Merge "Document that WebView doesn't honor "uses cleartext traffic" flag."

     * (e.g., HTTP rather than HTTPS; WebSockets rather than WebSockets Secure; XMPP, IMAP, STMP

     * without STARTTLS or TLS). If {@code false}, the app declares that it does not intend to use

     * cleartext network traffic, in which case platform components (e.g., HTTP stacks,

     * {@code WebView}, {@code DownloadManager}, {@code MediaPlayer}) will refuse app's requests to

     * use cleartext traffic. Third-party libraries are encouraged to honor this flag as well.

     * {@code DownloadManager}, {@code MediaPlayer}) will refuse app's requests to use cleartext

     * traffic. Third-party libraries are encouraged to honor this flag as well.

     *

     * <p>NOTE: {@code WebView} does not honor this flag.

     *

     * <p>This flag comes from

     * {@link android.R.styleable#AndroidManifestApplication_usesCleartextTraffic

     * android:usesCleartextTraffic} of the <application> tag.

     */

    public static final int FLAG_USES_CLEARTEXT_TRAFFIC = 1<<27;

     * without TLS or STARTTLS) is permitted for this process.

     *

     * <p>When cleartext network traffic is not permitted, the platform's components (e.g. HTTP and

     * FTP stacks, {@link android.webkit.WebView}, {@link android.app.DownloadManager},

     * {@link android.media.MediaPlayer}) will refuse this process's requests to use cleartext

     * traffic. Third-party libraries are strongly encouraged to honor this setting as well.

     * FTP stacks, {@link android.app.DownloadManager}, {@link android.media.MediaPlayer}) will

     * refuse this process's requests to use cleartext traffic. Third-party libraries are strongly

     * encouraged to honor this setting as well.

     *

     * <p>This flag is honored on a best effort basis because it's impossible to prevent all

     * cleartext traffic from Android applications given the level of access provided to them. For

     * because it cannot determine whether its traffic is in cleartext. However, most network

     * traffic from applications is handled by higher-level network stacks/components which can

     * honor this aspect of the policy.

     *

     * <p>NOTE: {@link android.webkit.WebView} does not honor this flag.

     */

    public boolean isCleartextTrafficPermitted() {

        return libcore.net.NetworkSecurityPolicy.isCleartextTrafficPermitted();

         WebSockets rather than WebSockets Secure; XMPP, IMAP, STMP without STARTTLS or TLS.

         Defaults to true. If set to false {@code false}, the application declares that it does not

         intend to use cleartext network traffic, in which case platform components (e.g. HTTP

         stacks, {@code WebView}, {@code MediaPlayer}) will refuse applications's requests to use

         cleartext traffic. Third-party libraries are encouraged to honor this flag as well. -->

         stacks, {@code DownloadManager}, {@code MediaPlayer}) will refuse applications's requests

         to use cleartext traffic. Third-party libraries are encouraged to honor this flag as well.

         -->

    <attr name="usesCleartextTraffic" format="boolean" />

    <!-- Declare that code from this application will need to be loaded into other

             HTTPS; WebSockets rather than WebSockets Secure; XMPP, IMAP, STMP without STARTTLS or

             TLS). Defaults to true. If set to false {@code false}, the application declares that it

             does not intend to use cleartext network traffic, in which case platform components

             (e.g. HTTP stacks, {@code WebView}, {@code MediaPlayer}) will refuse applications's

             requests to use cleartext traffic. Third-party libraries are encouraged to honor this

             flag as well. -->

             (e.g. HTTP stacks, {@code DownloadManager}, {@code MediaPlayer}) will refuse

             applications's requests to use cleartext traffic. Third-party libraries are encouraged

             to honor this flag as well. -->

        <attr name="usesCleartextTraffic" />

        <attr name="multiArch" />

        <attr name="extractNativeLibs" />

The default value is {@code "true"}.

<p>When the attribute is set to {@code "false"}, platform components (for example, HTTP and FTP

stacks, {@link android.webkit.WebView}, {@link android.app.DownloadManager},

{@link android.media.MediaPlayer}) will refuse the app's requests to use cleartext traffic.

Third-party libraries are strongly encouraged to honor this setting as well. The key reason for

avoiding cleartext traffic is the lack of confidentiality, authenticity, and protections against

tampering: a network attacker can eavesdrop on transmitted data and also modify it without being

detected.

stacks, {@link android.app.DownloadManager}, {@link android.media.MediaPlayer}) will refuse the

app's requests to use cleartext traffic. Third-party libraries are strongly encouraged to honor this

setting as well. The key reason for avoiding cleartext traffic is the lack of confidentiality,

authenticity, and protections against tampering: a network attacker can eavesdrop on transmitted

data and also modify it without being detected.

<p>This flag is honored on a best effort basis because it's impossible to prevent all cleartext

traffic from Android applications given the level of access provided to them. For example, there's

from {@link android.content.pm.ApplicationInfo#flags ApplicationInfo.flags} or

{@link android.security.NetworkSecurityPolicy#isCleartextTrafficPermitted() NetworkSecurityPolicy.isCleartextTrafficPermitted()}.

<p>NOTE: {@link android.webkit.WebView} does not honor this flag.

<p>During app development, StrictMode can be used to identify any cleartext traffic from the app: see

{@link android.os.StrictMode.VmPolicy.Builder#detectCleartextNetwork() StrictMode.VmPolicy.Builder.detectCleartextNetwork()}.