Complete
over 5 years ago

Garmin Connect Mobile 4.22 for Android includes the changes to allow HTTP on 127.0.0.1.

Connect version 4.20 broke local http access?

Getting several reports of functionality no longer working. It looks like Android Garmin Connect app version 4.20 may have broken web requests to localhost via URLs like http://127.0.0.1:17580/sgv.json?count=3

Parents
  • Thanks for the update, but to be honest I am disappointed by the lack of progress. I already provided the solution in this thread. Did you test this? What was the outcome?

    Furthermore: I decompiled the latest APK and I found out there is already a network security XML in the APK:

    <?xml version="1.0" encoding="UTF-8"?>
    <network-security-config>
        <debug-overrides>
            <trust-anchors>
                <certificates src="user"/>
            </trust-anchors>
        </debug-overrides>
        <domain-config cleartextTrafficPermitted="true">
            <domain includeSubdomains="true">garmin.com</domain>
            <domain includeSubdomains="true">garmin.cn</domain>
            <domain includeSubdomains="true">garmincdn.com</domain>
        </domain-config>
    </network-security-config>

    So current behaviour in the latest APK is that clear HTTP traffic is already allowed to garmin.com, garmin.cn and garmincdn.com (which I find worrying, by the way: why is there a need to use plain HTTP to garmin.com? But that's another topic). So why not fully allow plain HTTP, like the solution I provided above?
    Please do not give a process answer (like "we are discussing", "we are working on it", "we created a ticket", etc.), but a specific answer to the questions I ask.
Children
  • Someone I know confirmed that adding `<base-config cleartextTrafficPermitted="true">` to the application brought it back to the old behavior.

  • Indeed the only thing that the document really says is:

    Starting with Android 9 (API level 28), cleartext support is disabled by default.

    But that is all... If the application's use case requires cleartext (non-TLS, regular HTTP), then it's up to the developer of the application to set the proper configuration flags. The statement is very neutral and doesn't say that it is a bad thing to do or that the application will have a bad rep on the Play Store. I think we already outlined that there are many valid use cases to allow non-TLS traffic. What are the next steps? Do we need to ask our users to downvote the GCM? Is there a manager this can be escalated to?

    Regards

  • I agree with you: the GCM team apparently already fixed it for their own use cases (the exceptions for the Garmin domains in the network security XML file), so they should just apply the simple fix I already provided (and tested on an Android sample app).

  • Then you would only add localhost. Above, I already described how you can fix all use cases: change the contents of the network security XML file to

    <?xml version="1.0" encoding="utf-8"?>
    <network-security-config>
        <base-config cleartextTrafficPermitted="true">
            <trust-anchors>
                <certificates src="system" />
            </trust-anchors>
        </base-config>
    </network-security-config>

    The statement that HTTP is no longer allowed as of SDK 28, which is made quite often in this thread, is false. The only thing which was changed is that by default it is no longer allowed, but this default can be overruled with the `<base-config cleartextTrafficPermitted="true">` statement in the security config XML file.

    This is not a dirty fix: it is documented and supported by Google: https://developer.android.com/training/articles/security-config.html
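
The effect of the configurations discussed in this thread, as an added example that is not part of any post and is not Garmin's code: a Python model of how Android decides `cleartextTrafficPermitted` for a host (platform default by target SDK, then `base-config`, then the most specific matching `domain-config`). The `SCOPED` config, the function names and the sample hosts are constructed for illustration.

```python
import xml.etree.ElementTree as ET

GARMIN = """<domain-config cleartextTrafficPermitted="true">
    <domain includeSubdomains="true">garmin.com</domain>
    <domain includeSubdomains="true">garmin.cn</domain>
    <domain includeSubdomains="true">garmincdn.com</domain>
  </domain-config>"""
# Config quoted from the decompiled APK (debug-overrides left out: no effect on cleartext).
SHIPPED = f"<network-security-config>{GARMIN}</network-security-config>"
# Global override proposed in the thread.
PROPOSED = """<network-security-config>
  <base-config cleartextTrafficPermitted="true">
    <trust-anchors><certificates src="system" /></trust-anchors>
  </base-config>
</network-security-config>"""
# Constructed alternative (not from the thread): shipped rules plus loopback only.
SCOPED = f"""<network-security-config>{GARMIN}
  <domain-config cleartextTrafficPermitted="true">
    <domain includeSubdomains="false">127.0.0.1</domain>
    <domain includeSubdomains="false">localhost</domain>
  </domain-config>
</network-security-config>"""

def _rules(node, inherited):
    """Yield (domain, include_subdomains, cleartext) per <domain>; nested configs inherit."""
    for dc in node.findall("domain-config"):
        attr = dc.get("cleartextTrafficPermitted")
        allowed = inherited if attr is None else attr == "true"
        for d in dc.findall("domain"):
            yield d.text.strip().lower(), d.get("includeSubdomains") == "true", allowed
        yield from _rules(dc, allowed)

def cleartext_permitted(config_xml, host, target_sdk=28):
    """Return True if plain HTTP to `host` is allowed under this config."""
    root = ET.fromstring(config_xml)
    base = root.find("base-config")
    attr = base.get("cleartextTrafficPermitted") if base is not None else None
    # Platform default: permitted when targeting API 27 or lower, denied from API 28.
    default = target_sdk < 28 if attr is None else attr == "true"
    host, best = host.lower(), None
    for domain, subs, allowed in _rules(root, default):
        matches = host == domain or (subs and host.endswith("." + domain))
        if matches and (best is None or len(domain) > len(best[0])):
            best = (domain, allowed)  # the most specific matching rule wins
    return default if best is None else best[1]

def audit(config_xml, target_sdk=28):
    hosts = ("127.0.0.1", "sub.garmin.com", "example.com")  # constructed sample hosts
    return {h: cleartext_permitted(config_xml, h, target_sdk) for h in hosts}
```

Running `audit` on the three configs shows the trade-off: the global `base-config` override restores loopback access but also permits plain HTTP to every other host, while the loopback-only `domain-config` restores it without widening anything else.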

  • That should be it, literally. The whole situation is a bit absurd. I suspect that it is one of those organizational nightmare things where one group within the team fully understands the problem and the fix, but all decisions like that are strictly limited to another group that won't ever understand (but will fight tooth and nail to protect the decision-making privilege).

    My GCM is on "ignore updates" until further notice (I can't think of a single feature that an update would bring that would be more valuable than what I get from cIQ localhost connectivity), my usual praise for Garmin is considerably muted.