According to Network security configuration –
Starting with Android 9 (API level 28), cleartext support is disabled
by default.
Also have a look at Android M and the war on cleartext traffic
Codelabs explanation from Google
Option 1 –
First try hitting the URL with https://
instead of http://
Option 2 –
Create file res/xml/network_security_config.xml
–
<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
<domain-config cleartextTrafficPermitted="true">
<domain includeSubdomains="true">api.example.com(to be adjusted)</domain>
</domain-config>
</network-security-config>
AndroidManifest.xml
–
<?xml version="1.0" encoding="utf-8"?>
<manifest ...>
<uses-permission android:name="android.permission.INTERNET" />
<application
...
android:networkSecurityConfig="@xml/network_security_config"
...>
...
</application>
</manifest>
Option 3 –
android:usesCleartextTraffic Doc
AndroidManifest.xml
–
<?xml version="1.0" encoding="utf-8"?>
<manifest ...>
<uses-permission android:name="android.permission.INTERNET" />
<application
...
android:usesCleartextTraffic="true"
...>
...
</application>
</manifest>
Also as @david.s’ answer pointed out android:targetSandboxVersion
can be a problem too –
According to Manifest Docs –
android:targetSandboxVersion
The target sandbox for this app to use. The higher the sandbox version
number, the higher the level of security. Its default value is 1; you
can also set it to 2. Setting this attribute to 2 switches the app to
a different SELinux sandbox. The following restrictions apply to a
level 2 sandbox:
- The default value of
usesCleartextTraffic
in the Network Security Config is false.- Uid sharing is not permitted.
So Option 4 –
If you have android:targetSandboxVersion
in <manifest>
then reduce it to 1
AndroidManifest.xml
–
<?xml version="1.0" encoding="utf-8"?>
<manifest android:targetSandboxVersion="1">
<uses-permission android:name="android.permission.INTERNET" />
...
</manifest>