AppLovin / AppLovin-MAX-SDK-Android


StrictMode CleartextNetworkViolation due to SSL error (?) #581

Closed JayShortway closed 3 hours ago

JayShortway commented 12 months ago

MAX SDK Version

11.11.3

Device/Platform Info

Observed on Android 12 (Pixel 3)

Current Behavior

Some time after initializing AppLovin, it attempts to connect to 34.102.162.219 and 34.117.147.68, both of which trigger a CleartextNetworkViolation from Android's [StrictMode](https://developer.android.com/reference/android/os/StrictMode.VmPolicy.Builder#detectCleartextNetwork()). Stack traces are below, but they're not very informative.

A PTR lookup gives:

Both of these hosts have AppLovin SSL certificates, but they're invalid according to Chrome (NET::ERR_CERT_COMMON_NAME_INVALID.)

If this is indeed an SSL error, I suspect the fix is not on the Android side :)

Here are the stack traces:

FATAL EXCEPTION: pool-20-thread-1
Process: com.example.app, PID: 23735
android.os.strictmode.CleartextNetworkViolation: Detected cleartext network traffic from UID 10323 to /34.102.162.219
<Hex dump of packet>
    at android.os.StrictMode.onCleartextNetworkDetected(StrictMode.java:2246)
    at android.app.ActivityThread$ApplicationThread.notifyCleartextNetwork(ActivityThread.java:1764)
    at android.app.IApplicationThread$Stub.onTransact(IApplicationThread.java:1202)
    at android.os.Binder.execTransactInternal(Binder.java:1184)
    at android.os.Binder.execTransact(Binder.java:1143)
FATAL EXCEPTION: pool-20-thread-2
Process: com.example.app, PID: 23735
android.os.strictmode.CleartextNetworkViolation: Detected cleartext network traffic from UID 10323 to /34.117.147.68
<Hex dump of packet>
    at android.os.StrictMode.onCleartextNetworkDetected(StrictMode.java:2246)
    at android.app.ActivityThread$ApplicationThread.notifyCleartextNetwork(ActivityThread.java:1764)
    at android.app.IApplicationThread$Stub.onTransact(IApplicationThread.java:1202)
    at android.os.Binder.execTransactInternal(Binder.java:1184)
    at android.os.Binder.execTransact(Binder.java:1143)

Expected Behavior

The AppLovin SDK should use properly configured SSL connections to its backend, thereby avoiding any CleartextNetworkViolations.

How to Reproduce

  1. Insert the following code, before initializing AppLovin, e.g. in Application.onCreate():
    StrictMode.setVmPolicy(
        StrictMode.VmPolicy.Builder()
            .detectCleartextNetwork()
            .penaltyDeath()
            .build()
    )
  2. Launch the app, and wait a bit. Usually happens within the first minute. There's no need to interact with the app.
  3. Observe the crash in logcat.

Note: it seems to be more consistently reproducible on a fresh install.

Additional Info

No response
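
Traces like the two in the report above can be triaged offline from captured logcat text. The script below is an added example, not part of the original issue or of the AppLovin SDK: it extracts destination, UID and thread from `CleartextNetworkViolation` entries so the endpoints can be reviewed; the function names and the sample log are constructed here.

```python
import re

# Constructed sample: the report's two traces (hex dump, frames omitted) plus an unrelated crash.
SAMPLE_LOGCAT = """\
FATAL EXCEPTION: pool-20-thread-1
Process: com.example.app, PID: 23735
android.os.strictmode.CleartextNetworkViolation: Detected cleartext network traffic from UID 10323 to /34.102.162.219
FATAL EXCEPTION: pool-20-thread-2
Process: com.example.app, PID: 23735
android.os.strictmode.CleartextNetworkViolation: Detected cleartext network traffic from UID 10323 to /34.117.147.68
FATAL EXCEPTION: main
Process: com.example.app, PID: 23735
java.lang.IllegalStateException: unrelated crash
"""

# search() rather than match() so logcat's timestamp/tag prefix is tolerated.
THREAD_RE = re.compile(r"FATAL EXCEPTION: (?P<thread>.+?)\s*$")
PROC_RE = re.compile(r"Process: (?P<proc>[\w.:]+), PID: (?P<pid>\d+)")
# Assumption: a host name may precede the "/"; in the report's traces it is empty.
VIOLATION_RE = re.compile(
    r"CleartextNetworkViolation: Detected cleartext network traffic "
    r"from UID (?P<uid>\d+) to (?P<host>[^/\s]*)/(?P<addr>[0-9A-Fa-f:.]+)")

def find_cleartext_violations(log_text):
    """Return one dict per violation, tagged with the crash header before it."""
    events, thread, proc, pid = [], None, None, None
    for line in log_text.splitlines():
        if m := THREAD_RE.search(line):
            thread, proc, pid = m["thread"], None, None  # new crash block
        elif m := PROC_RE.search(line):
            proc, pid = m["proc"], int(m["pid"])
        elif m := VIOLATION_RE.search(line):
            events.append({"addr": m["addr"], "host": m["host"] or None,
                           "uid": int(m["uid"]), "thread": thread,
                           "process": proc, "pid": pid})
    return events

def summarize(events):
    """Group violations by destination address for triage."""
    out = {}
    for e in events:
        entry = out.setdefault(e["addr"], {"count": 0, "threads": [], "uids": []})
        entry["count"] += 1
        for key, val in (("threads", e["thread"] or "?"), ("uids", e["uid"])):
            if val not in entry[key]:
                entry[key].append(val)
    return out

if __name__ == "__main__":
    print(summarize(find_cleartext_violations(SAMPLE_LOGCAT)))
```
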

github-actions[bot] commented 6 days ago

This issue is stale because it has been open for 30 days with no activity.

github-actions[bot] commented 3 hours ago

This issue was closed because it has been inactive for 5 days since being marked as stale.