    Preventing WebViewGold for Android: Switching usesCleartextTraffic from ‘true’ to ‘false’

    WebViewGold stands out because of its ability to convert a website or a web app into an Android app quickly and efficiently, no matter if HTTP- or HTTPS-based. However, to maintain optimal security in some app use cases, it’s recommended to ensure your WebViewGold-based app doesn’t connect to non-HTTPS site content. This article will guide you on how to modify the usesCleartextTraffic attribute in your AndroidManifest.xml file to prevent unsecured connections.

    BTW, you might also want to check out the independent BLOCK_SELF_SIGNED_AND_FAULTY_SSL_CERTS option in Config.java, which blocks content served with self-signed SSL (user) certificates and faulty SSL certificates.

    Before we delve into how to make the necessary changes, it’s crucial to understand the role of the usesCleartextTraffic attribute in AndroidManifest.xml.

    In Android, the usesCleartextTraffic attribute is a security measure that declares whether an app intends to use cleartext network traffic (such as plain HTTP) or not. The default value is “true,” which means the app may use cleartext network traffic. However, if you want to prevent the app from sending or receiving cleartext network traffic, you can set this attribute to “false.”

     

    Why & when to set usesCleartextTraffic to ‘false’?

    When usesCleartextTraffic is set to true, your app could interact with insecure websites – those not secured by SSL/TLS, i.e., non-HTTPS sites. Although these sites might appear harmless, they leave your app and its users vulnerable to man-in-the-middle attacks. By switching usesCleartextTraffic to false, you are ensuring that your WebViewGold-based app only interacts with HTTPS site content, which offers an added layer of security.

     

    Modifying usesCleartextTraffic in WebViewGold is easy:

    Changing the usesCleartextTraffic attribute from true to false in the WebViewGold setup is straightforward. Follow these steps:

    1. Open AndroidManifest.xml: In your WebViewGold project, open the AndroidManifest.xml file. This file can usually be found in the ‘app/src/main/’ directory.

    2. Find usesCleartextTraffic attribute: Within the AndroidManifest.xml file, find the <application> element. Inside this element, you will find an attribute called android:usesCleartextTraffic.

    3. Change the attribute value: By default, the value of this attribute is set to “true”. To change it, replace “true” with “false”.

    4. Save your changes: Once you’ve made the change, save and close the AndroidManifest.xml file.

    5. Build your app: Build your WebViewGold-based app (again). Your app is now configured to block non-HTTPS site content.
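
    A check for the result of these steps, as an added example that is not part of the original article or WebViewGold's own code: it parses a manifest and reports whether cleartext traffic is opted out. The sample manifests are constructed, and the networkSecurityConfig check reflects the Android rule that a Network Security Config, if present, takes precedence over this attribute on Android 7.0 (API 24) and later.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample manifests (not WebViewGold's real file): before and after step 3.
MANIFEST_BEFORE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.app">
    <application android:label="Demo" android:usesCleartextTraffic="true">
        <activity android:name=".MainActivity" />
    </application>
</manifest>"""
MANIFEST_AFTER = MANIFEST_BEFORE.replace(
    'android:usesCleartextTraffic="true"', 'android:usesCleartextTraffic="false"')


def check_cleartext(manifest_xml):
    """Return a list of findings; an empty list means cleartext is opted out."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    if app is None:
        return ["no <application> element found"]
    findings = []
    # Attributes in the android: namespace are keyed as {namespace}name.
    value = app.get(f"{{{ANDROID_NS}}}usesCleartextTraffic")
    if value is None:
        findings.append("usesCleartextTraffic not set; the default applies")
    elif value.strip().lower() != "false":
        findings.append(f"usesCleartextTraffic is {value!r}, expected 'false'")
    # A Network Security Config takes precedence over the attribute on
    # Android 7.0 (API 24) and later, so that file needs its own review.
    nsc = app.get(f"{{{ANDROID_NS}}}networkSecurityConfig")
    if nsc is not None:
        findings.append(f"networkSecurityConfig {nsc} overrides the attribute; review it")
    return findings


if __name__ == "__main__":
    for name, xml in (("before", MANIFEST_BEFORE), ("after", MANIFEST_AFTER)):
        print(name, check_cleartext(xml) or "OK: cleartext traffic disabled")
```

    To run it against a real project, read the contents of app/src/main/AndroidManifest.xml and pass them to check_cleartext.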

    In conclusion, for some app use cases, the importance of securing your Android application cannot be overstated. The steps above help create a safer environment for your users. However, remember to thoroughly test your app after this modification, as some functionality might depend on non-HTTPS content and may cease to work as expected.

    Happy (no-)coding with WebViewGold!
