Firewall Phase 1.2: Cleartext traffic denial
This is the app side for the cleartext traffic configuration.
Android already lets app developers select how their app deals with cleartext traffic, so we want to avoid having a way to override that, i.e. allowing cleartext when the app developer has denied it.
However, we can always do the opposite, i.e. deny cleartext even when the app developer has asked for it to be allowed (or it's simply an old app) - this wouldn't be the default, but there's no reason it can't be allowed.
Finally, some apps might need cleartext - maybe the app is accessing a local server, or its traffic is encrypted but not with TLS, which means it's cleartext as far as these rules are concerned (Tor, VPN, etc.) - so allowing exclusions is always useful.
We'd want:
- Global toggle, off by default; turning it on would block all cleartext traffic. This would need Private DNS (DNS-over-TLS) to be enabled, so either set to a hostname or using one of ours (Cloudflare DNS). Automatic won't always work.
- Per-app toggle, but only for apps where:
  ```
  if targetSdk < P
      if cleartextTrafficPermitted != false
          showToggle()
  else if cleartextTrafficPermitted == true
      showToggle()
  ```
This only shows the toggle for apps where cleartext traffic would have been allowed, and keeps blocking apps which had it blocked already without a way to change that.
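
The per-app rule above, applied to decoded manifests, as an added Python example (not the project's own code). It assumes `cleartextTrafficPermitted` corresponds to the `android:usesCleartextTraffic` attribute of `<application>`, takes P as API level 28, and ignores any Network Security Config file; the function names and sample manifests are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
API_P = 28  # Android 9 (P)

def attr(elem, name):
    """Read an android:-namespaced attribute, or None if the element/attribute is absent."""
    return None if elem is None else elem.get(f"{{{ANDROID_NS}}}{name}")

def cleartext_state(manifest_xml):
    """Return (target_sdk, permitted); permitted is True, False, or None when unset."""
    root = ET.fromstring(manifest_xml)
    sdk = root.find("uses-sdk")
    # targetSdkVersion falls back to minSdkVersion, which itself defaults to 1.
    target_sdk = int(attr(sdk, "targetSdkVersion") or attr(sdk, "minSdkVersion") or 1)
    raw = attr(root.find("application"), "usesCleartextTraffic")
    if raw is None:
        return target_sdk, None
    if raw not in ("true", "false"):
        # e.g. a @bool/ resource reference that a plain manifest read cannot resolve
        raise ValueError(f"unresolved usesCleartextTraffic value: {raw!r}")
    return target_sdk, raw == "true"

def show_toggle(target_sdk, permitted):
    """The rule from the text: offer the toggle only where cleartext would be allowed."""
    if target_sdk < API_P:
        return permitted is not False   # pre-P: allowed unless explicitly denied
    return permitted is True            # P and later: allowed only if explicitly enabled

def toggle_visible_for(manifest_xml):
    return show_toggle(*cleartext_state(manifest_xml))

def sample_manifest(target_sdk, cleartext=None):
    """Build a constructed, minimal manifest for demonstration."""
    extra = "" if cleartext is None else f' android:usesCleartextTraffic="{cleartext}"'
    return (f'<manifest xmlns:android="{ANDROID_NS}" package="org.example.app">'
            f'<uses-sdk android:targetSdkVersion="{target_sdk}"/>'
            f'<application{extra}/></manifest>')

if __name__ == "__main__":
    for sdk, flag in [(26, None), (26, "false"), (30, None), (30, "true")]:
        visible = toggle_visible_for(sample_manifest(sdk, flag))
        print(f"targetSdk={sdk} usesCleartextTraffic={flag}: toggle={visible}")
```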