My mobile app is built with a Backendless Codeless app (AppID = D7075715-5086-625A-FFAB-39C2F40FB200) and using the Native Mobile App Shell.
Google just rejected my app because:
You have declared that user data is encrypted in transit in your app’s Data safety form and we’ve detected unencrypted network traffic that may carry user data off device.
The unencrypted traffic has been detected going to https://xxx.backendless.app, where xxx is my Backendless subdomain.
Obviously I haven’t been able to get any more detailed information from Google. More specifically, they can’t give me the offending URL being called.
Therefore, my questions are :
How could this be possible? SSL is enabled on that domain!
How can I debug this issue?
I have inspected traffic when executing flutter run with the Android phone connected to the computer, and all URLs called by mx app seem to be OK. The only call I managed to see fleetingly once was to session_expiration. Could that be a possible explanation?
Is there perhaps a way to build into the shell a blocking mechanism so that only https URLs may be sent?
However, as stated above, I haven’t seen any traffic going over unencrypted http. Google did, however - if we believe them.
Do you have any logs which would enable checking if anything was called this morning to https://xxx.backendless.app , where xxx is my Backendless subdomain ?
I added logging for your domain via HTTP protocol and also add redirect HTTP to HTTPS to determine who is connecting via HTTP.
Could you carry out the same verification manipulations? And after a while, we will see where the requests are coming from, specifically on HTTP.
It will be very helpful to know if there is any unencrypted HTTP request made, and to what URL. In order to attempt another validation by Google, I will submit another build shortly. If I get another rejection message, I will come back and ask you for the logs.
Also, in the meantime, I searched what the cause may be, and I found the android:usesCleartextTraffic parameter in the Android manifest here:
It seems that the recommendation from Android is to set it to false by default for modern applications (<application> | Android Developers).
Is there a reason that it is set to true in the Native Mobile App Shell?
May I expect this to solve the issue if modified ?
Yes, you can try to fix this parameter and check, but I don’t think that will solve the problem. This parameter does not make your http requests as https. If this parameter is set to true, it simply allows you to send http requests without restrictions. Therefore, it defaults to true.
If you don’t need http requests, you can always toggle it and all http requests will be automatically blocked by your application.
OK thanks, that’s also what I had understood about http requests being blocked.
However, as explained above, my app does not call http requests anywhere. I have checked in the code and the unencrypted server URL does not appear anywhere. So I am pretty sure that no http request is being made.
If there are any other “parasite” requests being made anywhere else, I will gladly block them. I just want the app being accepted as it is!
If your app doesn’t really make http requests, then Google should have allowed the app to publish. When you change the cleartextTraffic setting to false, I recommend that you thoroughly test the application again before publishing, and check all possible cases, and also use try catch as often as possible. Because if the setting is set to false, then all http requests will cause an error inside the application, which can cause it to crash.
Nothing more, just testing and investigating:)
Try to set cleartextTraffic to false and http requests won’t work anymore, so this should fix the google issue.
I would just like to follow up on this issue for reference in case others encounter the same situation.
As said above, I set the cleartextTraffic flag to false, and then republished my app.
Unfortunately Google won’t accept a replacement build in Closed or Open Testing if the build it deems offending is still in Production. So I had to take the gamble and replace all builds out there, in Closed, Open Testing AND Production with the new build.
I’m happy to report that my build was accepted. It’s only been a few hours, but up to now, I haven’t noticed any issue in the app. As stated, I am pretty sure there are no unencrypted http requests being made anyhow. And I have a strong feeling that Google was in fact complaining that the cleartextTraffic flag was not being set to false.
In case the issue pops back up (I hope not !), I will return here with an update.