
#15951: fix: Android production build permits cleartext traffic globally

by coygeek, open, 2026-02-14 03:16

Labels: app: android, stale, size: S, trusted-contributor
## Fix Summary

The Android app enables cleartext HTTP globally via `network_security_config` base policy (`cleartextTrafficPermitted="true"`). Because the production manifest applies this config, HTTP/WS traffic can be intercepted and modified on hostile adjacent networks, including credential-bearing gateway flows.

## Issue Linkage

Fixes #15950

## Security Snapshot

- CVSS v3.1: 8.3 (High)
- CVSS v4.0: 8.7 (High)

## Implementation Details

### Files Changed

- `apps/android/app/src/debug/res/xml/network_security_config.xml` (+11/-0)
- `apps/android/app/src/main/AndroidManifest.xml` (+2/-0)
- `apps/android/app/src/main/res/xml/network_security_config.xml` (+3/-10)
- `apps/android/app/src/test/java/ai/openclaw/android/NetworkSecurityPolicyTest.kt` (+48/-0)
- `src/security/android-network-security-config.test.ts` (+29/-0)

### Technical Analysis

Root cause: the Android app ships a global base config with `cleartextTrafficPermitted="true"` in `apps/android/app/src/main/res/xml/network_security_config.xml:4`, and the production manifest points to that file via `android:networkSecurityConfig` in `apps/android/app/src/main/AndroidManifest.xml`. This overrides the secure default for modern target SDKs and permits cleartext transport broadly unless explicitly constrained.

Fix approach: enforce secure defaults in release (`base-config` false), isolate any cleartext exceptions to debug/dev-only variants, and add regression coverage that prevents production cleartext drift.

## Validation Evidence

- Command: `pnpm build && pnpm check && pnpm test`
- Status: passed

## Risk and Compatibility

Non-breaking; no known regression impact.

## AI-Assisted Disclosure

- AI-assisted: yes
- Model: GPT-5.3-Codex

---

## Greptile Overview

### Greptile Summary

This PR properly fixes a high-severity security vulnerability where the Android app globally permitted cleartext HTTP traffic in production builds. The fix enforces secure defaults by setting `cleartextTrafficPermitted="false"` in the release network security config, while isolating development-only cleartext exceptions to the debug build variant. The implementation includes comprehensive regression tests in both Kotlin and TypeScript to prevent future drift. The approach correctly leverages Android's source set hierarchy where debug configs completely override main configs for debug builds.

### Confidence Score: 5/5

- This PR is safe to merge with no identified risks
- The security fix is well-implemented with proper separation between release and debug configurations, comprehensive test coverage prevents regressions, and the changes are focused on the specific vulnerability without introducing new attack surfaces
- No files require special attention

Last reviewed commit: 080631f
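The following is an added example, not the project's code and not the PR's own test files: a TypeScript drift check of the kind the PR describes, run over three constructed `network_security_config.xml` samples. The "before" sample reproduces the global `<base-config cleartextTrafficPermitted="true">` the PR reports; the hardened main config flips it to `false`; the debug-only sample keeps the secure base and scopes cleartext to named dev hosts via `<domain-config>`. The XML contents, the host names (`localhost` and the emulator loopback `10.0.2.2`) and every function name are assumptions, since the repository's real files are not shown on this page.

```typescript
// Added example (not the project's code). All three XML strings are
// constructed samples that mirror the shapes described in the PR.

// Assumed "before": a global base-config opt-in. Every host, every
// build variant that uses this file, gets cleartext HTTP/WS.
export const INSECURE_MAIN_CONFIG = `<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config cleartextTrafficPermitted="true">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>
</network-security-config>`;

// Assumed "after" for src/main (release): secure default for every host.
export const SECURE_MAIN_CONFIG = `<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>
</network-security-config>`;

// Assumed src/debug override: base stays secure; cleartext is granted only
// to explicitly listed dev hosts (10.0.2.2 is the emulator's host loopback).
export const DEBUG_CONFIG = `<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />
        </trust-anchors>
    </base-config>
    <domain-config cleartextTrafficPermitted="true">
        <domain includeSubdomains="false">10.0.2.2</domain>
        <domain includeSubdomains="false">localhost</domain>
    </domain-config>
</network-security-config>`;

export interface CleartextFinding {
  element: "base-config" | "domain-config";
  domains: string[]; // empty for base-config, which means "every host"
}

// Matches a complete <base-config> or <domain-config> element (attrs, body).
const ELEMENT_PATTERN = "<(base-config|domain-config)\\b([^>]*)>([\\s\\S]*?)<\\/\\1>";
const PERMIT_RE = /cleartextTrafficPermitted\s*=\s*"(true|false)"/;
const DOMAIN_PATTERN = "<domain\\b[^>]*>\\s*([^<\\s]+)\\s*<\\/domain>";

function collectDomains(body: string): string[] {
  const re = new RegExp(DOMAIN_PATTERN, "g");
  const out: string[] = [];
  let m: RegExpExecArray | null;
  while ((m = re.exec(body)) !== null) out.push(m[1]);
  return out;
}

// Every element that opts in to cleartext, with the hosts it covers.
// A missing attribute is treated as "not permitted": on targetSdk >= 28
// the platform default is already cleartext-off, so only an explicit
// "true" widens the policy.
export function findCleartextPermissions(xml: string): CleartextFinding[] {
  const re = new RegExp(ELEMENT_PATTERN, "g");
  const findings: CleartextFinding[] = [];
  let m: RegExpExecArray | null;
  while ((m = re.exec(xml)) !== null) {
    const element = m[1] as CleartextFinding["element"];
    const permit = PERMIT_RE.exec(m[2]);
    if (!permit || permit[1] !== "true") continue;
    findings.push({
      element,
      domains: element === "domain-config" ? collectDomains(m[3]) : [],
    });
  }
  return findings;
}

// Release rule: no element in the shipped config may opt in to cleartext.
export function releaseViolations(xml: string): string[] {
  return findCleartextPermissions(xml).map((f) =>
    f.element === "base-config"
      ? "base-config permits cleartext for every host"
      : `domain-config permits cleartext for ${f.domains.join(", ") || "(no domains listed)"}`
  );
}

// Debug rule: cleartext only via domain-config, and only for allowlisted dev hosts.
export function debugViolations(xml: string, allowedHosts: string[]): string[] {
  const out: string[] = [];
  for (const f of findCleartextPermissions(xml)) {
    if (f.element === "base-config") {
      out.push("base-config permits cleartext globally even in debug");
      continue;
    }
    for (const d of f.domains) {
      if (allowedHosts.indexOf(d) === -1) out.push(`cleartext domain not on dev allowlist: ${d}`);
    }
  }
  return out;
}
```

Wire `releaseViolations` against the `src/main` file and `debugViolations` against the `src/debug` file in a unit test that fails on any non-empty result; the release check must stay in a build that runs on every PR, because a single attribute flip reopens the hole. Two caveats: the check inspects only the XML, so a manifest-level `android:usesCleartextTraffic="true"` or a `targetSdk` below 28 is out of its scope, and the regex scanner does not descend into a `<domain-config>` nested inside another one. For a production suite, parse the file with a real XML parser and walk every `domain-config` node.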
