AppLovin / AppLovin-MAX-SDK-Android


StrictMode CleartextNetworkViolation due to SSL error (?) #581

Open JayShortway opened 10 months ago

JayShortway commented 10 months ago

MAX SDK Version

11.11.3

Device/Platform Info

Observed on Android 12 (Pixel 3)

Current Behavior

Some time after initializing AppLovin, it attempts to connect to 34.102.162.219 and 34.117.147.68, both of which trigger a CleartextNetworkViolation from Android's [StrictMode](https://developer.android.com/reference/android/os/StrictMode.VmPolicy.Builder#detectCleartextNetwork()). Stack traces are below, but they're not very informative.

A PTR lookup gives:

Both of these hosts have AppLovin SSL certificates, but they're invalid according to Chrome (NET::ERR_CERT_COMMON_NAME_INVALID).

If this is indeed an SSL error, I suspect the fix is not on the Android side :)

Here are the stack traces:

```
FATAL EXCEPTION: pool-20-thread-1
Process: com.example.app, PID: 23735
android.os.strictmode.CleartextNetworkViolation: Detected cleartext network traffic from UID 10323 to /34.102.162.219
<Hex dump of packet>
    at android.os.StrictMode.onCleartextNetworkDetected(StrictMode.java:2246)
    at android.app.ActivityThread$ApplicationThread.notifyCleartextNetwork(ActivityThread.java:1764)
    at android.app.IApplicationThread$Stub.onTransact(IApplicationThread.java:1202)
    at android.os.Binder.execTransactInternal(Binder.java:1184)
    at android.os.Binder.execTransact(Binder.java:1143)
```

```
FATAL EXCEPTION: pool-20-thread-2
Process: com.example.app, PID: 23735
android.os.strictmode.CleartextNetworkViolation: Detected cleartext network traffic from UID 10323 to /34.117.147.68
<Hex dump of packet>
    at android.os.StrictMode.onCleartextNetworkDetected(StrictMode.java:2246)
    at android.app.ActivityThread$ApplicationThread.notifyCleartextNetwork(ActivityThread.java:1764)
    at android.app.IApplicationThread$Stub.onTransact(IApplicationThread.java:1202)
    at android.os.Binder.execTransactInternal(Binder.java:1184)
    at android.os.Binder.execTransact(Binder.java:1143)
```

Expected Behavior

The AppLovin SDK should use properly configured SSL connections to its backend, thereby avoiding any CleartextNetworkViolations.

How to Reproduce

  1. Insert the following code, before initializing AppLovin, e.g. in Application.onCreate():

     ```kotlin
     StrictMode.setVmPolicy(
         StrictMode.VmPolicy.Builder()
             .detectCleartextNetwork()
             .penaltyDeath()
             .build()
     )
     ```
  2. Launch the app, and wait a bit. Usually happens within the first minute. There's no need to interact with the app.
  3. Observe the crash in logcat.

Note: it seems to be more consistently reproducible on a fresh install.

Additional Info

No response
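
A variation on the reproduction snippet above, added here as an example and not part of the original issue or the AppLovin SDK: it keeps `detectCleartextNetwork()` but swaps `penaltyDeath()` for `penaltyListener()` (API 28+), so the app keeps running while each flagged destination is counted and logged. The `CleartextAudit` object, its log tag and the message regex (based on the message format in the stack traces above) are assumptions.

```kotlin
import android.os.Build
import android.os.StrictMode
import android.os.strictmode.CleartextNetworkViolation
import android.util.Log
import java.util.concurrent.ConcurrentHashMap
import java.util.concurrent.Executors
import java.util.concurrent.atomic.AtomicInteger

/** Hypothetical helper: records cleartext destinations instead of crashing. */
object CleartextAudit {
    private const val TAG = "CleartextAudit" // assumed log tag

    // Assumed message format, taken from the stack traces in this issue:
    // "Detected cleartext network traffic from UID 10323 to /34.102.162.219"
    private val MESSAGE = Regex("""from UID (\d+) to /?(\S+)""")

    // Destination address -> number of violations seen in this process.
    private val hits = ConcurrentHashMap<String, AtomicInteger>()

    /** Extracts (uid, destination) from a violation message, or null if it does not match. */
    fun parse(message: String): Pair<Int, String>? =
        MESSAGE.find(message)?.destructured?.let { (uid, dest) -> uid.toInt() to dest }

    /** Snapshot of the destinations recorded so far, e.g. for a debug screen or a test. */
    fun snapshot(): Map<String, Int> = hits.mapValues { it.value.get() }

    /** Call before initializing the SDK, e.g. in Application.onCreate(). Assumes minSdk >= 23. */
    fun install() {
        val builder = StrictMode.VmPolicy.Builder().detectCleartextNetwork()
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P) {
            // penaltyListener delivers each violation to a callback on the given executor.
            val executor = Executors.newSingleThreadExecutor()
            builder.penaltyListener(executor) { violation ->
                if (violation is CleartextNetworkViolation) {
                    val (uid, dest) = parse(violation.message.orEmpty())
                        ?: return@penaltyListener
                    val n = hits.getOrPut(dest) { AtomicInteger() }.incrementAndGet()
                    Log.w(TAG, "cleartext traffic from UID $uid to $dest (seen $n times)")
                }
            }
        } else {
            builder.penaltyLog() // API 23-27: no callback available, log only
        }
        StrictMode.setVmPolicy(builder.build())
    }
}
```

Restrict this to debug builds; the per-destination counts make it easier to compare a fresh install against later launches, which the note above says behave differently.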