HTTP is not supported in FitBit app starting with Android 9

ANSWERED

Dear Android Fitbit App Team,

It looks like plain HTTP is not working again from a companion app running in the Android Fitbit app starting with Android 9, which disables plain HTTP by default. See this post for details:

https://stackoverflow.com/questions/53284903/socket-io-not-working-on-android-9-api-level-28/5328701...

It breaks existing Fitbit apps that require plain HTTP to work. A fix seems to be simple and is described in the post above. You would simply need to add the following line to the Fitbit app's manifest:

android:usesCleartextTraffic="true"

Can you please fix it?


8 REPLIES

I've been struggling with this too. My http: (and ws:) stuff works with Android 5(!), but not 9. On Android 9, I get ERR_CLEARTEXT_NOT_PERMITTED.

Peter McLennan
Gondwana Software

Looks like it can be fixed easily by the Fitbit app team. I hope they'll follow soon.


I'm a bit surprised that there hasn't been feedback from more people if localhost without https is failing for everyone (there was when it happened last time).

 

Is anybody able to get http working over fetch() or websocket from companion on Android 9 with current Fitbit app?

Peter McLennan
Gondwana Software
I don't know about others. My app is not able to talk to localhost anymore using HTTP through fetch.

We managed to get specific local addresses added to resolve the initial issue, but we haven't been able to convince the security team that all local traffic could be unencrypted. You can use 127.0.0.1, not localhost.

 

I will post more info when I have it.

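The scoped alternative described in JonFitbit's reply, written out as an Android network security config. This is an added illustration, not the Fitbit app's actual configuration (the thread does not show it); the file name and the exact entries are assumptions. It sets the blanket option requested in the opening post beside the narrower form, which permits cleartext only to the loopback literal, and the comments explain why 127.0.0.1 is accepted while localhost is not:

```xml
<?xml version="1.0" encoding="utf-8"?>
<!--
  res/xml/network_security_config.xml (assumed file name), referenced from
  AndroidManifest.xml with
  <application android:networkSecurityConfig="@xml/network_security_config" ...>

  On Android 9 (API 28) the platform default is cleartextTrafficPermitted="false",
  which is what produces ERR_CLEARTEXT_NOT_PERMITTED for http:// and ws:// URLs.
-->
<network-security-config>
    <!-- Keep the secure platform default for every host not listed below.
         The blanket alternative asked for in the opening post,
         android:usesCleartextTraffic="true" on <application>, is equivalent to
         cleartextTrafficPermitted="true" here and would re-enable cleartext to
         every destination, which is the part the security team rejected. -->
    <base-config cleartextTrafficPermitted="false" />

    <!-- Allow cleartext only to the loopback address. The platform decides by
         comparing the URL's host component against these entries as strings,
         with no name resolution, so "localhost" does not match "127.0.0.1" and
         would need its own <domain> entry to be permitted. -->
    <domain-config cleartextTrafficPermitted="true">
        <domain includeSubdomains="false">127.0.0.1</domain>
    </domain-config>
</network-security-config>
```

Two practical points follow. On API 24 and above, android:usesCleartextTraffic is ignored whenever the app ships a network security config, so the one-line manifest change from the opening post only has an effect if no such config exists. And because the cleartext check runs on the host string before any lookup, a companion fetch('http://127.0.0.1:PORT/...') matches the entry above while fetch('http://localhost:PORT/...') does not, which is exactly the behaviour the later replies report.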

@JonFitbit, thanks for the quick answer. I'm not saying that "all" traffic needs to be in the clear. It should be optional, just like it used to be. In my particular case, I use message-level encryption, so side-channel attacks will be more difficult than in the plain TLS case, which is just a transport layer that can be easily spoofed by any client talking TLS (assuming that it's not mutual TLS).

Besides, I do need to talk to a local host somehow, since Fitbit doesn't have a protocol for devices to talk to Android apps.

Implementing a TLS server in an Android app would not add any additional layer of security in my case, but it would add a lot of headaches:

  1. Provisioning a server cert issued by a trusted CA
  2. Adding TLS to the current plain-socket comms

A lot of trouble and rework with no obvious benefit for app users.


Actually, changing localhost in the URL to 127.0.0.1 has helped: the Fitbit watch can talk to the Android app again, so that solved my problem.


...and for me. I can't believe I didn't try that! I suspect I actually did, but in combination with something else that wasn't working at the time.

Peter McLennan
Gondwana Software