
I need your take on this. The target SDKs of my Android app are android:minSdkVersion="28" and android:targetSdkVersion="35". Is it okay if I don't create a Network Security Configuration since I am targeting SDKs >28 and <35?

Are there security concerns if I skip creating the network_security_config.xml?

I did not include network_security_config.xml in my Android Application.

1 Answer


No, you don't need to add it. Omitting the file is the most secure option.

Since your app targets API 28+, Android automatically blocks all insecure cleartext (http://) traffic by default. This is a crucial security feature.

You only need to create a network_security_config.xml file if you need to create an exception to this secure default, such as:

  • Allowing http:// traffic to a specific legacy domain (discouraged).
  • Trusting custom certificates for debugging.
  • Implementing certificate pinning.

For standard apps that only communicate over https://, doing nothing is the best practice.


1 Comment

Got it. Thank you for explaining it.
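
To verify the effective policy instead of assuming it, the check below (an added example, not part of the original question or answer) parses a merged manifest and an optional network_security_config.xml and reports cleartext and user-CA exceptions. The function name `audit` and the sample XML are constructed for illustration; it assumes devices on API 24+, where android:usesCleartextTraffic is ignored once a config file is present.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace

def audit(manifest_xml, nsc_xml=None):
    """Return (cleartext_allowed_by_default, findings). Assumes API 24+ devices."""
    root = ET.fromstring(manifest_xml)
    target = int(root.find("uses-sdk").get(A + "targetSdkVersion"))
    cleartext = target <= 27  # platform default becomes "blocked" at targetSdk 28
    findings = []
    if nsc_xml is None:
        # Without a config file, the manifest flag can still override the default.
        flag = root.find("application").get(A + "usesCleartextTraffic")
        if flag is not None:
            cleartext = flag == "true"
    else:
        # With a config file, usesCleartextTraffic is ignored (API 24+).
        nsc = ET.fromstring(nsc_xml)
        base = nsc.find("base-config")
        if base is not None and base.get("cleartextTrafficPermitted"):
            cleartext = base.get("cleartextTrafficPermitted") == "true"
        for section in nsc:
            if section.tag == "debug-overrides":
                continue  # only takes effect in debuggable builds
            for dc in section.iter("domain-config"):
                if dc.get("cleartextTrafficPermitted") == "true":
                    hosts = ", ".join(d.text for d in dc.findall("domain"))
                    findings.append("cleartext allowed for: " + hosts)
            for cert in section.iter("certificates"):
                if cert.get("src") == "user":
                    findings.append("user-installed CAs trusted in <%s>" % section.tag)
    if cleartext:
        findings.append("cleartext allowed by default")
    return cleartext, findings

# Constructed sample inputs (not from the original post).
MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-sdk android:minSdkVersion="28" android:targetSdkVersion="35"/>
  <application/>
</manifest>"""
NSC_WITH_EXCEPTIONS = """<network-security-config>
  <domain-config cleartextTrafficPermitted="true">
    <domain includeSubdomains="true">legacy.example.com</domain>
  </domain-config>
  <debug-overrides>
    <trust-anchors><certificates src="user"/></trust-anchors>
  </debug-overrides>
</network-security-config>"""
```

Run it against the merged manifest from the build output, since SDK levels set in Gradle only appear there.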
