NetworkSecurityPolicy

Kotlin |Java

open class NetworkSecurityPolicy

kotlin.Any
↳	android.security.NetworkSecurityPolicy

Network security policy.

Network stacks/components should honor this policy to make it possible to centrally control the relevant aspects of network security behavior.

Summary

Constants
static Int	`DOMAIN_ENCRYPTION_MODE_DISABLED` Domain encryption is disabled for the app.
static Int	`DOMAIN_ENCRYPTION_MODE_ENABLED` Domain encryption is in fully enabled mode for the app.
static Int	`DOMAIN_ENCRYPTION_MODE_OPPORTUNISTIC` Domain encryption is in opportunistic mode for the app.
static Int	`DOMAIN_ENCRYPTION_MODE_UNKNOWN` Unknown setting for domain encryption in the app.

Public methods
open Int	`getDomainEncryptionMode(hostname: String)` Returns the domain encryption mode the app has chosen for the given `hostname`, including the setting for Encrypted Client Hello.
open static NetworkSecurityPolicy	`getInstance()` Gets the policy for this process.
open Boolean	`isCertificateTransparencyVerificationRequired(hostname: String)` Returns `true` if Certificate Transparency information is required to be verified by the client in TLS connections to `hostname`.
open Boolean	`isCleartextTrafficPermitted()` Returns whether cleartext network traffic (e.g. HTTP, FTP, WebSockets, XMPP, IMAP, SMTP -- without TLS or STARTTLS) is permitted for all network communication from this process.
open Boolean	`isCleartextTrafficPermitted(hostname: String?)` Returns whether cleartext network traffic (e.g. HTTP, FTP, XMPP, IMAP, SMTP -- without TLS or STARTTLS) is permitted for communicating with

Constants

DOMAIN_ENCRYPTION_MODE_DISABLED

Added in API level 23

static val DOMAIN_ENCRYPTION_MODE_DISABLED: Int

Domain encryption is disabled for the app. ECH and GREASE should not be used.

Value: 1

DOMAIN_ENCRYPTION_MODE_ENABLED

Added in API level 23

static val DOMAIN_ENCRYPTION_MODE_ENABLED: Int

Domain encryption is in fully enabled mode for the app. ECH will be enabled when there is server support, otherwise GREASE will be used.

Value: 3

DOMAIN_ENCRYPTION_MODE_OPPORTUNISTIC

Added in API level 23

static val DOMAIN_ENCRYPTION_MODE_OPPORTUNISTIC: Int

Domain encryption is in opportunistic mode for the app. ECH will only be enabled when there is server support, and GREASE will not be used.

Value: 2

DOMAIN_ENCRYPTION_MODE_UNKNOWN

Added in API level 23

static val DOMAIN_ENCRYPTION_MODE_UNKNOWN: Int

Unknown setting for domain encryption in the app.

This is the default value returned by getDomainEncryptionMode(String) when not overridden. Network libraries should avoid performing any domain encryption and perform a standard TLS handshake, equivalent to DOMAIN_ENCRYPTION_MODE_DISABLED.

Value: 0

Public methods

getDomainEncryptionMode

Added in API level 23

open fun getDomainEncryptionMode(hostname: String): Int

Returns the domain encryption mode the app has chosen for the given hostname, including the setting for Encrypted Client Hello.

Parameters
`hostname`	String: hostname to check what domain encryption mode has been chosen by the app. This value cannot be `null`.

Return
`Int`	int representing the domain encryption mode. Value is one of the following: `DOMAIN_ENCRYPTION_MODE_UNKNOWN` `DOMAIN_ENCRYPTION_MODE_DISABLED` `DOMAIN_ENCRYPTION_MODE_OPPORTUNISTIC` `DOMAIN_ENCRYPTION_MODE_ENABLED`

getInstance

Added in API level 23

open static fun getInstance(): NetworkSecurityPolicy

Gets the policy for this process.

It's fine to cache this reference. Any changes to the policy will be immediately visible through the reference.

Return
`NetworkSecurityPolicy`	This value cannot be `null`.

isCertificateTransparencyVerificationRequired

Added in API level 36

open fun isCertificateTransparencyVerificationRequired(hostname: String): Boolean

Returns true if Certificate Transparency information is required to be verified by the client in TLS connections to hostname.

See RFC6962 section 3.3 for more details.

Parameters
`hostname`	String: hostname to check whether certificate transparency verification is required. This value cannot be `null`.

Return
`Boolean`	`true` if certificate transparency verification is required and `false` otherwise

isCleartextTrafficPermitted

Added in API level 23

open fun isCleartextTrafficPermitted(): Boolean

Returns whether cleartext network traffic (e.g. HTTP, FTP, WebSockets, XMPP, IMAP, SMTP -- without TLS or STARTTLS) is permitted for all network communication from this process.

When cleartext network traffic is not permitted, the platform's components (e.g. HTTP and FTP stacks, android.app.DownloadManager, android.media.MediaPlayer) will refuse this process's requests to use cleartext traffic. Third-party libraries are strongly encouraged to honor this setting as well.

This flag is honored on a best effort basis because it's impossible to prevent all cleartext traffic from Android applications given the level of access provided to them. For example, there's no expectation that the java.net.Socket API will honor this flag because it cannot determine whether its traffic is in cleartext. However, most network traffic from applications is handled by higher-level network stacks/components which can honor this aspect of the policy.

NOTE: android.webkit.WebView honors this flag for applications targeting API level 26 and up.

isCleartextTrafficPermitted

Added in API level 24

open fun isCleartextTrafficPermitted(hostname: String?): Boolean

Returns whether cleartext network traffic (e.g. HTTP, FTP, XMPP, IMAP, SMTP -- without TLS or STARTTLS) is permitted for communicating with hostname for this process.

Parameters
`hostname`	String?: This value may be `null`.

See Also

#isCleartextTrafficPermitted()