The android:usesCleartextTraffic attribute in the Android manifest must not be "true". This check may move to manual review in the future.
We have had multiple developers ask about this requirement since they find it conflicting with their needs. Notably, the Play Store does not do this sort of check. Moreover, the check is not fully implemented because it doesn't take network security configs into account, meaning it's bypassable. Finally, it's not truly enforceable anyway since the operating system can't reliably determine whether traffic is cleartext or not.
We should at a minimum:
[ ] Update the policy documentation to remove the current statement about usesCleartextTraffic
[x] Remove any corresponding checks from the developer console
However, because usesCleartextTraffic can be a useful security indicator, we may also want to notify developers in the developer console when their app allows cleartext traffic through either the app manifest or network security config
The documentation currently states:
We have had multiple developers ask about this requirement since they find it conflicting with their needs. Notably, the Play Store does not do this sort of check. Moreover, the check is not fully implemented because it doesn't take network security configs into account, meaning it's bypassable. Finally, it's not truly enforceable anyway since the operating system can't reliably determine whether traffic is cleartext or not.
We should at a minimum:
usesCleartextTrafficHowever, because usesCleartextTraffic can be a useful security indicator, we may also want to notify developers in the developer console when their app allows cleartext traffic through either the app manifest or network security config