Circumventing HTTPS Restrictions in Android Development

After targetSDK upgrade to 28, Android forces network requests to use https protocol. On the public server, it’s easy to do, just enable https support. And there is no website that doesn’t support https now, right?

However, this limitation is not so convenient when developing and debugging Android programs on your own computer. Probably Google has taken this into account and provided a method.

First open the local server, assuming it is running on port 3000.

Create a new res/xml/network_security_config.xml file and reference it in AndroidManifest.xml as follows.

1
2
3
4
5
6
7
8
9

<?xml version="1.0" encoding="utf-8"?>
<!-- AndroidManifest.xml -->
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="your.package.name.here>
    <application
        android:networkSecurityConfig="@xml/network_security_config"
        ....>
        <activity .../>
</manifest>

network_security_config.xml reads as follows

1
2
3
4
5
6
7
8

<?xml version="1.0" encoding="utf-8"?>
<!-- network_security_config.xml -->
<network-security-config>
    <domain-config cleartextTrafficPermitted="true">
        <!-- Configure the domain whitelist here -->
        <domain includeSubdomains="true">localhost</domain>
    </domain-config>
</network-security-config>

Then map the 3000 port of the phone to the 3000 port of the development machine.

1

adb reverse tcp:3000 tcp:3000

Finally, just change the domain name of the service you are accessing in your code to localhost.

Addendum: Although highly discouraged, if you want the whole APP to access any network without this https protocol restriction, you can do this.

1
2
3
4

<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config cleartextTrafficPermitted="true"></base-config>
</network-security-config>