Setting cleartextTrafficPermitted to FALSE

Currently AppInventor apps cannot be declared as using safe communication (cleartextTrafficPermitted = FALSE).
Requested behavior: On the main screen allow to set cleartextTrafficPermitted to FALSE.
Today security (and especially perceived security) is important.
How difficult is this fix?
I know that tough guys use neither https nor backups nor root passwords, but please mind us normal ones.

It's the same with Kodular. What exactly is your problem with that?

You can just ignore the warning from Google's Play Developer Console.

Hi Anke,
my understanding is as follows:

  1. Today making public apps that do not use https (TLS1.2+) is not on the discussion table.
  2. As I understand it, the manifest is a governance approach to ensure it is as it should be (blocked) - this is the way security should be handled and the only way to convince users that Android and a particular app is safe.
  3. I do want to be able to declare (manifest) if app is safe and adheres to today's standards (there will be apps that do not - thus the option to declare it).

And security bugs are Critical or High priority in most organisations/projects. The risk I see is getting to the point File component is (our apps will no longer be allowed to Store OR will not run on devices). In 2020 AppInventor promised to look into it and the ticket has been closed since then without any update.

This is why my question is how complex the fix is - if it is not big we should not discuss it.

https://appsec-labs.com/portal/understanding-the-android-cleartexttrafficpermitted-flag/

Yes. It does not mean we will not follow the files-on-API30 path - this is why I believe it should be implemented, but in the cheapest possible way.

Maybe @ewpatton might want to comment on this.

Yes, we probably should add this as a configurable option at some point. It was originally set when Android included it because of the fact that we couldn't make any assumptions about whether people's apps used HTTP or not. For example, people connecting to a custom IoT device they are programming probably don't want to go through the trouble of configuring an SSL certificate for it. If you only ever connect to sites using HTTPS in your app (or not even using internet in the app), then having the flag doesn't technically harm you. Now, for people who want to publish their apps through the Play Store that is a different calculus, but the bulk of our users do not do that so it was considered sufficient at the time. I've been thinking about a better way to handle project level properties such as this since the current way of dumping all of the configuration into Screen1 hasn't really scaled.
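Added example, not part of the thread and not App Inventor code: a small auditor that reads an Android Network Security Config and reports whether cleartext HTTP is permitted for a given host, covering the case above where one IoT device needs HTTP while everything else is blocked. The host name `iot-device.example` and the sample XML are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: block cleartext by default, allow it for one IoT host only.
SAMPLE_CONFIG = """<network-security-config>
    <base-config cleartextTrafficPermitted="false" />
    <domain-config cleartextTrafficPermitted="true">
        <domain includeSubdomains="false">iot-device.example</domain>
    </domain-config>
</network-security-config>"""

def _rules(node, inherited):
    """Yield (domain, include_subdomains, permitted) for each <domain> rule."""
    for cfg in node.findall("domain-config"):
        flag = cfg.get("cleartextTrafficPermitted")
        permitted = inherited if flag is None else flag == "true"
        for d in cfg.findall("domain"):
            yield ((d.text or "").strip().lower(),
                   d.get("includeSubdomains") == "true", permitted)
        yield from _rules(cfg, permitted)  # nested configs inherit unset values

def cleartext_permitted(config_xml, host, target_sdk=28):
    """Return True if the config allows plain HTTP to `host`."""
    root = ET.fromstring(config_xml)
    base = root.find("base-config")
    flag = base.get("cleartextTrafficPermitted") if base is not None else None
    # Platform default when unset: allowed up to API 27, blocked from API 28.
    default = (target_sdk <= 27) if flag is None else flag == "true"
    host = host.lower()
    best = None
    for domain, subs, permitted in _rules(root, default):
        if host == domain or (subs and host.endswith("." + domain)):
            # The most specific (longest) matching domain rule wins.
            if best is None or len(domain) > len(best[0]):
                best = (domain, permitted)
    return default if best is None else best[1]
```
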

First of all: thanks for AppInventor - it is just great and I enjoy designing my 1st app with it (second is in the pipeline).
I agree with most of your comments - Screen1 is not elegant but it is cheap (if you do not combine it with other changes). I like Play Store for delivering, sharing and keeping apps up-to-date, especially as some are not allowed to upload apks directly.
Best regards, Jakub

What do you mean by that?

Note: APKs can only be uploaded to the Play Store if the app was published there before August 1st, 2021. From August 1, 2021, only AABs will have to be uploaded for new apps.

@ewpatton If you add an option for cleartextTrafficPermitted, then please also consider adding a network permission option that removes the internet permission and wifi state permission; I really want it. Also, to avoid adding different options to fulfill users' demands every single time, you could also allow users to directly edit the manifest before exporting the apk/aab. Learn More.

@Anke one can either install app from Play Store or from local device (I meant this one by uploading apk... directly to device)

Of course, and ...?

That is all - if you want to install an apk from the local device, not from the Google Store, you need to allow such an "unsafe" source - some are either reluctant or forbidden. I do not judge that fact (is it security or perceived security).
Thanks for your support and interest.

I received the advice "Clear text traffic allowed for all domains" and my update is "not published".
I'm waiting for feedback from Google :confused:

Most likely for another reason.

Waiting for an official answer from them, but I think it is that.

No, it's just a warning. I got this warning in all my apps published on play store (for years).

Ok I forced in review.. thanks dear

Then let us know how you worded your query and if you actually got a response from Google (which didn't come from a robot :wink:).

I'm curious as I have a lot of experience with Google Developer Support requests.

I have no contact support for this too.
For now I have tried with "good manners" :smiley: only forced in review... :wink: