java.android.best-practice.manifest-security-features.manifest-usesCleartextTraffic-ignored-by-nsc


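Manifest uses both `android:usesCleartextTraffic` and a Network Security Config. The `usesCleartextTraffic` attribute is ignored on Android 7 (API 24) and above if a Network Security Config is present, so on those versions the cleartext policy that actually applies is the one set in the Network Security Config (`cleartextTrafficPermitted`). Keep the two consistent: on those versions a manifest value of `false` does not block cleartext HTTP if the config permits it.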


Definition

# Semgrep rule: reports XML files in which both android:usesCleartextTraffic and
# android:networkSecurityConfig appear, because the former is ignored on
# Android 7 (API 24) and above when a Network Security Config is present.
rules:
  - id: manifest-usesCleartextTraffic-ignored-by-nsc
    # Generic mode matches text rather than a parsed XML tree, so the patterns
    # below look only at the two attribute names. Attribute values and the
    # element that carries them are not checked.
    languages:
      - generic
    message: Manifest uses both `android:usesCleartextTraffic` and Network Security
      Config. The `usesCleartextTraffic` directive is ignored on Android 7 (API
      24) and above if a Network Security Config is present.
    metadata:
      category: best-practice
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      technology:
        - android
      references:
        - https://developer.android.com/guide/topics/manifest/application-element#usesCleartextTraffic
        - https://developer.android.com/training/articles/security-config
    patterns:
      # The two attributes are accepted in either order.
      # NOTE(review): in generic mode `...` spans only a limited number of
      # lines (10 by default, to my knowledge), so attributes placed further
      # apart would not be reported. Confirm for the Semgrep version in use.
      - pattern-either:
          - pattern: |
              android:usesCleartextTraffic ... android:networkSecurityConfig
          - pattern: |
              android:networkSecurityConfig ... android:usesCleartextTraffic
      # Discard matches that lie entirely inside an XML comment.
      - pattern-not-inside: |
          <!-- ... -->
    # Informational only: the rule does not read the Network Security Config
    # file, so a finding says nothing about whether cleartext is permitted.
    severity: INFO
    paths:
      include:
        # Every XML file is scanned, not only AndroidManifest.xml.
        - "*.xml"

Examples

manifest-security-features.xml

<?xml version="1.0" encoding="utf-8"?>

<!-- Semgrep test fixture for generic (text) matching, not a buildable manifest:
     the annotation comment sits inside the <application> start tag, which an
     XML parser would reject.
     Positive case: usesCleartextTraffic and networkSecurityConfig are both set
     on <application>, so the ignored-by-nsc rule is expected to report the line
     that follows the annotation. On API 24 and above the cleartext policy of
     this app would come from @xml/network_security_config, not from the
     manifest attribute. -->
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    xmlns:tools="http://schemas.android.com/tools"
    package="com.example.manifest-test" >
    <application
        <!-- ruleid: manifest-usesCleartextTraffic-true, manifest-usesCleartextTraffic-ignored-by-nsc -->
        android:usesCleartextTraffic="true"
        android:networkSecurityConfig="@xml/network_security_config"
        android:allowBackup="true"
        android:icon="@mipmap/ic_launcher"
        android:label="@string/app_name"
        android:roundIcon="@mipmap/ic_launcher_round"
        android:supportsRtl="true"
        android:theme="@style/AppTheme"
        android:fullBackupContent="false"
        tools:ignore="GoogleAppIndexingWarning">

        <activity
            android:name="com.example.networksecurity.MainActivity"
            android:label="@string/app_name"
            android:theme="@style/AppTheme.NoActionBar">
            <intent-filter>
                <action android:name="android.intent.action.MAIN" />

                <category android:name="android.intent.category.LAUNCHER" />
            </intent-filter>
        </activity>
    </application>

</manifest>

<!-- Semgrep test fixture for generic (text) matching, not a buildable manifest:
     the annotation comments sit inside the <application> start tag.
     Negative case for the ignored-by-nsc rule: usesCleartextTraffic is "true"
     but <application> has no networkSecurityConfig attribute, so the manifest
     attribute is the setting that applies and the rule must stay silent. The
     separate usesCleartextTraffic-true rule is still expected to report it. -->
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    xmlns:tools="http://schemas.android.com/tools"
    package="com.example.manifest-test" >
    <application
        <!-- ok: manifest-usesCleartextTraffic-ignored-by-nsc -->
        <!-- ruleid: manifest-usesCleartextTraffic-true -->
        android:usesCleartextTraffic="true"
        android:allowBackup="true"
        android:icon="@mipmap/ic_launcher"
        android:label="@string/app_name"
        android:roundIcon="@mipmap/ic_launcher_round"
        android:supportsRtl="true"
        android:theme="@style/AppTheme"
        android:fullBackupContent="false"
        tools:ignore="GoogleAppIndexingWarning">

        <activity
            android:name="com.example.networksecurity.MainActivity"
            android:label="@string/app_name"
            android:theme="@style/AppTheme.NoActionBar">
            <intent-filter>
                <action android:name="android.intent.action.MAIN" />

                <category android:name="android.intent.category.LAUNCHER" />
            </intent-filter>
        </activity>
    </application>

</manifest>

<!-- Semgrep test fixture for generic (text) matching, not a buildable manifest:
     the annotation comment sits inside the <application> start tag.
     Negative case for both annotated rules: usesCleartextTraffic is "false" and
     <application> has no networkSecurityConfig attribute, so neither the
     usesCleartextTraffic-true rule nor the ignored-by-nsc rule should report. -->
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    xmlns:tools="http://schemas.android.com/tools"
    package="com.example.manifest-test" >
    <application
        <!-- ok: manifest-usesCleartextTraffic-true, manifest-usesCleartextTraffic-ignored-by-nsc -->
        android:usesCleartextTraffic="false"
        android:allowBackup="true"
        android:icon="@mipmap/ic_launcher"
        android:label="@string/app_name"
        android:roundIcon="@mipmap/ic_launcher_round"
        android:supportsRtl="true"
        android:theme="@style/AppTheme"
        android:fullBackupContent="false"
        tools:ignore="GoogleAppIndexingWarning">

        <activity
            android:name="com.example.networksecurity.MainActivity"
            android:label="@string/app_name"
            android:theme="@style/AppTheme.NoActionBar">
            <intent-filter>
                <action android:name="android.intent.action.MAIN" />

                <category android:name="android.intent.category.LAUNCHER" />
            </intent-filter>
        </activity>
    </application>

</manifest>