Android App Rejected - unencrypted network traffic detected

Nicolas_REMY · June 13, 2023, 9:22am

Hi,

My mobile app is built with a Backendless Codeless app (AppID = D7075715-5086-625A-FFAB-39C2F40FB200) and using the Native Mobile App Shell.

Google just rejected my app because:

You have declared that user data is encrypted in transit in your app’s Data safety form and we’ve detected unencrypted network traffic that may carry user data off device.

The unencrypted traffic has been detected going to https://xxx.backendless.app, where xxx is my Backendless subdomain.

Obviously I haven’t been able to get any more detailed information from Google. More specifically, they can’t give me the offending URL being called.

Therefore, my questions are :

How could this be possible? SSL is enabled on that domain!

image1229×213 16.6 KB
How can I debug this issue?
I have inspected traffic when executing flutter run with the Android phone connected to the computer, and all URLs called by mx app seem to be OK. The only call I managed to see fleetingly once was to session_expiration. Could that be a possible explanation?
Is there perhaps a way to build into the shell a blocking mechanism so that only https URLs may be sent?

Thanks for your support.

Here’s the full message from Google:

Nikita_Fedorishchev · June 13, 2023, 10:11am

Hello, @Nicolas_REMY.

When your device was connected to PC with USB you can debug launched webview: chrome://inspect(for android) and with safari for ios.

Regards, Nikita.

Nicolas_REMY · June 13, 2023, 10:26am

Thanks @Nikita_Fedorishchev for this info.

However, as stated above, I haven’t seen any traffic going over unencrypted http. Google did, however - if we believe them.

Do you have any logs which would enable checking if anything was called this morning to https://xxx.backendless.app , where xxx is my Backendless subdomain ?

Marian_Koreniuk · June 13, 2023, 12:59pm

Hello, @Nicolas_REMY

I added logging for your domain via HTTP protocol and also add redirect HTTP to HTTPS to determine who is connecting via HTTP.
Could you carry out the same verification manipulations? And after a while, we will see where the requests are coming from, specifically on HTTP.

Nicolas_REMY · June 13, 2023, 1:16pm

Thanks @Marian_Koreniuk.

It will be very helpful to know if there is any unencrypted HTTP request made, and to what URL. In order to attempt another validation by Google, I will submit another build shortly. If I get another rejection message, I will come back and ask you for the logs.

Also, in the meantime, I searched what the cause may be, and I found the android:usesCleartextTraffic parameter in the Android manifest here:

github.com

Backendless/native-mobile-app-shell/blob/master/android/app/src/main/AndroidManifest.xml#L6


      
          <manifest xmlns:android="http://schemas.android.com/apk/res/android"
              package="com.backendless.native_app_shell">
             <application
                  android:label="native app shell"
                  android:icon="@mipmap/ic_launcher"
                  android:usesCleartextTraffic="true">
                 <meta-data android:name="com.facebook.sdk.ApplicationId" android:value="@string/facebook_app_id"/>
                 <meta-data android:name="com.facebook.sdk.ClientToken" android:value="@string/facebook_client_token"/>
          
          
       <activity android:name="com.facebook.FacebookActivity"
                     android:configChanges="keyboard|keyboardHidden|screenLayout|screenSize|orientation"
                     android:label="@string/app_name" />
                 <activity
                     android:name="com.facebook.CustomTabActivity"
                     android:exported="true">
                     <intent-filter>

It seems that the recommendation from Android is to set it to false by default for modern applications (<application> | Android Developers).

Is there a reason that it is set to true in the Native Mobile App Shell?
May I expect this to solve the issue if modified ?

Nikita_Fedorishchev · June 13, 2023, 1:34pm

Yes, you can try to fix this parameter and check, but I don’t think that will solve the problem. This parameter does not make your http requests as https. If this parameter is set to true, it simply allows you to send http requests without restrictions. Therefore, it defaults to true.
If you don’t need http requests, you can always toggle it and all http requests will be automatically blocked by your application.

Nicolas_REMY · June 13, 2023, 1:39pm

OK thanks, that’s also what I had understood about http requests being blocked.

However, as explained above, my app does not call http requests anywhere. I have checked in the code and the unencrypted server URL does not appear anywhere. So I am pretty sure that no http request is being made.

If there are any other “parasite” requests being made anywhere else, I will gladly block them. I just want the app being accepted as it is!

Nikita_Fedorishchev · June 13, 2023, 1:43pm

If your app doesn’t really make http requests, then Google should have allowed the app to publish. When you change the cleartextTraffic setting to false, I recommend that you thoroughly test the application again before publishing, and check all possible cases, and also use try catch as often as possible. Because if the setting is set to false, then all http requests will cause an error inside the application, which can cause it to crash.

Best Regards, Nikita.

Nicolas_REMY · June 13, 2023, 2:02pm

Thanks for the tip.

In fact I would gladly like the app to crash in order to pinpoint where the supposed http call is made!

Or would you have any other suggestion in order to find it?

I have looked for http: throughout the code, and haven’t found it anywhere.

Nikita_Fedorishchev · June 13, 2023, 2:45pm

Nothing more, just testing and investigating:)
Try to set cleartextTraffic to false and http requests won’t work anymore, so this should fix the google issue.

Nicolas_REMY · June 14, 2023, 7:05am

Hi,

I would just like to follow up on this issue for reference in case others encounter the same situation.

As said above, I set the cleartextTraffic flag to false, and then republished my app.

Unfortunately Google won’t accept a replacement build in Closed or Open Testing if the build it deems offending is still in Production. So I had to take the gamble and replace all builds out there, in Closed, Open Testing AND Production with the new build.

I’m happy to report that my build was accepted. It’s only been a few hours, but up to now, I haven’t noticed any issue in the app. As stated, I am pretty sure there are no unencrypted http requests being made anyhow. And I have a strong feeling that Google was in fact complaining that the cleartextTraffic flag was not being set to false.

In case the issue pops back up (I hope not !), I will return here with an update.