fix(security): enforce HTTPS-only connections (MM-557)

[Ayush-Patel-56]

Fixes - MM-557

No UI changes.

• Run the static analysis check ./gradlew check or ci-prepush.sh to make sure you didn't break anything

• If you have multiple commits please combine them into one commit by squashing them.

Summary by CodeRabbit

• Security Improvements
  • Enforced HTTPS encryption for all network communications to enhance data protection
  • Disabled cleartext network traffic to prevent unencrypted data transmission
  • Updated network security configuration to use system certificate authorities for secure connections

[coderabbitai]

Warning

Rate limit exceeded

@Ayush-Patel-56 has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 50 minutes and 40 seconds before requesting another review.

To keep reviews running without waiting, you can enable usage-based add-on for your organization. This allows additional reviews beyond the hourly cap. Account admins can enable it under billing.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: cafd9a83-2956-47ab-9034-57316c571192

📥 Commits

Reviewing files that changed from the base of the PR and between d1f52b1 and 98a4884.

📒 Files selected for processing (3)

• cmp-android/src/main/AndroidManifest.xml
• cmp-android/src/main/res/xml/network_security_config.xml
• core/network/src/commonMain/kotlin/org/mifos/mobile/core/network/utils/BaseURL.kt

📝 Walkthrough

Walkthrough

The Android application enforces HTTPS communication by introducing a network security configuration that disables cleartext traffic and trusts system certificates. The manifest references this new configuration, and the network utility layer now normalizes endpoint URLs to use HTTPS scheme.

Changes

Cohort / File(s)	Summary
Android Network Security Configuration cmp-android/src/main/AndroidManifest.xml, cmp-android/src/main/res/xml/network_security_config.xml	Added network security config reference to manifest and created XML resource that disables cleartext traffic and configures system certificate trust anchors.
Network Utility Updates core/network/src/commonMain/kotlin/org/mifos/mobile/core/network/utils/BaseURL.kt	Modified URL normalization logic to convert http:// to https://, preserve https:// scheme, and prepend https:// to schemeless endpoints before appending API path.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 HTTPS hops through the network with care,
Cleartext banished from the digital air,
Schemes are secured, no more http:// sight,
Android now speaks only in encrypted light,
Security strengthened, the protocol's right! 🔒

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title directly and specifically describes the main change: enforcing HTTPS-only connections across the codebase.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Review rate limit: 0/1 reviews remaining, refill in 50 minutes and 40 seconds.}

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In
`@core/network/src/commonMain/kotlin/org/mifos/mobile/core/network/utils/BaseURL.kt`:
- Around line 19-25: Remove the unused helper getUrl(endpoint: String) in
BaseURL (or mark it clearly) — locate the function named getUrl and either
delete its entire definition if it's not used anywhere, or retain it only after
adding documentation and unit tests that describe expected inputs and behavior
(including handling of http/https and appending API_PATH); update any callers if
you intend to keep it and run tests to ensure no regressions.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 09e9a9ba-1a42-458d-a19b-f7828bb39252

📥 Commits

Reviewing files that changed from the base of the PR and between 1ac71f0 and d1f52b1.

📒 Files selected for processing (3)

• cmp-android/src/main/AndroidManifest.xml
• cmp-android/src/main/res/xml/network_security_config.xml
• core/network/src/commonMain/kotlin/org/mifos/mobile/core/network/utils/BaseURL.kt