
NetworkSecurityPolicy.isCleartextTrafficPermitted EURECOM

Open smarek opened this issue 5 years ago • 0 comments

We investigated better the Apache HttpComponents HttpClient v4.5 library, as you suggested. We confirm that at the moment, the HttpClient does not support the NetworkSecurityPolicy, since this new feature is only targeting Android, and if we understood correctly, HttpClient is intended to be used also in normal Java projects, not necessarily Android. But since yours is an Android library, Android app developers may have the wrong expectation that this library does honor the cleartext settings.

With that being said, we saw the patches that you did for the repackaged version of the HttpClient for Android and we believe that the Network Security Policy can be ported on the library through one patch. We investigated better the codebase and we think that the best place to patch is the "doExecute" method or the "InternalHttpClient".

When the "scheme" and the "hostname/target" of the connection are available, it is possible to verify if cleartext traffic is permitted for the given hostname/target, by invoking:

NetworkSecurityPolicy.isCleartextTrafficPermitted(String hostname)

This API returns a boolean. The boolean can be used to check whether cleartext network traffic is permitted for communicating with hostname for the application. This API is available since API level 24. A more generic API is the isCleartextTrafficPermitted(), which is available since API level 23. We saw that your library is targeting API level >= 23.

In case cleartext traffic is not permitted for the given host (or for the entire app), a Runtime Exception should be thrown.

  • [ ] Provide optional patch to provide check, if given hostname allows cleartext traffic
  • [ ] Investigate whether this will be provided by stock HC4 or HC5 for us to just use it

smarek, Jun 25 '20 20:06
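A sketch of the check this issue asks for, as an added example that is not code from httpclient-android or Apache HttpComponents. The class name `CleartextGuard`, its `check` method and the choice of `IllegalStateException` as the runtime exception are assumptions; the caller is expected to pass the scheme and hostname of the request target at the point where both are known, as the issue proposes for "doExecute".

```java
import android.os.Build;
import android.security.NetworkSecurityPolicy;

import java.util.Locale;

/** Hypothetical helper: name and placement are assumptions, not project code. */
public final class CleartextGuard {

    private CleartextGuard() {}

    /**
     * Throws if the app's Network Security Policy forbids cleartext traffic
     * to the given target. Requires API level 23 or later.
     *
     * @param scheme   scheme of the request target ("http", "https", ...)
     * @param hostname hostname of the request target
     */
    public static void check(String scheme, String hostname) {
        // A missing scheme is treated as "http" so the check fails closed.
        String s = (scheme == null) ? "http" : scheme.toLowerCase(Locale.ROOT);
        if (!"http".equals(s)) {
            return; // not a cleartext HTTP request, the policy does not apply
        }

        NetworkSecurityPolicy policy = NetworkSecurityPolicy.getInstance();
        boolean permitted;
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.N && hostname != null) {
            // API 24+: per-host decision, honours the app's per-domain
            // Network Security Configuration.
            permitted = policy.isCleartextTrafficPermitted(hostname);
        } else {
            // API 23: only the app-wide flag is available.
            permitted = policy.isCleartextTrafficPermitted();
        }

        if (!permitted) {
            throw new IllegalStateException(
                    "Cleartext HTTP traffic to " + hostname
                            + " is not permitted by the Network Security Policy");
        }
    }
}
```

Redirects need the same check: a request that starts on https can be redirected to an http URL, so the guard has to run for every target the client actually connects to, not only the first one.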