Android APK refuses to make API calls if debuggable is false

Question

Our app has started hanging when making API calls despite not being updated in production for months. We can replicate the issue using the Play Store version of the app or by setting android:debuggable="false" in the AndroidManfiest.xml. However, if we then set android:usesCleartextTraffic="true" the issue goes away. If we make an action that makes an API call then leave the app for a couple of minutes, we see an "App isn't responding" message.

We also recently updated the certs for the servers the API calls are going to.

Is there any way to fix this issue or see what caused the application to become unresponsive? I've tried looking at the network/debugging tab, but that doesn't seem possible if debuggable is false.

AndroidManifest.xml:

<?xml version='1.0' encoding='utf-8'?>
<manifest android:hardwareAccelerated="true" android:versionCode="12345" android:versionName="3.32" package="foo.bar.foo.com.bar.preview" xmlns:android="http://schemas.android.com/apk/res/android">
    <supports-screens android:anyDensity="true" android:largeScreens="true" android:normalScreens="true" android:resizeable="true" android:smallScreens="true" android:xlargeScreens="true" />
    <uses-permission android:name="android.permission.INTERNET" />
    <application android:hardwareAccelerated="true" android:icon="@mipmap/icon" android:label="@string/app_name" android:supportsRtl="true">
        <activity android:configChanges="orientation|keyboardHidden|keyboard|screenSize|locale" android:label="@string/activity_name" android:launchMode="singleTop" android:name="MainActivity" android:screenOrientation="portrait" android:theme="@android:style/Theme.DeviceDefault.NoActionBar" android:windowSoftInputMode="adjustResize">
            <intent-filter android:label="@string/launcher_name">
                <action android:name="android.intent.action.MAIN" />
                <category android:name="android.intent.category.LAUNCHER" />
            </intent-filter>
        </activity>
        <provider android:authorities="${applicationId}.provider" android:exported="false" android:grantUriPermissions="true" android:name="de.appplant.cordova.plugin.notification.util.AssetProvider">
            <meta-data android:name="android.support.FILE_PROVIDER_PATHS" android:resource="@xml/localnotification_provider_paths" />
        </provider>
        <receiver android:exported="false" android:name="de.appplant.cordova.plugin.localnotification.TriggerReceiver" />
        <receiver android:exported="false" android:name="de.appplant.cordova.plugin.localnotification.ClearReceiver" />
        <activity android:exported="false" android:launchMode="singleInstance" android:name="de.appplant.cordova.plugin.localnotification.ClickReceiver" android:theme="@android:style/Theme.Translucent" />
    </application>
    <uses-sdk android:minSdkVersion="19" android:targetSdkVersion="28" />
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" />
    <uses-permission android:name="android.permission.WAKE_LOCK" />
    <uses-permission android:name="android.permission.RECORD_AUDIO" />
    <uses-permission android:name="android.permission.MODIFY_AUDIO_SETTINGS" />
    <uses-permission android:name="android.permission.READ_PHONE_STATE" />
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE" />
</manifest>

</manifest>

Answer 1

We found a solution. Issuing certificates from a different source server did the trick. The certificate, root certificate, and intermediary certificate were all valid, from what I could see. The Android application did not accept the certificates as valid for whatever reason. From what I could find, this may have occurred due to intermediary certificates expiring or Cordova using an old version of BoringSSL.

If anyone is running into this issue on a production/release build, go into the Android Manifest file and set Debuggable to true. The issue should go away. Then, rerun the production/release build with debuggable false, and the issue should reappear. Keep the production/release build on debuggable false and set android:usesCleartextTraffic to true. The issue should go away again. If you have the same results, you may be running into a similar issue where the application is not accepting the certificates (or you're using HTTP instead of HTTPS), and new certificates may solve the problem.

<application android:debuggable="true"android:usesCleartextTraffic="true">

Answer 2

create a xml file in app/src/main/res/xml/

network_security_config.xml

<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
 <base-config cleartextTrafficPermitted="true" />
</network-security-config>

And add this to the AndroidManifest.xml

<application
     ....
    android:usesCleartextTraffic="true"
    android:networkSecurityConfig="@xml/network_security_config"
   >

Answer 3

I had a similar problem. Release apk is not working calls API. By default, settings for release are:

release {
    debuggable false
    minifyEnabled true
    proguardFiles getDefaultProguardFile('proguard-android-optimize.txt'), 'proguard-rules.pro'
}

Check proguard rules, it is necessary to check if dependencies of your app need rules to work correctly. For example, Retrofit

https://github.com/square/retrofit/blob/master/retrofit/src/main/resources/META-INF/proguard/retrofit2.pro

Answer 4

I fixed this problem by disabling minifying and then I had to remove shrinking.