
Network security config for range of ip addresses?

In Android P, cleartext communication is disabled by default. Instead, there are two options:

  • One needs to explicitly declare that cleartext communication is allowed in the manifest file with
  • Or needs to declare the allowed domains that allow cleartext communication via a network security config.

My question has to do with the second approach. I can whitelist a specific ip address like this in network_security_config.xml

<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <domain-config cleartextTrafficPermitted="true">
        <domain includeSubdomains="true">192.168.1.1</domain>
    </domain-config>
</network-security-config>

However, I would like to whitelist all private ip addresses. I had a few trial-and-error cases but I wasn't able to make it work.

In essence, is there an option given to define a range of ip addresses in the network security config?

user10293922 asked Dec 08 '25 12:12


1 Answer

For getting the IP of your machine, there is a solution

This is my network config file at res/xml:

<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <domain-config cleartextTrafficPermitted="true">
        <domain includeSubdomains="true">
            <!-- YOUR LOCAL IP -->
        </domain>
    </domain-config>
</network-security-config>

This is the code at my gradle:

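// Returns the first IPv4 address of an active wlan* interface on the build machine.
static def getLocalIP() {
    def ip4s = []
    NetworkInterface.getNetworkInterfaces()
        .findAll { it.isUp() && !it.isLoopback() && !it.isVirtual() }
        .each {
            // Only Wi-Fi interfaces named wlan0, wlan1, ...
            if (it.name.startsWith("wlan")) {
                it.getInetAddresses()
                    .findAll { !it.isLoopbackAddress() && it instanceof Inet4Address }
                    .each { ip4s << it }
            }
        }
    // getHostAddress() returns the bare literal; toString() prefixes it with "hostname/"
    return ip4s.first().getHostAddress()
}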

task ipNetwork(type: Copy) {
    from ('src/main/res/xml/network_security_config.xml')
    into ('src/debug/res/xml')
    filter {
        String line -> line.replaceAll("<!-- YOUR LOCAL IP -->", getLocalIP())
    }
}

This changes just the debug file, so it's useful to point your debug app to your local machine. The script could be adapted to generate a bunch of domain tags for each variation of IP. This was my first thought, to add a domain for every 192.168.., but it would result in a file with 65536 domains, which seems a little bit awful.

Dara Keon answered Dec 11 '25 00:12
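The answer's idea of generating one domain tag per address, as an added example that is not part of the original answer: this Python script emits a network security config with one `<domain>` entry per host of a single subnet, refuses anything outside the RFC 1918 private ranges, and caps the number of entries. The function name `build_config`, the 1024-host cap, `includeSubdomains="false"` and the sample subnet are assumptions.

```python
import ipaddress
import sys

# RFC 1918 private ranges; a subnet outside all of them is refused.
RFC1918 = [ipaddress.IPv4Network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
MAX_HOSTS = 1024  # assumed cap, keeps the generated file small enough to review


def build_config(cidr, max_hosts=MAX_HOSTS):
    """Return network security config XML with one <domain> per host in cidr."""
    # strict=False lets a host address such as 192.168.1.37/24 name its subnet.
    net = ipaddress.IPv4Network(cidr, strict=False)
    if not any(net.subnet_of(r) for r in RFC1918):
        raise ValueError(f"{net} is not inside an RFC 1918 private range")
    if net.num_addresses - 2 > max_hosts:
        raise ValueError(f"{net} has more than {max_hosts} hosts; narrow the prefix")
    lines = ['<?xml version="1.0" encoding="utf-8"?>',
             '<network-security-config>',
             '    <domain-config cleartextTrafficPermitted="true">']
    # hosts() skips the network and broadcast addresses of the subnet.
    for host in net.hosts():
        # Assumption: includeSubdomains is set to false because an IP literal
        # has no subdomains to include.
        lines.append(f'        <domain includeSubdomains="false">{host}</domain>')
    lines += ['    </domain-config>', '</network-security-config>']
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed default subnet; pass the debug network's CIDR as argument 1.
    cidr = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.0/24"
    sys.stdout.write(build_config(cidr))
```

Redirect the output into the debug source set (the answer uses `src/debug/res/xml`) so the cleartext allowance is not shipped in the release build.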


