How can I debug this issue?
I have inspected traffic when executing flutter run with the Android phone connected to the computer, and all URLs called by mx app seem to be OK. The only call I managed to see fleetingly once was to session_expiration. Could that be a possible explanation?
Is there perhaps a way to build into the shell a blocking mechanism so that only https URLs may be sent?
I added logging for your domain via HTTP protocol and also add redirect HTTP to HTTPS to determine who is connecting via HTTP.
Could you carry out the same verification manipulations? And after a while, we will see where the requests are coming from, specifically on HTTP.
It will be very helpful to know if there is any unencrypted HTTP request made, and to what URL. In order to attempt another validation by Google, I will submit another build shortly. If I get another rejection message, I will come back and ask you for the logs.
Also, in the meantime, I searched what the cause may be, and I found the android:usesCleartextTraffic parameter in the Android manifest here:
Yes, you can try to fix this parameter and check, but I don’t think that will solve the problem. This parameter does not make your http requests as https. If this parameter is set to true, it simply allows you to send http requests without restrictions. Therefore, it defaults to true.
If you don’t need http requests, you can always toggle it and all http requests will be automatically blocked by your application.
OK thanks, that’s also what I had understood about http requests being blocked.
However, as explained above, my app does not call http requests anywhere. I have checked in the code and the unencrypted server URL does not appear anywhere. So I am pretty sure that no http request is being made.
If there are any other “parasite” requests being made anywhere else, I will gladly block them. I just want the app being accepted as it is!
If your app doesn’t really make http requests, then Google should have allowed the app to publish. When you change the cleartextTraffic setting to false, I recommend that you thoroughly test the application again before publishing, and check all possible cases, and also use try catch as often as possible. Because if the setting is set to false, then all http requests will cause an error inside the application, which can cause it to crash.
I would just like to follow up on this issue for reference in case others encounter the same situation.
As said above, I set the cleartextTraffic flag to false, and then republished my app.
Unfortunately Google won’t accept a replacement build in Closed or Open Testing if the build it deems offending is still in Production. So I had to take the gamble and replace all builds out there, in Closed, Open Testing AND Production with the new build.
I’m happy to report that my build was accepted. It’s only been a few hours, but up to now, I haven’t noticed any issue in the app. As stated, I am pretty sure there are no unencrypted http requests being made anyhow. And I have a strong feeling that Google was in fact complaining that the cleartextTraffic flag was not being set to false.
In case the issue pops back up (I hope not !), I will return here with an update.