Florent Morin Florent Morin - 3 months ago 11
Java Question

HSTS or ATS equivalent for Android?

My iOS apps are secured with ATS to enforce security.
Websites are using HSTS.
What is the equivalent technology for Android?

Thanks. :-)

Answer

Android introduced similar functionality in API level 23. You can do this in the network_security_config.xml file. This is the example from the Android documentation:

<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <domain-config cleartextTrafficPermitted="false">
        <domain includeSubdomains="true">secure.example.com</domain>
    </domain-config>
</network-security-config>

Make sure you including your network_security_config.xml file in your application's manifest as specified at the beginning of the documentation, otherwise the file will be ignored.

Comments