1 /**
2  * Copyright (c) 2015, The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *     http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 package android.security;
18 
19 import android.annotation.TestApi;
20 import android.content.Context;
21 import android.content.pm.PackageManager;
22 import android.security.net.config.ApplicationConfig;
23 import android.security.net.config.ManifestConfigSource;
24 
25 /**
26  * Network security policy.
27  *
28  * <p>Network stacks/components should honor this policy to make it possible to centrally control
29  * the relevant aspects of network security behavior.
30  *
31  * <p>The policy currently consists of a single flag: whether cleartext network traffic is
32  * permitted. See {@link #isCleartextTrafficPermitted()}.
33  */
34 public class NetworkSecurityPolicy {
35 
36     private static final NetworkSecurityPolicy INSTANCE = new NetworkSecurityPolicy();
37 
NetworkSecurityPolicy()38     private NetworkSecurityPolicy() {}
39 
40     /**
41      * Gets the policy for this process.
42      *
43      * <p>It's fine to cache this reference. Any changes to the policy will be immediately visible
44      * through the reference.
45      */
getInstance()46     public static NetworkSecurityPolicy getInstance() {
47         return INSTANCE;
48     }
49 
50     /**
51      * Returns whether cleartext network traffic (e.g. HTTP, FTP, WebSockets, XMPP, IMAP, SMTP --
52      * without TLS or STARTTLS) is permitted for all network communication from this process.
53      *
54      * <p>When cleartext network traffic is not permitted, the platform's components (e.g. HTTP and
55      * FTP stacks, {@link android.app.DownloadManager}, {@link android.media.MediaPlayer}) will
56      * refuse this process's requests to use cleartext traffic. Third-party libraries are strongly
57      * encouraged to honor this setting as well.
58      *
59      * <p>This flag is honored on a best effort basis because it's impossible to prevent all
60      * cleartext traffic from Android applications given the level of access provided to them. For
61      * example, there's no expectation that the {@link java.net.Socket} API will honor this flag
62      * because it cannot determine whether its traffic is in cleartext. However, most network
63      * traffic from applications is handled by higher-level network stacks/components which can
64      * honor this aspect of the policy.
65      *
66      * <p>NOTE: {@link android.webkit.WebView} does not honor this flag.
67      */
isCleartextTrafficPermitted()68     public boolean isCleartextTrafficPermitted() {
69         return libcore.net.NetworkSecurityPolicy.getInstance().isCleartextTrafficPermitted();
70     }
71 
72     /**
73      * Returns whether cleartext network traffic (e.g. HTTP, FTP, XMPP, IMAP, SMTP -- without
74      * TLS or STARTTLS) is permitted for communicating with {@code hostname} for this process.
75      *
76      * @see #isCleartextTrafficPermitted()
77      */
isCleartextTrafficPermitted(String hostname)78     public boolean isCleartextTrafficPermitted(String hostname) {
79         return libcore.net.NetworkSecurityPolicy.getInstance()
80                 .isCleartextTrafficPermitted(hostname);
81     }
82 
83     /**
84      * Sets whether cleartext network traffic is permitted for this process.
85      *
86      * <p>This method is used by the platform early on in the application's initialization to set
87      * the policy.
88      *
89      * @hide
90      */
setCleartextTrafficPermitted(boolean permitted)91     public void setCleartextTrafficPermitted(boolean permitted) {
92         FrameworkNetworkSecurityPolicy policy = new FrameworkNetworkSecurityPolicy(permitted);
93         libcore.net.NetworkSecurityPolicy.setInstance(policy);
94     }
95 
96     /**
97      * Handle an update to the system or user certificate stores.
98      * @hide
99      */
handleTrustStorageUpdate()100     public void handleTrustStorageUpdate() {
101         ApplicationConfig config = ApplicationConfig.getDefaultInstance();
102         if (config != null) {
103             config.handleTrustStorageUpdate();
104         }
105     }
106 
107     /**
108      * Returns an {@link ApplicationConfig} based on the configuration for {@code packageName}.
109      *
110      * @hide
111      */
getApplicationConfigForPackage(Context context, String packageName)112     public static ApplicationConfig getApplicationConfigForPackage(Context context,
113             String packageName) throws PackageManager.NameNotFoundException {
114         Context appContext = context.createPackageContext(packageName, 0);
115         ManifestConfigSource source = new ManifestConfigSource(appContext);
116         return new ApplicationConfig(source);
117     }
118 }
119