Google Turns TLS on By Default on Android P

Applications targeting the next version of Android (Android P) are required to use encrypted connections by default, Google said on Thursday.

To keep user data and devices safe, the company is protecting all inbound and outbound data on Android devices with Transport Layer Security (TLS) in transit. Thus, applications on Android P are no longer allowed to use unencrypted connections by default.

This is the latest step the Internet giant has taken to keep Android users better protected, after preventing accidental unencrypted connections on Android (6.0) Marshmallow.

The search company also added the Network Security Config feature to Android (7.0) Nougat, allowing apps to indicate that they do not intend to send network traffic without encryption.

However, Android Nougat and Oreo still allowed cleartext connections, necessary for legacy purposes, such as establishing a connection to an old server.

In Android P, currently available as Developer Preview, TLS is turned on by default, Google says. Applications that already use the protocol for all of their connections won’t be affected by the change, but those that don’t should be updated to use TLS to encrypt communications.

“Android considers all networks potentially hostile and so encrypting traffic should be used at all times, for all connections,” Chad Brubaker, Senior Software Engineer Android Security, notes in a blog post.

He also points out that mobile devices are at risk because they connect to different networks, including public Wi-Fi hotspots.

“All traffic should be encrypted, regardless of content, as any unencrypted connections can be used to inject content, increase attack surface for potentially vulnerable client code, or track the user,” Brubaker says.

To update their applications to use TLS, developers only need to implement the protocol to their servers, and then change all URLs in the app and server responses to HTTPS. When making a socket, devs should use an SSLSocketFactory instead of a SocketFactory, Brubaker points out.

For applications that still require cleartext connections for legacy purposes, changes should be made to the app’s network security configuration to allow such connections.

If the application supports opening arbitrary content from links over insecure connections, the cleartext connections to the developer’s servers should be disabled while they are enabled for arbitrary hosts, Brubaker advises.

Google has been long advocating for the adoption of HTTPS over HTTP and started pushing encrypted pages to the top of search results lists several years ago. Other companies have been pushing for an encrypted Internet as well, including Apple, GitHub, WordPress, and others.

Related: Google Patches 9 Critical Android Vulnerabilities in April 2018 Update

Related: 3 Million New Android Malware Samples Discovered