logo
 
  1. IT-Security >
  2. Cyber Security Nachrichten >
  3. An Update on Android TLS Adoption


ArabicEnglishFrenchGermanGreekItalianJapaneseKoreanPersianPolishPortugueseRussianSpanishTurkishVietnamese

An Update on Android TLS Adoption


IT Security Nachrichten vom | Direktlink: feedproxy.google.com Nachrichten Bewertung

Posted by Bram Bonné, Senior Software Engineer, Android Platform Security & Chad Brubaker, Staff Software Engineer, Android Platform Security

banner illustration with several devices and gaming controller

Android is committed to keeping users, their devices, and their data safe. One of the ways that we keep data safe is by protecting network traffic that enters or leaves an Android device with Transport Layer Security (TLS).

Android 7 (API level 24) introduced the Network Security Configuration in 2016, allowing app developers to configure the network security policy for their app through a declarative configuration file. To ensure apps are safe, apps targeting Android 9 (API level 28) or higher automatically have a policy set by default that prevents unencrypted traffic for every domain.

Today, we’re happy to announce that 80% of Android apps are encrypting traffic by default. The percentage is even greater for apps targeting Android 9 and higher, with 90% of them encrypting traffic by default.

Percentage of apps that block cleartext by default.

Percentage of apps that block cleartext by default.

Since November 1 2019, all app (updates as well as all new apps on Google Play) must target at least Android 9. As a result, we expect these numbers to continue improving. Network traffic from these apps is secure by default and any use of unencrypted connections is the result of an explicit choice by the developer.

The latest releases of Android Studio and Google Play’s pre-launch report warn developers when their app includes a potentially insecure Network Security Configuration (for example, when they allow unencrypted traffic for all domains or when they accept user provided certificates outside of debug mode). This encourages the adoption of HTTPS across the Android ecosystem and ensures that developers are aware of their security configuration.

Example of a warning shown to developers in Android Studio.

Example of a warning shown to developers in Android Studio.

Example of a warning shown to developers as part of the pre-launch report.

Example of a warning shown to developers as part of the pre-launch report.

What can I do to secure my app?

For apps targeting Android 9 and higher, the out-of-the-box default is to encrypt all network traffic in transit and trust only certificates issued by an authority in the standard Android CA set without requiring any extra configuration. Apps can provide an exception to this only by including a separate Network Security Config file with carefully selected exceptions.

If your app needs to allow traffic to certain domains, it can do so by including a Network Security Config file that only includes these exceptions to the default secure policy. Keep in mind that you should be cautious about the data received over insecure connections as it could have been tampered with in transit.

<network-security-config>
<base-config cleartextTrafficPermitted="false" />
<domain-config cleartextTrafficPermitted="true">
<domain includeSubdomains="true">insecure.example.com</domain>
<domain includeSubdomains="true">insecure.cdn.example.com</domain>
</domain-config>
</network-security-config>

If your app needs to be able to accept user specified certificates for testing purposes (for example, connecting to a local server during testing), make sure to wrap your element inside a element. This ensures the connections in the production version of your app are secure.

<network-security-config>
<debug-overrides>
<trust-anchors>
<certificates src="user"/>
</trust-anchors>
</debug-overrides>
</network-security-config>

What can I do to secure my library?

If your library directly creates secure/insecure connections, make sure that it honors the app's cleartext settings by checking isCleartextTrafficPermitted before opening any cleartext connection.

Android’s built-in networking libraries and other popular HTTP libraries such as OkHttp or Volley have built-in Network Security Config support.

Giles Hogben, Nwokedi Idika, Android Platform Security, Android Studio and Pre-Launch Report teams

...

http://feedproxy.google.com/~r/GoogleOnlineSecurityBlog/~3/mDuhhrlQkeI/an-update-on-android-tls-adoption.html

Externe Webseite mit kompletten Inhalt öffnen

➤ Ähnliche Beiträge

  • 1.

    Introducing Android 9 Pie

    vom 343.52 Punkte ic_school_black_18dp
    Posted by Dave Burke, VP of Engineering After more than a year of development and months of testing by early adopters, we're ready to launch Android 9 Pie, the latest release of Android, to the world. Android 9 harnesses the power of machine learning to make your phone smarter, simpler, and tailored to you. Read all about the new consumer features here. For developers, Android 9 includes m
  • 2.

    What’s New in Android: Q Beta 3 & More

    vom 325.81 Punkte ic_school_black_18dp
    Posted by Dave Burke, VP, Engineering Today Android is celebrating two amazing milestones. It’s Android’s version 10! And today, Android is running on more than 2.5B active Android devices. With Android Q, we’ve focused on three themes: innovation, security and privacy, and digital wellbeing. We want to he
  • 3.

    Android Studio 3.0 Canary 1

    vom 289.05 Punkte ic_school_black_18dp
    By Jamal Eason, Product Manager, Android Just in time for Google I/O 2017, we're providing a sneak peak of Android Studio 3.0 - available to download today on our canary release channel. Android Studio's our official IDE, purpose-built for Android, and we keep increasing our investment. The feature set in Android Studi
  • 4.

    Welcoming Android 10!

    vom 276.79 Punkte ic_school_black_18dp
    Posted by Stephanie Cuthbertson, Senior Director of Product Management, Android After more than a year of development and months of testing by early adopters, we’re ready to introduce Android 10 to the world! Android 10 is built around thre
  • 5.

    Previewing Android P

    vom 274.73 Punkte ic_school_black_18dp
    Posted by Dave Burke, VP of Engineering Last week at Mobile World Congress we saw that Android's ecosystem of developers, device makers, and silicon partners continues to bring amazing experiences to users worldwide. Looking ahead, today we're sharing the first developer preview of Android P, the newest version of Android. It's an
  • 6.

    Android Studio 3.2

    vom 236.86 Punkte ic_school_black_18dp
    Posted by Jamal Eason, Product Manager, Android Today, Android Studio 3.2 is available for download. Android Studio 3.2 is the best way for app developers to cut into the latest Android 9 Pie release and build the new Android App bundle. Since ann
  • 7.

    Android Studio 3.0

    vom 209.58 Punkte ic_school_black_18dp
    Posted by Jamal Eason, Product Manager, Android Android Studio 3.0 is ready to download today. Announced at Google I/O 2017, Android Studio 3.0 is a large update focused on accelerating your app development on Android. This release of Android Studio is
  • 8.

    What’s new in Android P Beta

    vom 207.39 Punkte ic_school_black_18dp
    Posted By Dave Burke, VP of Engineering Earlier today we unveiled a beta version of Android P, the next release of Android. Android P puts AI at the core of the operating system and focuses on intelligent and simple experiences. You can read more about the new user features here. For developers, Android P beta offers a range of ways to take advantage of these new smarts, especially when
  • 9.

    Android Studio 2.2

    vom 204.86 Punkte ic_school_black_18dp
    By Jamal Eason, Product Manager, Android Android Studio 2.2 is available to download today. Previewed at Google I/O 2016, Android Studio 2.2 is the latest release of our IDE used by millions of Android developers around the world. Packed with enhancements, this release has three
  • 10.

    Android Studio 3.2 Canary

    vom 199.33 Punkte ic_school_black_18dp
    Today at Google I/O 2018 we announced the latest preview of Android Studio 3.2 which includes an exciting set of features that support the Android P Developer Preview, the new Android App Bundle, and Android Jetpack. Download Android Studio 3.2 from our canary release channel today to explore
  • 11.

    Android Q Beta 2 update

    vom 164.47 Punkte ic_school_black_18dp
    Posted by Dave Burke, VP of Engineering A few weeks ago we Introduced Android Q Beta, a first look at the next version of Android. Along with new privacy features for users, Android Q adds new capabilities for developers - like enhancements for foldables, new APIs for connectivity, new media codecs and camera capabilities, NNAPI extensions
  • 12.

    FATT - A Script For Extracting Network Metadata And Fingerprints From Pcap Files And Live Network Traffic

    vom 164.28 Punkte ic_school_black_18dp
    FATT is a script for extracting network metadata and fingerprints such as JA3 and HASSH from packet capture files (pcap) or live network traffic. The main use-case is for monitoring honeypots, but you can also use it for other use cases such as network foren

Kommentare ber An Update on Android TLS Adoption