Java.IO.IOException: 'Cleartext HTTP traffic to localhost not permitted' code example

Example 1: android manifest cleartext traffic permitted

<?xml version="1.0" encoding="utf-8"?>
<manifest ...>
    <uses-permission android:name="android.permission.INTERNET" />
    <application
        ...
        android:usesCleartextTraffic="true"
        ...>
        ...
    </application>
</manifest>

Example 2: android:usesCleartextTraffic="true"

<?xml version="1.0" encoding="utf-8"?><manifest ...>    <uses-permission android:name="android.permission.INTERNET" />    <application        ...        android:usesCleartextTraffic="true"        ...>        ...    </application></manifest>

Example 3: java.io.IOException: Cleartext HTTP traffic to api.openweathermap.org not permitted

2707

According to Network security configuration -

Starting with Android 9 (API level 28), cleartext support is disabled by default.

Also have a look at - https://koz.io/android-m-and-the-war-on-cleartext-traffic/

Codelabs explanation - https://codelabs.developers.google.com/codelabs/android-network-security-config/index.html

Option 1 -

First try hitting the URL with "https://" instead of "http://"

Option 2 -

Create file res/xml/network_security_config.xml -

<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <domain-config cleartextTrafficPermitted="true">
        <domain includeSubdomains="true">api.example.com(to be adjusted)</domain>
    </domain-config>
</network-security-config>
AndroidManifest.xml -

<?xml version="1.0" encoding="utf-8"?>
<manifest ...>
    <uses-permission android:name="android.permission.INTERNET" />
    <application
        ...
        android:networkSecurityConfig="@xml/network_security_config"
        ...>
        ...
    </application>
</manifest>
Option 3 -

android:usesCleartextTraffic Doc

AndroidManifest.xml -

<?xml version="1.0" encoding="utf-8"?>
<manifest ...>
    <uses-permission android:name="android.permission.INTERNET" />
    <application
        ...
        android:usesCleartextTraffic="true"
        ...>
        ...
    </application>
</manifest>
Also as @david.s' answer pointed out android:targetSandboxVersion can be a problem too -

According to Manifest Docs -

android:targetSandboxVersion

The target sandbox for this app to use. The higher the sandbox version number, the higher the level of security. Its default value is 1; you can also set it to 2. Setting this attribute to 2 switches the app to a different SELinux sandbox. The following restrictions apply to a level 2 sandbox:

The default value of usesCleartextTraffic in the Network Security Config is false.
Uid sharing is not permitted.
So Option 4 -

If you have android:targetSandboxVersion in <manifest> then reduce it to 1

AndroidManifest.xml -

<?xml version="1.0" encoding="utf-8"?>
<manifest android:targetSandboxVersion="1">
    <uses-permission android:name="android.permission.INTERNET" />
    ...
</manifest>