shesek / spark-wallet

⚡️ A minimalistic wallet GUI for c-lightning, accessible over the web or through mobile and desktop apps.
MIT License

Android app v0.2.11 not able to make unencrypted connections #132

Closed ghost closed 4 years ago

ghost commented 4 years ago

The moment the spark-wallet App on my android (version 9) phone updated to version 0.2.11, it was no longer able to connect to my server. Spark-wallet still worked in a browser. I went back to spark-wallet App version 0.2.9 and everything is working again. This has nothing to do with the latest version of c-lightning (0.8.0) which only requires one to run spark-wallet with --ln-path ~/.lightning/bitcoin on the server.

See also this closed issue

shesek commented 4 years ago

Thanks for the report. I can't seem to reproduce this on my android, but I'll give this a try with a few more devices and report back.

Are you connecting via http, https or onion?

I recently updated the android sdk target version from 27 to 28, perhaps this affected something? The v0.2.11 apk published on github releases should be identical to the one on the Play Store, except for still targeting sdk version 27 and not 28. Could you give this a try?

Also, I'm wondering if it might be related to this by any chance? (though, this would get your server connection details forgotten, but shouldn't prevent it from working if you re-fill them)

ghost commented 4 years ago

I run spark-wallet with --no-tls (it never worked without it) and in the App I connect via http://myIP:9737 plus the access key. I installed the v0.2.11 apk but that didn't help, still getting Error Connection to server lost.

> Also, I'm wondering if it might be related to this by any chance?

I get: Sorry, this page doesn't exist! Oh with wit -> with in the link it exists

I installed v0.2.10 instead of v0.2.9 and that one also works.

By the way: I changed exchange-rate.js in directory: /home/user/.npm-global/lib/node_modules/spark-wallet/dist from dollar to euro like this: https://www.bitstamp.net/api/v2/ticker/btcusd -> https://www.bitstamp.net/api/v2/ticker/btceur and now I see everything displayed in euro, although in the App I have to read usd as unit standard dutch = euro :-)

shesek commented 4 years ago

You definitely shouldn't be connecting over the public internet without using TLS or onion... :scream: Have you tried setting up a hidden service with --onion?

It appears like the issue definitely is related to targeting android sdk version 28. From "An Update on Android TLS Adoption":

> To ensure apps are safe, apps targeting Android 9 (API level 28) or higher automatically have a policy set by default that prevents unencrypted traffic for every domain. ... any use of unencrypted connections is the result of an explicit choice by the developer.

Looks like allowing unencrypted traffic now requires setting some explicit network security configurations. I'll look into doing this with the Cordova build process that spark uses.
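Added example (not part of the thread and not spark-wallet's code): a small Python evaluator for the Android Network Security Config cleartext rule quoted above, showing why the same `http://` connection is allowed when targeting API 27 and blocked at 28, and how a broad opt-out differs from one scoped to a single host. The two XML samples and the host addresses are constructed; nested `domain-config` elements and the manifest-level `usesCleartextTraffic` attribute are not modelled.

```python
import xml.etree.ElementTree as ET

# Constructed sample: cleartext allowed for every host (the broad opt-out).
PERMISSIVE = """<network-security-config>
  <base-config cleartextTrafficPermitted="true" />
</network-security-config>"""

# Constructed sample: cleartext allowed only for one development host.
SCOPED = """<network-security-config>
  <base-config cleartextTrafficPermitted="false" />
  <domain-config cleartextTrafficPermitted="true">
    <domain includeSubdomains="false">10.0.2.2</domain>
  </domain-config>
</network-security-config>"""


def _flag(elem, inherited):
    """Read cleartextTrafficPermitted, falling back to the inherited value."""
    if elem is None or "cleartextTrafficPermitted" not in elem.attrib:
        return inherited
    return elem.get("cleartextTrafficPermitted").lower() == "true"


def cleartext_allowed(host, target_sdk, config_xml=None):
    """Return True if plain http:// to `host` is permitted for this app."""
    # Platform default: allowed when targeting API <= 27, blocked from 28 on.
    allowed = target_sdk < 28
    if config_xml is None:
        return allowed
    root = ET.fromstring(config_xml)
    allowed = _flag(root.find("base-config"), allowed)
    host, best_len, result = host.lower(), -1, allowed
    for dc in root.findall("domain-config"):  # top-level configs only
        for d in dc.findall("domain"):
            name = (d.text or "").strip().lower()
            subs = d.get("includeSubdomains", "false").lower() == "true"
            match = host == name or (subs and host.endswith("." + name))
            # The most specific (longest) matching domain rule wins.
            if match and len(name) > best_len:
                best_len, result = len(name), _flag(dc, allowed)
    return result


if __name__ == "__main__":
    for sdk, cfg in [(27, None), (28, None), (28, PERMISSIVE), (28, SCOPED)]:
        print(sdk, cleartext_allowed("203.0.113.5", sdk, cfg))
```

A domain-scoped rule only helps when the cleartext hosts are known at build time; an app whose users type in an arbitrary server address can only opt out globally, which is why TLS, onion or a VPN in front of the server remains the safer path.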

shesek commented 4 years ago

Looks like this should do the trick: https://stackoverflow.com/a/56715421/865693

ghost commented 4 years ago

> You definitely shouldn't be connecting over the public internet without using TLS

Well, this issue is still open.

> Have you tried setting up a hidden service with --onion?

As far as I understand it, I then need to run tor on my phone. That's a bit too much.

shesek commented 4 years ago

Setting up Orbot on Android isn't too bad, I've been using it for quite some time on my device.

If you don't want to use Orbot and can't get the built-in TLS to work (I'm not sure why it doesn't for some people and wasn't able to reproduce this), I would still advise to look into some other solution for encryption - an nginx reverse proxy in front of the spark web server, ssh tunnel, vpn, or something similar.

Even though I don't recommend this, I'm working on a solution to allow making unencrypted connections. At the very least, it's useful for development and testnet/regtest demonstrations. Will hopefully have something ready soon.

k3tan172 commented 4 years ago

Glad we've figured out the issue. Without the --no-tls flag, spark-wallet never worked for me either. I've connected over tor previously, it works, but as @sumBTC is saying, not keen on firing up orbot to access spark-wallet. My preferred method of access is through VPN.

shesek commented 4 years ago

Reopening until @sumBTC / @k3tan172 confirms this works (will shortly be released as v0.2.12).

shesek commented 4 years ago

I released v0.2.12, should shortly become available in the Play Store. @sumBTC @k3tan172 can you give this a go?

ghost commented 4 years ago

Yes, v0.2.12 works again with --no-tls (but not without it). I installed it from the apk, not the Play Store. Well done and thanks!

k3tan172 commented 4 years ago

Can confirm, we're good here. Thanks for your help!

shesek commented 4 years ago

Great! Thank you for confirming.

I do still recommend you to look into setting up something else to take care of encryption. You can try following the instructions here to set up nginx as a reverse proxy with TLS. If you're running into trouble, feel free to ping me on freenode (same nick) and I'll gladly help.