Insecure HTTP connections are disabled by default on iOS and Android Flutter

Time:12-30

I need to allow all HTTP for all requests in my code.

The code works fine in debug and release mode for the apk, but it doesn't work when I upload it to Google Play as bundle.aab.

1- I created network_security_config.xml

<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config cleartextTrafficPermitted="true">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>
</network-security-config>

2- add to AndroidManifest/application

 <application
  android:usesCleartextTraffic="true"
  android:networkSecurityConfig="@xml/network_security_config"
......
  >

3- add meta-data to application

<application 
......>
.....
<meta-data android:name="io.flutter.network-policy"
 android:resource="@xml/network_security_config"/>
 </application>

4- add the permission

<uses-permission android:name="android.permission.INTERNET"/>

CodePudding user response:

You should use https, but if you still want to use the http protocol, then add the following to your Info.plist file in iOS:

<key>NSAppTransportSecurity</key>
<dict>
  <key>NSAllowsArbitraryLoads</key>
  <true/>
</dict>

Also for android add this entry in AndroidManifest.xml file:

<application
  ...
  android:usesCleartextTraffic="true">
  ...
</application>

CodePudding user response:

By default, Flutter disables insecure HTTP connections on iOS and Android to improve security and prevent man-in-the-middle attacks. However, if you need to allow insecure HTTP connections for testing or other purposes, you can do so by using the http package's BadCertificateCallback function.

To allow insecure HTTP connections in your Flutter app, you can do the following:

Import the http package and the dart:io library:

import 'package:http/http.dart' as http;
import 'dart:io';

Create a function that returns true for any certificate that should be allowed. For example, the following function allows any certificate:

bool allowInsecureCertificates(X509Certificate cert, String host, int port) {
  return true;
}

Use the http.Client constructor and pass the allowInsecureCertificates function as the onBadCertificate parameter to create an HTTP client that allows insecure certificates:

final client = http.Client(onBadCertificate: allowInsecureCertificates);

Use the client to make HTTP requests as needed. For example:

final response = await client.get(Uri.parse('http://insecure-server.com/data'));

Keep in mind that allowing insecure HTTP connections can compromise the security of your app and the data it handles. It is generally not recommended to allow insecure HTTP connections in production environments. Instead, you should use secure HTTPS connections to protect the integrity and confidentiality of your data.

CodePudding user response:

Is it any specific domain you are trying to call?

You can try adding the <domain-config> tag, if you know which domain you might be using. There is a section in the Android documentation, if you want to force the system to use only secure connections, here.

But you can try changing some values in that to see if disabling those force items can solve your problem.

Try something like this.

<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
   <domain-config cleartextTrafficPermitted="true">
      <domain includeSubdomains="true">network.domain.com</domain>
   </domain-config>
</network-security-config>

But this is only for Android.
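
An added example, not part of any answer above: a small Python check that reads a network_security_config.xml and an AndroidManifest.xml and reports whether cleartext is enabled for every host, as in the question's base-config, or only for named domains, as in the last answer's domain-config. The function names are hypothetical and the sample XML strings are constructed from the snippets on this page.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

def _flag(elem, inherited):
    """cleartextTrafficPermitted on elem, or the inherited value if unset."""
    val = elem.get("cleartextTrafficPermitted")
    return inherited if val is None else val.strip().lower() == "true"

def audit_network_config(xml_text):
    """Return (base_cleartext, [(domain, include_subdomains), ...])."""
    root = ET.fromstring(xml_text)
    base = root.find("base-config")
    # None means the file sets no base-config value (platform default applies).
    base_cleartext = _flag(base, None) if base is not None else None
    domains = []

    def walk(parent, inherited):
        for cfg in parent.findall("domain-config"):
            allowed = _flag(cfg, inherited)
            if allowed:
                for d in cfg.findall("domain"):
                    sub = d.get("includeSubdomains", "false").lower() == "true"
                    domains.append(((d.text or "").strip(), sub))
            walk(cfg, allowed)  # nested domain-config inherits unset values

    walk(root, base_cleartext)
    return base_cleartext, domains

def manifest_allows_cleartext(manifest_text):
    """True if <application> sets android:usesCleartextTraffic="true"."""
    app = ET.fromstring(manifest_text).find("application")
    return app is not None and app.get(ANDROID_NS + "usesCleartextTraffic") == "true"

# Constructed samples: the question's blanket config, the last answer's scoped one.
BLANKET = ('<network-security-config><base-config cleartextTrafficPermitted="true">'
           '<trust-anchors><certificates src="system"/></trust-anchors>'
           '</base-config></network-security-config>')
SCOPED = ('<network-security-config><domain-config cleartextTrafficPermitted="true">'
          '<domain includeSubdomains="true">network.domain.com</domain>'
          '</domain-config></network-security-config>')
MANIFEST = ('<manifest xmlns:android="http://schemas.android.com/apk/res/android">'
            '<application android:usesCleartextTraffic="true"/></manifest>')

if __name__ == "__main__":
    for name, cfg in (("blanket", BLANKET), ("scoped", SCOPED)):
        print(name, audit_network_config(cfg))
    print("manifest flag:", manifest_allows_cleartext(MANIFEST))
```

In CI, a base_cleartext of True or a manifest flag of True on a release build can fail the check, while scoped domains are compared against a reviewed allowlist.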
