Network security config file

Is anyone able to tell me a little bit about the network security config file and how (or even if I should) be editing it?

I’m having real problems today (all of a sudden) in my app where my HTTP calls are not working on Android devices (well, at least not on the Android 10 device I am testing with today). I have googled like made today and seen seen several posts claiming that you need clearTextTrafficPermitted and includeSubDomains in the network security config file i.e something like:

<?xml version="1.0" encoding="utf-8"?>
    <domain-config cleartextTrafficPermitted="true">
        <domain includeSubdomains="true">localhost</domain>
        <domain includeSubdomains="true">(my domain)</domain>

Do I need to create that file in Android Studio or do I edit the file in the resources/android/xml folder?

And more to the point should I have to do this at all? I have tried adding my domain in the file but it made no difference - unless I was doing it wrong or in the wrong place.


Is there any way you can use an https endpoint here? Even if it means inserting a proxy, I would think that doing so would futureproof your app, increase your users’ security, and likely obviate the need for your immediate concern.

Hi. I’m not exactly sure what you mean but I know from all your forum posts you know what you are talking about. I was actually asking about how and where I edit that file - do I insert the file into the project in Android Studio or do I edit it in the Ionic project folder? What did you mean about using a proxy ? (Thanks for answering). This Android HTTP issue has driven crazy today and I‘m a bit confused as to why it’s not working.

I get that, but my primary goal is to help you solve this without touching that file.

Google and Apple are attempting to get all apps running on their platforms using HTTPS instead of unencrypted HTTP for user security reasons, and that’s a good thing. In Android’s case, mandated HTTPS usage went from opt-in in API 27 to opt-out in API 28 (Android 9), which would explain why something that used to work for you suddenly stopped doing so.

If you just use https endpoints for all your network requests, everything should again just work, and I would consider that the optimal solution. Ordinarily this is very easy, if you control any backends - you just get an SSL cert (I use letsencrypt) and away you go. If you don’t control the backend, and whoever does isn’t willing or able to add SSL support, then another option would be to make a proxy somewhere out on the internet that does support HTTPS, have your app talk to it instead of the real backend, and then have the proxy reroute requests over ordinary HTTP to the actual backend. It’s not a great solution, especially for scalability, but it’s better than nothing.

All that being said, I think if you do end up having to edit anything, it is likely to be AndroidManifest.xml. See this thread.

1 Like

Great, thank you so much for that. All the calls are https so I’m wondering if this is perhaps a server issue in which case I will have to wait until the morning to get someone to check things out. Thanks for your help. I agree with you entirely about not making these changes which is why I asked really.

This is very puzzling as all my calls are https and I tried your server check link and the server got an A+ rating. I’ve no idea why the calls are failing (web and iOS are all fine). I’ll have to look again tomorrow with a fresher brain! Thanks again.

I’ve just tested out my Ionic 3 app on the same Android 10 device pointing at the same server and it works fine. So it’s something in my Ionic 5 project that’s making it go wrong even though I have removed and re-added the Android platform.

I had this problem going from Ionic 3 to 5 and it ended up being my proxy settings since that changed significantly from those versions. I had to create a proxy.config.json in my root with the following in it:

	"/api/*": {
		"target": "",
		"secure": false,
		"pathRewrite": {
		  "^/api": ""
		"changeOrigin": true,
		"logLevel": "debug"

Then in my angular.json file i specify it under serve:

"serve": {
          "builder": "@angular-devkit/build-angular:dev-server",
          "options": {
            "browserTarget": "app:build",
            "proxyConfig": "src/proxy.conf.json"

Note this is for running in browser. For Device just using worked with HttpClient like so switching out the url based on --prod build setting:

updateToNetwork(payload: UserModel): Observable<UserModel> {
    const apiUrl = environment.serverURL + `users/${payload.UID}`;
    return this.http.put<UserModel>(apiUrl, payload).pipe(