#21450: Android: allow HTTP for LAN hosts
app: android
size: XS
Cluster:
Android Ed25519 Enhancements
## Summary
- Avoid forcing HTTPS for dotted LAN hosts in Android gateway canvas URLs.
- This fixes WebView loading on LAN/IP endpoints where the gateway serves HTTP only.

## Problem
The Android app currently treats any host containing a dot as TLS and rewrites canvas URLs to https. For LAN IPs or local DNS (e.g., 192.168.x.x, .local), this breaks A2UI loading and yields connection errors.

## Fix
Only auto‑enable TLS when the port is 443. This keeps HTTPS for reverse proxies while allowing HTTP on LAN endpoints.

## Testing
- Built Android debug APK locally.
- Verified A2UI endpoint loads over HTTP on LAN.
<!-- greptile_comment -->
<h3>Greptile Summary</h3>
Fixed Android WebView loading on LAN/IP endpoints by removing the heuristic that forced HTTPS for any host containing a dot. The previous logic (`endpoint.host.contains(".")`) incorrectly treated LAN IPs like `192.168.x.x` and `.local` hostnames as TLS-enabled, breaking HTTP-only gateway connections.
The fix simplifies TLS detection to only check `endpoint.port == 443`, which resolves the immediate LAN issue. However, the `GatewayEndpoint` already has a `tlsEnabled` field populated from mDNS discovery that would be a more accurate source of truth for TLS detection.
<h3>Confidence Score: 4/5</h3>
- Safe to merge with low risk - fixes a real Android LAN connectivity issue
- The change correctly addresses the immediate problem of LAN HTTP connections being forced to HTTPS. The simplified port-based heuristic (port 443 only) is reasonable for the common case. Minor improvement opportunity exists to use the existing `tlsEnabled` field for more accurate TLS detection, but the current fix is functionally correct for the stated use case.
- No files require special attention
<sub>Last reviewed commit: 760466f</sub>
<!-- /greptile_comment -->
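The three TLS-detection rules discussed above, compared on constructed endpoints. This is an added Kotlin example, not code from the PR or the project: `EndpointSketch`, the nullable `tlsEnabled`, the fallback in `tlsByFlag`, and the sample hosts and ports are assumptions. For each rule it lists the endpoints whose chosen scheme differs from what the gateway advertises, including a TLS listener on a non-443 port.

```kotlin
// Added example. EndpointSketch is a simplified stand-in for the app's
// GatewayEndpoint; a nullable tlsEnabled (null = not discovered) is an assumption.
data class EndpointSketch(val host: String, val port: Int, val tlsEnabled: Boolean?)

// Heuristic quoted in the summary as the previous logic: dotted host means TLS.
fun tlsByDottedHost(e: EndpointSketch): Boolean = e.host.contains(".")

// Heuristic after this PR: only port 443 means TLS.
fun tlsByPort(e: EndpointSketch): Boolean = e.port == 443

// Reviewer's suggestion, sketched: trust the discovery flag when present,
// fall back to the port check otherwise (the fallback is an assumption).
fun tlsByFlag(e: EndpointSketch): Boolean = e.tlsEnabled ?: tlsByPort(e)

fun scheme(tls: Boolean): String = if (tls) "https" else "http"

// Returns the endpoints whose chosen scheme disagrees with what the gateway
// actually advertises; endpoints with no advertised value are skipped.
fun mismatches(
    endpoints: List<EndpointSketch>,
    decide: (EndpointSketch) -> Boolean,
): List<String> = endpoints
    .filter { it.tlsEnabled != null && decide(it) != it.tlsEnabled }
    .map { "${scheme(decide(it))}://${it.host}:${it.port} (gateway serves ${scheme(it.tlsEnabled!!)})" }

fun main() {
    // Constructed sample endpoints, not taken from the PR.
    val samples = listOf(
        EndpointSketch("192.168.1.20", 8080, tlsEnabled = false),  // HTTP-only LAN gateway
        EndpointSketch("gateway.local", 8080, tlsEnabled = false), // local DNS name
        EndpointSketch("gw.example.com", 443, tlsEnabled = null),  // reverse proxy, manual entry
        EndpointSketch("192.168.1.30", 8443, tlsEnabled = true),   // TLS on a non-443 port
    )
    val heuristics = listOf(
        "dotted host" to ::tlsByDottedHost,
        "port 443" to ::tlsByPort,
        "tlsEnabled flag" to ::tlsByFlag,
    )
    for ((name, decide) in heuristics) {
        println("$name:")
        val bad = mismatches(samples, decide)
        if (bad.isEmpty()) println("  no mismatches")
        bad.forEach { println("  $it") }
    }
}
```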
Most Similar PRs
#13321: android/gateway: harden manual connect identity and A2UI UX
by m888m · 2026-02-10
75.3%
#11205: Android: fix gateway connection and canvas URL for Tailscale serve
by emonty · 2026-02-07
74.8%
#5441: fix(android): resolve WebSocket handshake race condition (#1922)
by cortexuvula · 2026-01-31
73.1%
#21102: Android/Security: require TLS for non-loopback gateway sessions
by bmendonca3 · 2026-02-19
72.2%
#22056: fix(gateway): use loopback for self-connections regardless of bind ...
by usedhonda · 2026-02-20
72.2%
#7852: fix(gateway): use port from Host header for canvasHostUrl (reverse ...
by tonimelisma · 2026-02-03
71.9%
#15951: fix: Android production build permits cleartext traffic globally
by coygeek · 2026-02-14
71.9%
#19548: fix(android): show scaffold instead of raw JSON on canvas auth errors
by gregmousseau · 2026-02-17
71.5%
#22343: fix(gateway): treat private LAN hosts as local direct
by AIflow-Labs · 2026-02-21
71.3%
#23326: fix(daemon): graceful degradation on unsupported platforms
by indistinctchatter604 · 2026-02-22
71.0%