Android support for TLS


Question

I have found that TLS1.1 and TLS1.2 are supported from API level 16 and on by default from API level 20. This corresponds to Android 4.1 (supported) and Android 4.4W (wearable) or Android 5.0 (on by default).



From a server perspective this means that you will only support clients using 4.4W or higher, since you can't rely on clients to turn on TLS 1.1 and TLS 1.2 support.



Now the real question comes:



Do you even need to care about the Android version?



Huh, what do you mean? Well, should you look at the version of Android OR at the version of the browser being used? For example, Chrome on a desktop has OpenSSL libraries compiled into it (if I'm not mistaken). So couldn't a new version of Chrome on an old version of Android support TLS1.1 and TLS1.2?



The same story goes for other browsers. I know this is an Android StackExchange, but does anyone know what the deal is on iOS? Will the browser use the system libraries for SSL or will it use its own? Do I need to look at the browser or the OS for TLS support?



Kind regards,



Roel


Answer

Assuming you are not doing Android development, you do not need to worry about the Android version.



Any serious security-minded application like Chrome on Android will use TLS 1.2. You can verify this for yourself by going to a secure website (make sure it supports TLS 1.2!) and inspecting the certificate and protocol used on the client. I have checked this on Chrome on a 4.4 Android device, and it uses TLS 1.2.



A security policy should basically rely on the TLS version, and not pay attention to what kind of client is running it. It's not worthwhile to determine the Android OS version, because the Android OS version is not what finally determines the security used.



Let's be pedantic about enumerating the possibilities.




  • Android API 20+: All browsers and applications should work with TLS 1.2

  • Android API 16-19: Some browsers and applications will work with TLS 1.2.

  • Android API 15-: I think we are not discussing these because no version supports TLS 1.2



Here are the server choices I think we are discussing:




  1. You allow only TLS 1.2 and do not check Android version. All Android API 20+ clients, and those Android API 16-19 clients using TLS 1.2 applications are expected to work.

  2. You allow TLS 1.2, 1.1, 1.0 and do not check Android version. All Android clients are expected to work. System is less secure.

  3. You allow only TLS 1.2 and check the Android version. Only Android API 20+ clients can work because you are excluding API 16-19. This is fewer supported clients than in option 1, with no increase in TLS security. So this option does not make sense.

  4. You allow TLS 1.2, 1.1, 1.0 and check the Android version. Only Android API 20+ clients are expected to work because you are excluding API 16-19. This option does not make sense because you are making the system both less usable and less secure than other options. Fewer clients will work than under option 1, and those clients will be less secure.



Checking the Android version makes your system support fewer clients, at no increase in security. Therefore, do not bother checking the Android version.



The basic security tradeoff is always how usable a system is versus how secure the system is. This applies to physical security measures, cipher suites, TLS versions, and more. TLS 1.1 and 1.0 are not as secure as TLS 1.2. You have to answer the following questions for yourself:




  1. Do the vulnerabilities present in TLS 1.1 and 1.0 make them unsuitable for your system?

  2. Would using only TLS 1.2 be worth the tradeoff in some people not being able to use your system?
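As an added illustration, not part of the original question or answer, the following Python shows what the answer's option 1 looks like when written down: a server-side policy that accepts or rejects purely on the highest TLS version the client offers in its ClientHello, and never consults the platform or User-Agent. The parser reads the legacy `client_version` field and the `supported_versions` extension that TLS 1.3 clients use. The ClientHello bytes, the cipher suite and the `MIN_ACCEPTED_VERSION` value are constructed for this example; `build_client_hello` produces synthetic test input, not captured traffic.

```python
import struct

# Constructed example (not code from the original post): a server-side policy
# that keys only on the TLS version a client offers, never on the client OS.

TLS_VERSION_NAMES = {
    0x0300: "SSL 3.0",
    0x0301: "TLS 1.0",
    0x0302: "TLS 1.1",
    0x0303: "TLS 1.2",
    0x0304: "TLS 1.3",
}
EXT_SUPPORTED_VERSIONS = 43      # RFC 8446 extension type for supported_versions
MIN_ACCEPTED_VERSION = 0x0303    # policy choice for this example: TLS 1.2 or newer


def _u16(buf: bytes, pos: int) -> int:
    """Read a big-endian uint16 at pos, raising ValueError if the buffer is short."""
    if pos + 2 > len(buf):
        raise ValueError("truncated ClientHello")
    return struct.unpack("!H", buf[pos:pos + 2])[0]


def parse_client_hello(record: bytes) -> dict:
    """Parse one TLS record carrying a ClientHello.

    Returns the legacy client_version, the offered cipher suites and the versions
    listed in the supported_versions extension (empty for pre-TLS-1.3 clients).
    """
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    body = record[5:5 + _u16(record, 3)]
    if len(body) < 4 or body[0] != 0x01:
        raise ValueError("record does not carry a ClientHello")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]

    pos = 0
    client_version = _u16(hello, pos); pos += 2
    pos += 32                                    # client random
    if pos >= len(hello):
        raise ValueError("truncated ClientHello")
    pos += 1 + hello[pos]                        # session_id (length-prefixed)
    cs_len = _u16(hello, pos); pos += 2
    cipher_suites = [_u16(hello, i) for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    if pos >= len(hello):
        raise ValueError("truncated ClientHello")
    pos += 1 + hello[pos]                        # compression_methods (length-prefixed)

    supported_versions = []
    if pos < len(hello):                         # the extensions block is optional
        end = pos + 2 + _u16(hello, pos); pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = _u16(hello, pos), _u16(hello, pos + 2); pos += 4
            ext_data = hello[pos:pos + ext_len]; pos += ext_len
            if ext_type == EXT_SUPPORTED_VERSIONS and ext_data:
                n = ext_data[0]                  # byte length of the version list
                supported_versions = [_u16(ext_data, i) for i in range(1, 1 + n, 2)]
    return {"client_version": client_version, "cipher_suites": cipher_suites,
            "supported_versions": supported_versions}


def highest_offered_version(info: dict) -> int:
    """TLS 1.3 clients list versions in supported_versions and keep the legacy
    field at 0x0303; older clients only set client_version."""
    return max(info["supported_versions"]) if info["supported_versions"] else info["client_version"]


def server_accepts(record: bytes, min_version: int = MIN_ACCEPTED_VERSION) -> tuple:
    """Decide purely on the offered TLS version. Returns (accepted, reason)."""
    try:
        info = parse_client_hello(record)
    except ValueError as exc:
        return False, f"reject: {exc}"
    offered = highest_offered_version(info)
    name = TLS_VERSION_NAMES.get(offered, hex(offered))
    if offered < min_version:
        return False, f"reject: client offers at most {name}"
    return True, f"accept: client offers {name}"


def build_client_hello(client_version: int, supported_versions=(), cipher_suites=(0x002F,)) -> bytes:
    """Build a minimal ClientHello record (constructed sample input, not a capture)."""
    body = struct.pack("!H", client_version) + bytes(32) + b"\x00"      # version, random, empty session id
    suites = b"".join(struct.pack("!H", c) for c in cipher_suites)
    body += struct.pack("!H", len(suites)) + suites + b"\x01\x00"        # suites, null compression only
    if supported_versions:
        sv = b"".join(struct.pack("!H", v) for v in supported_versions)
        ext = struct.pack("!HH", EXT_SUPPORTED_VERSIONS, 1 + len(sv)) + bytes([len(sv)]) + sv
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + struct.pack("!HH", 0x0301, len(handshake)) + handshake


if __name__ == "__main__":
    samples = [("TLS 1.0-only client", build_client_hello(0x0301)),
               ("TLS 1.2 client (e.g. a 4.4-era browser)", build_client_hello(0x0303)),
               ("TLS 1.3 client", build_client_hello(0x0303, supported_versions=(0x0304, 0x0303)))]
    for label, hello in samples:
        print(label, "->", server_accepts(hello)[1])
```

On a real deployment this decision is made by the TLS stack's configuration rather than by hand-written parsing (for instance `ssl.SSLContext.minimum_version = ssl.TLSVersion.TLSv1_2` in Python 3.7+, or the equivalent protocol setting in a web server); the parser above only makes visible that the policy needs nothing beyond the handshake itself, which is the answer's point.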

