Alex Klyubin posted instructions on disabling cleartext networking in Android’s built-in HTTP stack.
Ideally, your app should use secure traffic only, such as by using HTTPS instead of HTTP. Such traffic is protected against eavesdropping and tampering.
Unfortunately that approach requires Android 6 or better. But if you’re using OkHttp you can disable cleartext networking for all versions of Android. Just configure your client’s connection specs:
OkHttpClient client = new OkHttpClient.Builder()
.connectionSpecs(Arrays.asList(
ConnectionSpec.MODERN_TLS,
ConnectionSpec.COMPATIBLE_TLS))
.build();
If you want even more control, the HTTPS page on OkHttp’s wiki shows you how.