net::err_cleartext_not_permitted What is it?

It is a common interruption, Net::err_cleartext_not_permitted is caused when you are trying to access the unsecured URLs online. This action is initiated by the Android Webview, We will learn about it as we move forward in this article. Android is the leading mobile operating ecosystem, which occupies almost 87% of the market share. Due to this, the Android applications reach a wider audience, as the reach grows there are some disadvantages associated with it. This exposes the people using the Android to too many cyber attacks, resulting in more secure software to survive in the environment. This is where the Android web view and its protocols come into the picture to make the online ecosystem safer for its users.

What is Android WebView?

Android Webview is a system component powered by Chrome that allows Android apps to display web content using the links. This is an exclusive software included in the Android to display the content on the links from inside the native applications. The biggest advantage of this software is it opens a temporary web browser to show the content of the link without leaving the app. The cleartext error is a security measure taken by Android to stop the users from making their devices vulnerable to external software or malware. All these protocols only make the user stay away from peculiar websites or links.

WebView is a fascinating component that helps the developers to include functional content into the applications, it is an integral tool in the Android Application development tool. If you are facing any problem while accessing the weblinks in the third-party application try updating the phone software along with the application software. This could be one of the disadvantages since users experience major problems when they have tried to update the webView software.

This is an in-app error, which means we can access the same URLs on Chrome, Edge, Safari, or any other dedicated browser. Whenever you are trying to access these unsecured URLs, you are directed towards a page displaying the same with the additional information that the page is not available. With the help of the article and my knowledge regarding this topic, let us know why net::err_cleartext_not_permitted happens and what you can do to fix this issue.

net::err_cleartext_not_permitted What is it
net::err_cleartext_not_permitted What is it

Why does net::err_cleartext_not_permitted error occur?

To get into the details of how to fix this issue, let us try to know what is cleartext and how it is responsible for blocking the unsecured URLs. Cleartext is a piece of unencrypted information or meant to be encrypted data. Any such data that is being transmitted over the unsecured URL is known as cleartext. This means the information can be eavesdropped on or tampered with by a third party to enter our systems. In some cases, these attacks can even get access to your personal information. Such third-party interruptions can be harmful since they are accessed through the apps, which contain our personal and basic information starting from the permissions to our gallery, location, and details.

To avoid such unwanted cases of cyber attacks on the devices, starting from the Android version 9 (API level 28), Google has decided to interrupt the unsecured or cleartext in the Webview. So if any user is trying to access the unsecured URLs that are not HTTPS secured, the WebView will raise the net::err_cleartext_not_permitted error. There are some ways in which we can fix this issue. Let us try some methods to rectify this issue.

See also - easy to understand guide.

Fix the net::err_cleartext_not_permitted?

There are many tested ways to remove this error, we will try to do the most basic solution and then move on to the complex solutions.

1. Use the HTTPS URLs for all the endpoints

The easiest and proper solution for this problem is to use the HTTPS URLs, that is all secured links to all your endpoints so that it never occurs again. Any website with a valid SSL certificate is a secured one, that is it can be accessed using the HTTPS protocol.

Go to your code base and change the unsecured links to the secured ones. This action requires basic code knowledge and secured gateways to place the links in the codebase. This is the basic one, but we cannot convert all the HTTP links to HTTPS links, since it is not feasible to do so.

2. Edit AndroidManifest.xml

AndroidManifest.xml file is an inbuilt android file that contains all the crucial information regarding the application. Every application built for android will have this file, it contains all the details, activities, and services provided by the app to the users. This file also contains the information regarding the permissions for the protected parts of the app and the API declarations used in the app. Now to remove this error we need to edit the application subelement (within the code), all we need to add is a simple application tag.

Steps to edit/add the tag in the AndroidManifest.xml file:

  • The first step is to find the AndroidManifest.xml file in the application folder at: android/app/src/main/AndroidManifest.xml.
  • We now need to find the application subelement.
  • Add the tag: android:usesCleartextTraffic=”true” to the subelement.
  • Now apply the changes in the application by saving the file.

One thing you need to remember about this is, that it is a temporary fix, this action might compromise your data integrity due to the major vulnerability associated with the HTTP links of the cleartext.

Force HTTPS for WordPress Sites or HTML/PHP sites

The next two fixes involve forcing HTTPS onto either the WordPress or the HTML/PHP sites. Your website needs to have an SSL certificate to force the HTTPS onto its native app. We need to change some code and add tags to complete the process. So when you are developing an Android app for your company, you may anticipate overlapping of the URLs, since every click redirects the users to the website. So to rectify all those issues and allow the users to directly access the link, we need to force these protocols.

1. Force HTTPS for WordPress Sites

To force a WordPress site onto the HTTPS protocol, you have to edit the .htaccess file. This .htaccess is responsible for managing the redirects and permalinks on the app. Now let us see the steps you need to follow to make the changes in the file.

  • Login to your WordPress account using your credentials.
  • Now you are redirected to the WordPress dashboard.
  • Select the settings and navigate to the General section from the left-hand dashboard.
  • Now to check whether we can force the links to the HTTPS, locate the WordPress Address (URL) and Site Address (URL) to make sure these two URLs are HTTPS. 
  • The websites with a valid SSL certificate are considered to be accepting the HTTPS protocols.
  • To edit the WordPress files, you will have to access the file manager through FTP or cPanel. We can also edit the WordPress files using the plugins too.
  • Locate the .htaccess file within the root folder and open the file.
  • After opening, the code will be displayed on your screen, within this code locate the #BEGIN WordPress
  • This section of code until the #END WordPress contains all the WordPress rules, we need to edit these rules in order to rectify the error. Replace this code with the text given below to change the protocol rules.
# BEGIN WordPress 
<IfModule mod_rewrite.c> 
RewriteEngine On RewriteBase / 
RewriteRule ^index\.php$ – [L] # 

Rewrite HTTP to HTTPS 
RewriteCond %{SERVER_PORT} 80 
RewriteRule ^(.*)$$1 [R=301,L] 

RewriteCond %{REQUEST_FILENAME} !-f 
RewriteCond %{REQUEST_FILENAME} !-d 
RewriteRule. /index.php [L] 
# END WordPress
  • After identifying this section of code, replace the XXXX with your domain name. Do not rearrange the text above in any other way.
  • Save the changes after completing the process.
See also  Where does amazon music download?

2.Force HTTPS for HTML/PHP sites

  • Open the FTP or cPanel to access the root directory of your site on WordPress.
  • In FTP, you can right-click after opening the root directory and click on Create New File, creating a new file called .htaccess.
  • In cPanel, click on the + File button on the top of the screen to open a new file.
  • Open the newly created .htaccess file in the root directory and place the code suiting your web access.
  • If your site is listed on the WWW address, then add the code block given below into the .htaccess file:
RewriteEngine On  

RewriteCond %{HTTPS} !on 
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
RewriteCond %{HTTP_HOST} !^www\. [NC] 
RewriteRule .* https://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
  • If your website is listed on a non-WWW address, then copy and paste the below code into the new .htaccess file.
RewriteEngine On 
RewriteCond %{HTTPS} !on 
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301] RewriteCond %{HTTP_HOST} ^(www\.)(.+) [OR] 
RewriteCond %{HTTPS} off 
RewriteCond %{HTTP_HOST} ^(www\.)?(.+) 
RewriteRule ^ https://%2%{REQUEST_URI} [R=301,L]

If your site uses PHP you will have to update the PHP config site, site URL, and base URL variables to complete the process.

3. Edit network_security_config.xml

This fix is for the applications using Android version 7 or above. To change the network security configuration developers can access the network_security_config.xml file to modify the code to meet the application needs. Using this we provide access to the unsecured domains from the app. We need to include the required domain names that you wish to provide the access to users from the app, which runs on Unsecured URLs. Network Traffic using this edit will remove the occurrence of the error in the app. We can access the domains in the whitelist. Now let us see the ways to add the domain names to the whitelist.

  • Inside your Android application folder, add the network_security_config.xml file at the location: res/XML/
  • Add the following domain configuration text, you have to include your website address at the your_domain part.
<?XML version=”1.0″ encoding=”utf-8″?> 
<domain-config cleartextTrafficPermitted=”true”> 
<domain includeSubdomains=”true”></domain> </domain-config> </network-security-config>
  • Click on Save, to confirm the changes in the network_security_config.xml file.
  • Find the AndroidManifest.xml file in the root directory at: android/app/src/main/AndroidManifest.xml
  • Find the application subelement.
  • Add the following text to the network security confin=guration to add the path to the file:
android:name=”.DemoApp” android:networkSecurityConfig=”@xml/network_security_config”

net::err_cleartext_not_permitted Android Webview error solved

Android WebView is an excellent tool in the Android ecosystem to secure devices from malware attacks. This tool is hugely responsible for generating network traffic, ad revenue, and sales to the website. If this is not in usage, we will have to leave the application to access the website, which is time-consuming and also disrupts the use of the application.

See also  Why does my phone say no sim

You can follow the above-listed methods to solve the net::err_cleartext_not_permitted error, all you need to replace the codes exactly as they are, do not make any changes to the code. The forcing of HTTPS protocols is quite useful if you are in the field of application development, as they allow you to make changes to the network settings of the app.

Read Also: App keeps stopping android studio


Net::err_cleartext_not_permitted is a default Android webView error, when you are trying to access the unsecured URLs from the app, we can rectify the error by changing the unsecured URLs to the secured ones using the simple modifications in the AndroidManifest codes as mentioned above. These changes are enough to sort the issue, and will not cause any errors further. So make sure you do not change any of the code before replacing it in the app files.

If you found the article useful, do share it with your friends who are facing similar kinds of problems.


Do the code changes have any effect on the app functioning?

When you are trying to modify the code or rules, especially the network settings, you need to be careful. As far as the effect on the app functioning due to the change in the code is very negligible, if you are doing exactly as mentioned above you will not face any problem. But if you are modifying the code, there could be a problem only in the network settings. You might be vulnerable to abrupt shutdowns of the device, so be thorough when you are replacing the code in the android files.

Does accessing the URLs outside the app cause any problems?

Unsecured does not necessarily mean that they cause malware attacks, they are just unencrypted data. These kinds of links are easy to hack, so that is why Google’s Android WebView does not allow them to be accessed inside the app. However, you can open the links outside the app on any browser, but we cannot guarantee safety. You should know whether these links are trustable or not. Make sure you trust the website before opening them on the web, if they are not safe you will be warned on chrome also, that you will have to use the advanced settings to use such links. If you want to get into the details of these, please ask the website provider for the SSL certificate.

What is the difference between HTTP and HTTPS?

The biggest difference and the most important one is that HTTPS is the one with more safety protocols. These protocols are the simple rules one needs to follow in order to be relevant over the internet. Due to the vulnerability of the cyber attacks on HTTP websites, HTTPS was introduced to make the web space even more secure for users. HTTPS consists of an additional set of rules which will make sure you are suffering over the internet in a safer way.

Leave a Comment

error: Alert: Content is protected !!