Android is committed to keeping users, their devices and their data safe. One of the
ways we keep data secure is by protecting the network traffic that enters or leaves
an Android device with Transport Layer Security (TLS).
Android 7 (API level 24) introduced the Network Security Configuration in 2016, which lets
app developers configure the network security policy for their app through a
declarative configuration file. To ensure apps are safe, apps targeting
Android 9 (API level 28) or higher automatically get a default policy that
blocks unencrypted (cleartext) traffic for every domain.
Today, we are happy to announce that 80% of Android apps are encrypting traffic by
default. The percentage is even higher for apps targeting Android 9 and higher: 90%
of them encrypt traffic by default.
Since November 1, 2019, all apps (updates as well as new apps on Google Play) must
target at least Android 9. As a consequence, we expect these numbers to continue to
improve. By default, the network traffic we observe from these apps is secure, and any
use of unencrypted connections is the result of an explicit choice by the developer.
The latest releases of Android Studio and Google Play's pre-launch report warn
developers when their app includes a potentially insecure Network Security Configuration
(for example, when it permits unencrypted traffic for all domains or when it accepts
user-installed certificates outside of debug mode). This encourages the adoption of
HTTPS across the Android ecosystem and ensures that developers are aware of their
What We Should Do To Secure Our App?
For apps targeting Android 9 and higher, the out-of-the-box default is to encrypt all
network traffic in transit and to trust only certificates issued by an authority in the
standard Android CA set, without any extra configuration. Apps can make an exception
to this only by including a separate Network Security Config file with carefully selected
If your app needs to allow cleartext traffic to certain domains, it can do so by including
a Network Security Config file that contains only those exceptions to the default secure
policy. Keep in mind that you should treat data received over insecure connections with
caution, since it could have been tampered with in transit.
If your app needs to accept user-installed certificates for testing purposes
(for example, connecting to a local server during development), make sure to wrap your
<trust-anchors> element inside a <debug-overrides> element. This ensures the connections
in the production version of your app remain secure.
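The following Network Security Config puts the two recommendations above together. It is an added example written for this page, not a file from the original post or from any Android project; the hostname legacy.example.com is made up, and the file is assumed to live at res/xml/network_security_config.xml and to be referenced from the manifest's <application> element via android:networkSecurityConfig="@xml/network_security_config". The base policy keeps the Android 9 default (no cleartext, system CAs only), a single domain-config carves out the one host that still needs HTTP, and user-installed certificates are trusted only inside <debug-overrides>, which the platform applies only when android:debuggable is true.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml (added example; hostnames are made up).
     Referenced from AndroidManifest.xml as
     <application android:networkSecurityConfig="@xml/network_security_config" ...> -->
<network-security-config>

    <!-- Base policy for every host not matched below. This restates the
         Android 9+ default explicitly: block cleartext and trust only the
         system CA store. The insecure anti-pattern the Play pre-launch
         report warns about would be cleartextTrafficPermitted="true" here,
         or <certificates src="user" /> in this base trust-anchors. -->
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>

    <!-- Narrow exception: one legacy host (and its subdomains) that is still
         HTTP-only. Nothing else in the app may use cleartext, and whatever
         this host returns must be treated as untrusted input, since it can
         be modified in transit. -->
    <domain-config cleartextTrafficPermitted="true">
        <domain includeSubdomains="true">legacy.example.com</domain>
    </domain-config>

    <!-- Test-only trust for a local server or intercepting proxy. The
         user-installed CA is honoured only when android:debuggable="true",
         which release builds do not set, so production traffic still
         validates against the system CA store alone. -->
    <debug-overrides>
        <trust-anchors>
            <certificates src="user" />
        </trust-anchors>
    </debug-overrides>

</network-security-config>
```

A quick check after adding the file: a debug build should be able to talk to your local test server through a user-installed CA, while a release build of the same APK should fail TLS validation against that server and should refuse http:// to any host other than the one listed in domain-config.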
What We Can Do To Secure Our Library?
If your library opens network connections directly, whether secure or cleartext, make sure
it honors the app's cleartext settings by calling
NetworkSecurityPolicy.isCleartextTrafficPermitted() with the target hostname before
opening any cleartext connection.
The built-in networking libraries and other popular HTTP libraries such as OkHttp or Volley
already have built-in Network Security Config support on Android.