A full 80 percent of Android apps are encrypting their traffic by default, according to a Transport Layer Security (TLS) adoption update from Google.
That percentage is even greater for apps targeting Android 9 and higher, with 90 percent of those encrypting traffic by default, the tech giant said on Tuesday.
TLS is a cryptographic protocol standard ratified by the Internet Engineering Task Force that provides end-to-end communications security over networks by scrambling data in transit, preventing hackers from reading it, intercepting it or tampering with it. TLS can be enabled for any internet communication or online transaction, such as a connection between a mobile shopping website and a user’s mobile browser, or between a banking app and the bank’s backend servers. The security of those connections is then verified via secure TLS certificates.
As of October 2019, a third (33 percent) of Android devices run Android 9 (Pie), the latest version of the operating system. That makes it the most popular Android version. According to Google, apps targeting Android 9 or higher automatically have a policy set by default that prevents unencrypted traffic for every domain; and, since November 1, all apps on Google Play must target at least Android 9.
“We’re excited to see that progress encrypting mobile application data on networks is mirroring the great progress happening with websites,” said Josh Aas, executive director of the open-source Let’s Encrypt project, told Threatpost. “A huge amount of sensitive information is transmitted via apps and protecting it needs to be a priority. Hopefully TLS will become a firm requirement for apps in the future.”
To help developers along that path, the latest releases of Android Studio and Google Play’s pre-launch report are geared to make developers aware of their security configuration, and they warn them when their apps allow unencrypted traffic.
“As a result, we expect these [TLS encryption] numbers to continue improving,” according to Google’s update. “Network traffic from these apps is secure by default and any use of unencrypted connections is the result of an explicit choice by the developer.”
Apps can get around the default settings by including a separate Network Security Config file within their code. There are a few legitimate reasons for doing this: If an app needs to allow traffic to certain domains that are not set up for HTTPS and TLS (HTTPS, or Hyper Text Transfer Protocol Secure, indicates that a website is secured by a TLS certificate); or, if an app needs to be able to accept user-specified certificates for testing purposes (for example, connecting to a local server during testing).
It should be noted that thriving marketplaces for TLS certificates have emerged on the Dark Web, which are hawking the certs both as individual goods and packaged with an array of malware and other ancillary services. Legitimate TLS certificates allow adversaries to set up phishing and other malicious sites that look innocuous to security measures, meaning they can avoid being flagged by safe-browser software.
In the case of the Android ecosystem, the out-of-the-box default is to trust only certificates issued by an authority in the standard Android CA [certificate authority] set, Google said.
This is the latest in a series of significant strides that various stakeholders have made towards a more secure web. In June, Google announced general availability of its public domain name server (DNS)-over-HTTPS service (DoH). The move is an effort by Google to boost consumer privacy, reduce the threat of man-in-the-middle attacks, and speed up the internet with a new solution for securing domain name server traffic that uses the encrypted HTTPS channel. Also this year, the Mozilla Foundation’s Firefox group also announced it was testing a DNS-over-HTTPS service with a small group of users. And in April 2018, Cloudflare launched its own DNS-over-HTTPS service called 184.108.40.206.
Encryption has continued apace in general; in December 2015, less than 40 percent of page loads used HTTPS, according to Let’s Encrypt. As of last year, HTTPS percentages were above 70 percent across major browsers. The most popular browser, Google Chrome, boasts 85 percent of traffic loaded with HTTPS; and, Google recently started labeling all non- HTTPS sites as “not secure” to aid in user awareness.
Google’s Android encryption update comes as the ecosystem continues to face rafts of security bugs. For instance, a new Android vulnerability disclosed this week, called “StrandHogg,” could allow malware to pose as popular apps and ask for various permissions, potentially allowing hackers to listen in on users, take photos, read and send SMS messages. And in the Android December security update, three critical-severity vulnerabilities in its Android operating system were revealed — one of which could result in “permanent denial of service” on affected mobile devices if exploited.