Network security config for range of ip addresses?


In Android P, cleartext communication is disabled by default. Instead, there are two options:

  • One needs to explicitly declare that cleartext communication is allowed in the manifest file with
  • Or one needs to declare, via a network security config, the domains for which cleartext communication is allowed.

My question has to do with the second approach. I can whitelist a specific IP address like this in network_security_config.xml:

<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <domain-config cleartextTrafficPermitted="true">
        <domain includeSubdomains="true">192.168.1.1</domain>
    </domain-config>
</network-security-config>

However, I would like to whitelist all private IP addresses. I tried a few trial-and-error cases but I wasn't able to make it work.

In essence, is there an option to define a range of IP addresses in the network security config?


Answer (score 2)

No, sorry.

In fact, I suspect that supporting <domain includeSubdomains="true">192.168.1.1</domain> is accidental and may not prove reliable over time, if they start to think that <domain> refers to actual domain names and not arbitrary host values, such as IP addresses.

Answer (score 1)

For getting the IP of your machine, there is a solution.

This is my network config file at res/xml:

<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <domain-config cleartextTrafficPermitted="true">
        <domain includeSubdomains="true">
            <!-- YOUR LOCAL IP -->
        </domain>
    </domain-config>
</network-security-config>

This is the code in my Gradle file:

// Groovy helper in build.gradle: returns the first non-loopback IPv4 address
// found on a wlan* interface of the build machine.
static def getLocalIP() {
    def ip4s = []
    NetworkInterface.getNetworkInterfaces()
        .findAll { it.isUp() && !it.isLoopback() && !it.isVirtual() }
        .each {
            if (it.name.startsWith("wlan")) {
                it.getInetAddresses()
                    .findAll { !it.isLoopbackAddress() && it instanceof Inet4Address }
                    .each { ip4s << it }
            }
        }
    // InetAddress.toString() yields "/192.168.1.5"; drop the leading slash.
    // Throws if no wlan* interface carries an IPv4 address, which fails the build loudly.
    return ip4s.first().toString().substring(1)
}

// Copies the template from src/main into the debug source set, replacing the
// placeholder comment with the detected address. Only src/debug/res/xml is
// written, so the release build keeps its own (cleartext-blocking) config.
task ipNetwork(type: Copy) {
    from ('src/main/res/xml/network_security_config.xml')
    into ('src/debug/res/xml')
    filter {
        String line -> line.replaceAll("<!-- YOUR LOCAL IP -->", getLocalIP())
    }
}

This changes just the debug file, so it's useful for pointing your debug app at the local machine. The script could be adapted to generate a bunch of domain tags, one for each variation of the IP. That was my first thought, adding a domain for every 192.168.x.x address, but it would result in a file with 65536 domains, which seems a little bit awful.

Answer (score 2)

Though you are looking for a way to allow a specific range of IP addresses, that seems to be impossible at this time. You can allow all IP addresses and get rid of the error message by making this config:

config.xml

<platform name="android">
...
        <edit-config file="app/src/main/AndroidManifest.xml" mode="merge" target="/manifest/application" xmlns:android="http://schemas.android.com/apk/res/android">
            <application android:networkSecurityConfig="@xml/network_security_config" />
        </edit-config>
        <resource-file src="resources/android/xml/network_security_config.xml" target="app/src/main/res/xml/network_security_config.xml" />
...
</platform>

resources/android/xml/network_security_config.xml

<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config cleartextTrafficPermitted="true" />
</network-security-config>
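The network security config has no range syntax, so the two practical routes on this page are the second answer's idea of generating one `<domain>` entry per host for a debug-only source set, or the last answer's `<base-config cleartextTrafficPermitted="true" />`, which re-enables cleartext to every host the app ever talks to, in release builds too. The following script is an added example (not code from the question or any of the answers) that takes the first route and keeps it bounded: it expands one or more small private CIDR ranges into `<domain>` entries, refuses public ranges and ranges that would blow up the file, and emits no `<base-config>` so every other host keeps the Android P default. It relies on the same behaviour the answers rely on, namely that Android matches the URL host literal against `<domain>` text, which the first answer warns may not be guaranteed. The function names, the `MAX_ENTRIES` cap and the suggested output path `app/src/debug/res/xml/` are assumptions of this example.

```python
"""Generate an Android network_security_config.xml that permits cleartext only
to the hosts of one or more small private CIDR ranges.

Added example, not code from the original question or answers. It depends on
Android matching the URL host literal against <domain> text, the same behaviour
the answers above use for a single IP. MAX_ENTRIES, the private-range check and
the function names are assumptions of this example.
"""
import ipaddress
import xml.etree.ElementTree as ET

# Assumed cap: expanding 192.168.0.0/16 would give 65534 <domain> entries, the
# file size the second answer rejects. Refuse anything near that.
MAX_ENTRIES = 1024


def hosts_in(cidrs):
    """Expand CIDR strings into host-address strings.

    Raises ValueError for a public range (cleartext to the internet is exactly
    what the Android P default is protecting against) or for a range whose
    expansion exceeds MAX_ENTRIES.
    """
    addrs = []
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr, strict=True)
        if not net.is_private:
            raise ValueError(f"{cidr} is not a private range; refusing to allow cleartext to it")
        # hosts() skips the network and broadcast addresses for prefixes < /31.
        addrs.extend(str(h) for h in net.hosts())
    if len(addrs) > MAX_ENTRIES:
        raise ValueError(f"{len(addrs)} entries exceed the cap of {MAX_ENTRIES}; narrow the range")
    return addrs


def build_config(cidrs):
    """Return the <network-security-config> element tree.

    No <base-config cleartextTrafficPermitted="true"> is emitted, so any host
    outside the listed ranges keeps the platform default (cleartext blocked).
    """
    root = ET.Element("network-security-config")
    dc = ET.SubElement(root, "domain-config", cleartextTrafficPermitted="true")
    for addr in hosts_in(cidrs):
        # includeSubdomains has no meaning for an IP literal; keep it off.
        d = ET.SubElement(dc, "domain", includeSubdomains="false")
        d.text = addr
    return root


def render(cidrs):
    """Serialize the config to the XML text Android expects under res/xml/."""
    root = build_config(cidrs)
    if hasattr(ET, "indent"):  # Python 3.9+
        ET.indent(root, space="    ")
    return '<?xml version="1.0" encoding="utf-8"?>\n' + ET.tostring(root, encoding="unicode") + "\n"


def count_domains(xml_text):
    """Parse a rendered config back and count its <domain> entries."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    return len(root.findall("./domain-config/domain"))


if __name__ == "__main__":
    # Constructed sample: two small lab ranges. Redirect the output into
    # app/src/debug/res/xml/network_security_config.xml (assumed path) so that
    # only the debug variant carries the allowance.
    print(render(["192.168.1.0/28", "10.0.0.0/29"]), end="")
```

Run it as `python gen_nsc.py > app/src/debug/res/xml/network_security_config.xml` from the module directory; because the file lives in the debug source set, the release APK is built without it and stays on the default policy, which is the property the `<base-config>` shortcut gives up. If the build machine's address is all that matters, a `/32` produces exactly one entry and the Gradle Copy task in the second answer becomes unnecessary.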