• State Not Answered
  • Replies 35 replies
  • Subscribers 15 subscribers
  • Views 7396 views
  • Users 0 members are here
Options
Related

Possible workarounds for APIs which support only HTTP

Former Member
Former Member over 5 years ago

Hi All

Understand that makeWebRequest supports only HTTPS and not HTTP.
However, the API I need to access uses only HTTP at this point of time.

Could any kind soul share the possible workarounds?

So far, I am looking into either setting up a Apache server to act as a proxy or using a companion application (Android / iOS) to workaround this. Both seems to be an awful lot of work for a simple application thus trying to find a simpler way.

Thanks!

  • 0 over 5 years ago in reply to jim_m_58

    I agree with dpawlyk, it's unfortunate that ios behaves in a different way than Android, Android shouldn't be more strict.

  • 0 over 5 years ago in reply to jim_m_58

    Sort of remember that thread. It appears the only reason was due to a change to Android 9/P/Pie.

    It's been awhile since I tried this on Android.

    I'm now running Pie from LineageOS.

    What doesn't make sense is that Android controllers for TVs and Amazon Fire Sticks work fine. Those aren't using https (AFAIK). I did nothing special to get them to work. So, these apps have presumably set the following for themselves:

    <application
...
android:usesCleartextTraffic="true"
...>
  • 0 over 5 years ago in reply to dpawlyk

    Garmin could allow clear text for the standard local IP addresses. So, it's not "by design". It's by choice.

    It's not a problem for a TV remote app to have this restriction because it can't be used in a general way.

    GCM is quite different since it needs to provide flexibility for IQ developers. It's more like a browser than an app that does one thing.

    No one really uses certificates for local networks. It's an unreasonable cost and burden to require developers to also have to write and maintain an android app to provide a basic function.

    Oddly, it appears Garmin allows clear text to Garmin domains.

  • 0 over 5 years ago in reply to dpawlyk

    This has all been discussed in the thread I linked to and Garmin made a decision.

  • 0 over 5 years ago in reply to jim_m_58

    I don't get your response here. Given your comments on that thread, it's odd that you keep trying to shut down discussion of it.

    Garmin's response in that thread wasn't satisfactory at all.

    Your "by design" suggests they had a good reason to make the choice the did.

    They didn't mention any reason to make https a requirement for local networks. From that thread, it's just something they didn't think of at all. They blame Android but Android isn't forcing them to do it (so, there's some dissembling too). 

    If they are really using clear text to connect to Garmin, that would be really bad (and completely unnecessary too).

    The decision was a poor one and isn't something Garmin can't make another decision to fix.

    Given how awful it was, it's worth some effort not to treat it as fate and encourage them to reconsider it.

    (I was also the only person in this thread to suggest a workaround.)

  • 0 over 5 years ago in reply to dpawlyk

    If you want to re-open the topic, it might be best to post in the thread I linked to.

  • 0 over 5 years ago in reply to jim_m_58

    Given that you seemed to miss that I did that, it doesn't seem "best" at all. 

  • 0 over 5 years ago in reply to dpawlyk

    It's because it's not an issue for me.  There you might get Garmin's attention.

  • 0 over 5 years ago in reply to jim_m_58

    Huh?

    It's an issue for other people. 

    That thread hasn't seen any activity from anybody in two months. People from Garmin left it like 3 months ago.

  • 0 over 5 years ago in reply to dpawlyk

    So, the issue is that newer versions of Android have enabled https (encrypted) access by default but allow apps to override this to use http ("cleartext") access.

    App developers have lots of control over what they allow the override for.

    While it's reasonable to require https for public servers, it doesn't make sense for local (private) networks. No one really uses certificates for these and doing so creates other security problems.

    Every IoT app has to override https access. Garmin Connect Mobile is an IoT app that really has to do the same thing.

    Garmin should allow http (cleartext) access to local (private) networks for IQ apps. Given that it appears that Garmin allows cleartext access to their public sites (which makes no sense), they could allow it for private sites too.

    IQ developers writing apps that do home automation or IoT things either have broken apps or have the burden of writing extra Android apps.

    Cleartext access is allowed on iOS (for numeric IP addresses) but not on Android. That creates another problem where there's an inexplicable (to end users) difference in behavior.


    By blocking cleartext access to private networks, Garmin is doing a large disservice to the developers it wants to build IQ apps.