Flutter Android: android:usesCleartextTraffic="false" + Network Security Config not blocking HTTP requests

I want my Flutter Android app to reject all clear‑text HTTP traffic (i.e. only allow HTTPS).

AndroidManifest.xml

xml

<application
  …
  android:usesCleartextTraffic="false"
  android:networkSecurityConfig="@xml/network_security_config">
  …
</application>

Network Security Config (android/app/src/main/res/xml/network_security_config.xml)

xml

<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
  <!-- Disallow all cleartext -->
  <base-config cleartextTrafficPermitted="false"/>
</network-security-config>

What happens instead: Despite those settings, I am still able to fetch an HTTP URL in Dart/Dio, for example:

dart

final response = await Dio().get('http://httpstat.us/200');
print(response.statusCode); // prints 200

Your settings in AndroidManifest.xml and network_security_config.xml only apply to Android’s native HTTP stack, not to Dart/Dio in Flutter.

Dart (and packages like Dio) use their own networking stack (based on dart:io), which ignores Android’s usesCleartextTraffic and network_security_config settings.

Solution:

To block HTTP traffic in Flutter:

1. Manually enforce HTTPS in your Dart code. You must avoid sending any http:// requests. You can:

• Search for and disallow all http:// URLs.
• Use a wrapper or interceptor in Dio to reject non-HTTPS URLs.

2. Use a Dio interceptor to block HTTP:

Dio dio = Dio();

dio.interceptors.add(InterceptorsWrapper(
  onRequest: (options, handler) {
    if (options.uri.scheme != 'https') {
      return handler.reject(
        DioError(
          requestOptions: options,
          error: 'Cleartext HTTP is not allowed.',
          type: DioErrorType.badResponse,
        ),
      );
    }
    return handler.next(options);
  },
));

Summary:

• AndroidManifest and network config do not affect Dart/Dio.
• You must block HTTP manually in Dart code.
• Use a Dio interceptor or audit your requests to enforce HTTPS.