Insecure connections are disabled by default on iOS and Android.

Summary

If your code tries to open an insecure socket to a host on iOS or Android, a SocketException is now thrown with the following message:

Insecure socket connections are disallowed by platform: <host>

Context

Starting with Android API 28 and iOS 9, these platforms disable insecure connections by default.

With this change Flutter also disables insecure connections on mobile platforms. Other platforms (desktop, web, etc) are not affected.

You can override this behavior by following the platform-specific guidelines to define a domain-specific network policy. See migration guide below for details.

Migration guide

On iOS, you can add NSExceptionDomains to your application’s Info.plist.

On Android, you can add a network security config XML. For Flutter to find your XML file, you need to also add a metadata entry to the <application> tag in your manifest. This metadata entry should carry the name: io.flutter.network-policy and should contain the resource identifier of the XML.

For instance, if you put your XML configuration under res/xml/network_security_config.xml, your manifest would contain:

<application ...>
  ...
  <meta-data android:name="io.flutter.network-policy"
             android:resource="@xml/network_security_config"/>
</application>

Furthermore:

  • Build time configuration is the only way to change network policy. It cannot be modified at runtime.
  • Localhost connections are always allowed.
  • You can allow insecure connections only to domains. Specific IP addresses are not accepted as input. This is in line with what platforms support.

Timeline

Landed in version: 1.22
In stable release: not yet

References

API documentation: There’s no API for this change since the modification to network policy is done via platform specific configuration as detailed above.

Relevant PRs: