[IMPROVEMENT] Disable HTTP for production on Android (#2357)

* Only enable HTTP and user CAs on debug builds and

* Allow User CAs in prod

* Add config on debug

* Add lint

Co-authored-by: Diego Mello <diegolmello@gmail.com>

android/app/src/debug/AndroidManifest.xml

@@ -7,7 +7,8 @@
         android:name=".MainDebugApplication"
         tools:ignore="GoogleAppIndexingWarning"
         tools:replace="android:name"
-        tools:targetApi="28" />
+        tools:targetApi="28"
+        android:networkSecurityConfig="@xml/network_security_config" />
 
     <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW" />
 </manifest>

android/app/src/debug/res/xml/network_security_config.xml

@@ -0,0 +1,10 @@
+<?xml version="1.0" encoding="utf-8"?>
+<network-security-config xmlns:tools="http://schemas.android.com/tools">
+    <base-config cleartextTrafficPermitted="true">
+        <trust-anchors>
+            <certificates src="system" />
+            <certificates src="user"
+                tools:ignore="AcceptsUserCertificates" />
+        </trust-anchors>
+    </base-config>
+</network-security-config>

android/app/src/main/res/xml/network_security_config.xml

@@ -1,9 +1,10 @@
 <?xml version="1.0" encoding="utf-8"?>
-<network-security-config>
-    <base-config cleartextTrafficPermitted="true">
+<network-security-config xmlns:tools="http://schemas.android.com/tools">
+    <base-config cleartextTrafficPermitted="false">
         <trust-anchors>
             <certificates src="system" />
-            <certificates src="user" />
+            <certificates src="user"
+                tools:ignore="AcceptsUserCertificates" />
         </trust-anchors>
     </base-config>
 </network-security-config>