Determine if cleartextTraffic flag is required on Android
Closed this issue ยท 8 comments
My updater (having been enhanced with additional security checks recently) just informed me:
repo/com.hjiangsu.thunder_36.apk declares flags: usesCleartextTraffic
which refers to your definition here. By default, that option is disabled, so it must have been enabled explicitly at one point for some reason. Is that reason still standing (if so, what is it?) โ or can that line be removed? I don't think there's a Lemmy instance out there not secured by HTTPS/SSL, so I'd guess Thunder won't need to make any request using "insecure channels"?
Thanks in advance for clarification!
I managed to trace this down to this PR: #104.
The main reason for keeping this would be if a Lemmy post contains an external link to a HTTP site (or potentially a HTTP link which redirects to its HTTPS counterpart) I believe we might be able to remove this, but users may encounter this issue in the future (although it might be rare)
Is it possible that that error was specifically related to the fact that we were loading and rendering web page links in-app using WebView? And now that we mainly just support embedded or external browsers, we'd push the burden on them to enforce/redirect insecure requests?
Is it possible that that error was specifically related to the fact that we were loading and rendering web page links in-app using WebView?
I think that might've been the case. I'm not sure if this issue will still happen with the custom_tabs, or if custom_tabs understands to automatically redirect HTTP -> HTTPS
if custom_tabs understands to automatically redirect
My understanding is that custom tabs isn't doing anything except to invoke that feature in your default browser. It should be up to Firefox/Chrome/Safari to either redirect or show an appropriate warning.
I'd be tempted to take out this line, especially if it's a requirement for Izzy (or to avoid a bad label ๐), and see what happens.
It's not a strict requirement โ this is just a "warning" that something might be not as it should. If there's a good reason to need the flag, I can put it on the allow-list for Thunder. So take your time to make sure you really don't need it before removing it. Nothing is "handed up" for display yet, currently it's just "internal handling" (to detect possible "dangerous" things and report them to the corresponding app authors to check). At some later point I might make this visible to visitors of the app's page on my website, but that's unlikely to happen very soon. First all checks need to be in place and confirmed working as intended, which will at least take until spring.
What we can do here is release a nightly build with this change to see if it affects anyone on the using those builds. From here, we'll get a good sense of whether or not usesCleartextTraffic is needed.
I don't expect to be releasing a general build anytime soon (~1 month) so that should give us enough data to go off of! I'll rename this issue to a more suitable title
usesCleartextTraffic has now been removed from the pre-releases and the general releases with 0.2.9. I'll close this issue but feel free to comment on here if there is anything else that needs to be addressed!
Thanks! Confirmed it gone:
If you want to let that DEPENDENCY_INFO_BLOCK disappear as well:
android {
dependenciesInfo {
// Disables dependency metadata when building APKs.
includeInApk = false
// Disables dependency metadata when building Android App Bundles.
includeInBundle = false
}
}For some background: that BLOB is supposed to be just a binary representation of your app's dependency tree. But as it's encrypted with a public key belonging to Google, only Google can read it โ and nobody else can even verify what it really contains.