the above flag will start accepting the non-HTTPs Traffic in the app and fix err:ERR_CLEARTEXT_NOT_PERMITTED error.  But still at the end of the day, better to use secure network traffic rather than cleartext.

Feel free to reach us out if you need kind of assistance with any technical queries. Shoot us an email at technical@basezap.com, and our professional experts will get in touch with you.