The following security message from Google Play may be received in your Developers Console regarding a pre-launch report after uploading an APK file.
Your app accepts user certificates when verifying secure connections. Detected in APK 30
Your app's Network Security Configuration allows the use of user-specified certificates. This could allow eavesdroppers to intercept data sent by your app, or modify data in transit.
Cleartext traffic allowed for all domains. Detected in APK 2005, 2004, 2003
Your app's Network Security Configuration allows cleartext traffic for all domains. This could allow eavesdroppers to intercept data sent by your app. If that data is sensitive or user-identifiable, it could impact the privacy of your users.
When developers upload their Android app's APK file to the Google Play Store, a pre-launch report gets generated by test devices that automatically analyze the app. If insecure network communication is detected, the pre-launch report will warn the developer. After tests are complete, your results will be available in the Pre-launch report section of your Google Play Console.
This article explains the purpose of the message received and any actions to be taken when support receives tickets related to this.
Google has announced that as of October 2019, 80% of all Android apps are now using Transport Layer Security (TLS) to encrypt their network traffic. Starting with Android 7 in 2016, Google introduced the Network Security Configuration file, which allows app developers to opt-out of using cleartext when performing network communication. In Android 9, released in 2018, Google took it a step further and made it so that any apps targeting Android 9 or higher would automatically use a default policy that prevents apps from using unencrypted traffic.
- This issue has been escalated to our Engineering team as it would require changes to the code.
- There is no direct change that support or customers can make to avoid this message.
- This message has been received due to Google's increase in security.
- The system is designed to send important data over HTTPS, but for some images and styles, we use HTTP, so there is nothing to worry about.
Please be assured that our Engineering team will perform all the necessary actions in our source code to comply with Google's terms before any deadline when provided.