Description
Add a test in MASVS-NETWORK-1 for usesCleartextTraffic in AndroidManifest:
https://developer.android.com/guide/topics/manifest/application-element#usesCleartextTraffic
This flag is honored on a best-effort basis because it's impossible to prevent all cleartext traffic from Android applications given the level of access provided to them. For example, there's no expectation that the Socket API will honor this flag because it cannot determine whether its traffic is in cleartext. However, most network traffic from applications is handled by higher-level network stacks/components, which can honor this flag by either reading it from ApplicationInfo.flags or NetworkSecurityPolicy.isCleartextTrafficPermitted().
Note: WebView honors this attribute for applications targeting API level 26 and higher.
This flag is ignored on Android 7.0 (API level 24) and above if an Android Network Security Config is present.
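
A static check along the lines this issue proposes, as an added example that is not part of the issue or the MASTG project's own code. It evaluates the explicit attribute, the documented default (`"true"` for targetSdkVersion 27 and lower, `"false"` from 28), and the Network Security Config override described above. Assumptions: the manifest has already been decoded to text XML, and the function name `check_cleartext` and the PASS/FAIL/REVIEW labels are hypothetical.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

def check_cleartext(manifest_xml):
    """Static check of usesCleartextTraffic in a decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    sdk = root.find("uses-sdk")
    if app is None:
        return {"status": "REVIEW", "permitted": None, "reason": "no <application> element"}
    flag = app.get(ANDROID + "usesCleartextTraffic")
    nsc = app.get(ANDROID + "networkSecurityConfig")
    target = sdk.get(ANDROID + "targetSdkVersion") if sdk is not None else None

    if flag is not None and flag.strip().lower() in ("true", "false"):
        permitted, reason = flag.strip().lower() == "true", "explicit attribute"
    elif flag is not None:
        # e.g. "@bool/..." must be resolved from the app's resources
        permitted, reason = None, "value is a resource reference: " + flag
    elif target is not None and target.isdigit():
        # Documented default: "true" up to targetSdkVersion 27, "false" from 28
        permitted, reason = int(target) <= 27, "default for targetSdkVersion " + target
    else:
        permitted, reason = None, "attribute and targetSdkVersion both absent"

    if nsc is not None:
        # On Android 7.0 (API 24)+ the config overrides the manifest flag
        status = "REVIEW"
        reason += "; " + nsc + " takes precedence on API 24+"
    elif permitted is None:
        status = "REVIEW"
    else:
        # PASS only covers stacks that honor the flag; raw sockets do not
        status = "FAIL" if permitted else "PASS"
    return {"status": status, "permitted": permitted, "reason": reason}

# Constructed sample manifests (not taken from any real app)
HEAD = '<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="org.example.app">'
SAMPLES = {
    "explicit_true": HEAD + '<application android:usesCleartextTraffic="true"/></manifest>',
    "default_sdk27": HEAD + '<uses-sdk android:targetSdkVersion="27"/><application/></manifest>',
    "default_sdk28": HEAD + '<uses-sdk android:targetSdkVersion="28"/><application/></manifest>',
    "with_nsc": HEAD + '<application android:usesCleartextTraffic="false" '
                'android:networkSecurityConfig="@xml/network_security_config"/></manifest>',
}

if __name__ == "__main__":
    for name, xml in SAMPLES.items():
        print(name, check_cleartext(xml))
```

A REVIEW result for a manifest with `android:networkSecurityConfig` means the referenced config file has to be inspected, since the manifest flag alone no longer decides the outcome on API 24 and above.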