Yesterday, we deployed version nb193a. Prior to this version, we supposed secure connections over HTTPS or non-secure connections over HTTP. As of this version, non-secure connections are now re-routed to a secure connection.
-Jeff
3 Likes
So the clear text traffic warning from the Play Developer console will be gone with that?
I think it's related to the App Inventor site itself, not with apps. Previously the main App Inventor server (ai2.appinventor.mit.edu) can start with both http:// and https://. Now, http:// will be redirected to https://.
1 Like
You will probably be right.
1 Like
Indeed. The warning from the Play Store is about compiled apps. The change I made yesterday is about the App Inventor website itself.
We have been working toward requiring HTTPS for a while now, but the thing that pushed us to do it now is that Google changed Chrome so that unless you were using a page loaded with HTTPS, you could not communicate with "localhost" (127.0.0.1) which is necessary for people using the Emulator.
The change to Chrome is actually quite old, but Google gave us a magic token to put in our headers when you loaded App Inventor that instructed Chrome that we were allowed as an exception. This exception timed out.
As for the Play Store warning. This is because on newer versions of Android, we need to provide a "Network Security Configuration" as a resource. This file instructs the Android operating system which URLs the application is permitted to access.
We provide a configuration that basically says, the app can talk to anywhere, both with or without HTTPS.
Google Play doesn't like this, thus the warning. However, if we were to remove the HTTP permission (aka, require only "secure" HTTPS connections), people would not be able to build apps that communicate with non-secure links, both directly and through a webview.
I'm thinking about perhaps adding a project level settings to control whether HTTP URLs are permitted.
3 Likes