Android M and the war on cleartext traffic · John Kozyrakis blog


Thoughts

As anticipated, this is a very recent addition to the code and is still a bit immature. I think it's a step in the right direction for Android; to be honest, I wasn't expecting anything like this to be implemented. I think it will get more mature in future Android versions. I trust that developers will eventually be able to enforce nice things like domain restrictions, whitelisting, requirements for pinning certain certificates per domain, etc. via the new NetworkSecurityPolicy class. As it stands, however, this has the potential to create a number of issues for developers.

If a developer decides to enable it, presumably all cleartext traffic would be blocked. This will include traffic from advertisement libraries unless they are updated to use HTTPS. Apple's ATS system is more granular: it allows developers to declare that comms with specific hosts need to be secure by default. This way, an app can make sure that comms with certain backends are secure but still let possibly insecure ads go through.
