Cleartext network traffic
Android Marshmallow also added a new flag to the manifest. This flag indicates whether the application uses cleartext network traffic such as HTTP. The flag is android:usesCleartextTraffic, and the default value is true. Setting this to false means that some system API components—such as the HTTP and FTP stacks, DownloadManager, and MediaPlayer—will refuse to issue HTTP traffic and will only allow HTTPS. It would be good practice to build third-party libraries that honor this setting as well. Why is this good? Well, cleartext traffic lacks confidentiality, authenticity, and protection against tampering, so data can be altered in transit without being detected. This is a major risk for applications, and we can now use this flag to enforce a stronger and more secure data transport to and from our applications.
We need to remember that this flag is honored on a best-effort basis, and it's not possible to prevent all cleartext traffic from Android applications given...
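As an added example (not code from the original text), here is how a third-party networking library could honor the flag described above instead of issuing HTTP on its own. It queries the platform's NetworkSecurityPolicy, which reflects android:usesCleartextTraffic; the class name PolicyAwareHttp and the helper method names are assumptions for this illustration.

```java
import android.os.Build;
import android.security.NetworkSecurityPolicy;

import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;

/** Hypothetical library helper that refuses cleartext HTTP when the app has opted out of it. */
public final class PolicyAwareHttp {
    private PolicyAwareHttp() {}

    /**
     * Returns true if the platform policy allows cleartext traffic to the given host.
     * The policy API only exists from Android 6.0 (API 23); the per-host variant
     * was added in API 24. Older platforms have no policy, so cleartext is allowed.
     */
    public static boolean isCleartextAllowed(String host) {
        if (Build.VERSION.SDK_INT < Build.VERSION_CODES.M) {
            return true;
        }
        NetworkSecurityPolicy policy = NetworkSecurityPolicy.getInstance();
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.N) {
            return policy.isCleartextTrafficPermitted(host);
        }
        return policy.isCleartextTrafficPermitted();
    }

    /**
     * Opens a connection, but fails early for plain HTTP URLs when the application
     * has set android:usesCleartextTraffic="false", mirroring what the system
     * HTTP stack does for its own requests.
     */
    public static HttpURLConnection open(String urlString) throws IOException {
        URL url = new URL(urlString);
        boolean isPlainHttp = "http".equalsIgnoreCase(url.getProtocol());
        if (isPlainHttp && !isCleartextAllowed(url.getHost())) {
            throw new IOException("Cleartext HTTP to " + url.getHost()
                    + " is blocked by the app's cleartext traffic policy; use HTTPS");
        }
        return (HttpURLConnection) url.openConnection();
    }
}
```

Because the flag is honored on a best-effort basis, a check like this only covers code paths that call the helper; sockets opened directly by native code or by other libraries are not covered.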