How to prevent HTTP (insecure) calls in a Flutter app?

I am running security checks in my app. I don’t want any developers to run http APIs from the app. The docs say HTTP is disabled by default on Android and iOS. But my app works fine with HTTP anyway. Any idea what may be the issue?

Related: Flutter doesn't respect Android's `android:usesCleartextTraffic="false"` settings · Issue #106678 · flutter/flutter · GitHub

Sample project:


Without trying your code, did you try to use cronet_http and cupertino_http instead of the normal Dart ones? They definitely don’t allow http calls.


You can’t. Everybody can import dart:io and make an HttpClient, and you can’t really prevent that from happening.

@mraleph but doesn’t Android block http calls unless you opt into clear text calls?
Maybe @Harish should explain what he means by preventing such calls. Are we talking of an app or a package here?

I don’t think Android settings like usesCleartextTraffic affect the raw network APIs which dart:io uses. There was an attempt to make Dart’s networking stack respect these settings as well, but for various reasons it was rolled back.


Do you know when this happened? Flutter definitely used to respect this.

Flutter doc reference

I always had to add the clear text / arbitrary loads settings (Android, iOS respectively), but I just tried a new project (latest Flutter stable, 3.24.5) and it indeed allows http:// requests.
Note: I just tested with a new SwiftUI app that accesses the same http:// site, and that fails as expected with “The resource could not be loaded because the App Transport Security policy requires the use of a secure connection.”

I also wonder about the review process: will (e.g.) Apple allow the app without the arbitrary loads entry being disabled in the Info.plist?

If this is now the case, Flutter / Dart should have made a big splash announcing it, due to the security risks associated.


Do you have any solution or workaround for this?

Exactly. Before, the restriction was there. Suddenly it’s not.

What exactly do you want to prevent in your app? Or don’t you have control over the URLs?

And as said, if you use cronet_http and cupertino_http it’s definitely blocked.

I don’t want any HTTP calls from my app. This app is a banking one, and even if someone accidentally (supply chain attack) adds an HTTP API it should not work. I’ll try the method you have suggested and update here.

True, but for people who continue to use the http package, as this seems to be a change in Dart, Flutter / Dart should have made a big splash announcing the change, due to the security risks associated.

Also, will the apps pass scrutiny (e.g. for Apple, without the Info.plist arbitrary loads entry being disabled)?


See the bug which is linked from the same breaking change announcement you have linked. This happened ~3 years ago, got released in Flutter 2.0 and reverted in 2.2 (IIUC). So the restriction was only really supported briefly, for 2 stable releases (which means it was there for ~6-8 months). Outside of this time frame these restrictions were never respected.

I don’t think there are any real security risks here. If you are concerned about accidentally making requests over HTTP instead of HTTPS, then funnel all your networking through a single helper and put a check there.

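One way to implement the single-helper check suggested above, as an added example that is not code from the thread or from the http package: a wrapper around package:http that rejects any non-https request and also inspects each redirect hop, because the IO client follows redirects internally, so a scheme check on the outgoing URL alone would still let an https-to-http downgrade redirect through. The class name, constructor and redirect limit are assumptions for this illustration; it only covers code that is routed through this client, not code that imports dart:io directly.

```dart
import 'dart:async';

import 'package:http/http.dart' as http;

/// Hypothetical helper: refuses cleartext requests and cleartext redirects.
class HttpsOnlyClient extends http.BaseClient {
  HttpsOnlyClient(this._inner, {this.maxRedirects = 5});

  final http.Client _inner;
  final int maxRedirects;

  @override
  Future<http.StreamedResponse> send(http.BaseRequest request) async {
    _requireHttps(request.url);
    // Turn off automatic redirect following so every hop passes through here.
    request.followRedirects = false;
    var response = await _inner.send(request);
    var hops = 0;
    while (response.isRedirect && hops < maxRedirects) {
      final location = response.headers['location'];
      if (location == null) break;
      final next = request.url.resolve(location);
      _requireHttps(next); // an https -> http downgrade redirect is refused
      // The original body stream is consumed, so hops are replayed as GET.
      final redirected = http.Request('GET', next)..followRedirects = false;
      response = await _inner.send(redirected);
      hops++;
    }
    return response;
  }

  @override
  void close() => _inner.close();

  static void _requireHttps(Uri url) {
    if (url.scheme != 'https') {
      throw StateError('Cleartext request blocked: $url');
    }
  }
}

Future<void> main() async {
  final client = HttpsOnlyClient(http.Client());
  try {
    // Constructed example URL; the helper rejects it before any socket opens.
    await client.get(Uri.parse('http://example.com/'));
  } on StateError catch (e) {
    print(e);
  } finally {
    client.close();
  }
}
```

Inject this client wherever the app's networking layer currently constructs an http.Client, so that no call site can bypass it without a visible code change.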

No, all fine. I’ve always only used https://. Just surprised there wasn’t more “noise” about this change.
