Security Experts:

Connect with us

Hi, what are you looking for?


Mobile & Wireless

Google Turns TLS on By Default on Android P

Applications targeting the next version of Android (Android P) are required to use encrypted connections by default, Google said on Thursday.

Applications targeting the next version of Android (Android P) are required to use encrypted connections by default, Google said on Thursday.

To keep user data and devices safe, the company is protecting all inbound and outbound data on Android devices with Transport Layer Security (TLS) in transit. Thus, applications on Android P are no longer allowed to use unencrypted connections by default.

This is the latest step the Internet giant has taken to keep Android users better protected, after preventing accidental unencrypted connections on Android (6.0) Marshmallow.

The search company also added the Network Security Config feature to Android (7.0) Nougat, allowing apps to indicate that they do not intend to send network traffic without encryption.

However, Android Nougat and Oreo still allowed cleartext connections, necessary for legacy purposes, such as establishing a connection to an old server.

In Android P, currently available as Developer Preview, TLS is turned on by default, Google says. Applications that already use the protocol for all of their connections won’t be affected by the change, but those that don’t should be updated to use TLS to encrypt communications.

“Android considers all networks potentially hostile and so encrypting traffic should be used at all times, for all connections,” Chad Brubaker, Senior Software Engineer Android Security, notes in a blog post.

He also points out that mobile devices are at risk because they connect to different networks, including public Wi-Fi hotspots.

“All traffic should be encrypted, regardless of content, as any unencrypted connections can be used to inject content, increase attack surface for potentially vulnerable client code, or track the user,” Brubaker says.

To update their applications to use TLS, developers only need to implement the protocol to their servers, and then change all URLs in the app and server responses to HTTPS. When making a socket, devs should use an SSLSocketFactory instead of a SocketFactory, Brubaker points out.

For applications that still require cleartext connections for legacy purposes, changes should be made to the app’s network security configuration to allow such connections.

If the application supports opening arbitrary content from links over insecure connections, the cleartext connections to the developer’s servers should be disabled while they are enabled for arbitrary hosts, Brubaker advises.

Google has been long advocating for the adoption of HTTPS over HTTP and started pushing encrypted pages to the top of search results lists several years ago. Other companies have been pushing for an encrypted Internet as well, including Apple, GitHub, WordPress, and others.

Related: Google Patches 9 Critical Android Vulnerabilities in April 2018 Update

Related: 3 Million New Android Malware Samples Discovered

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Mobile & Wireless

Infonetics Research has shared excerpts from its Mobile Device Security Client Software market size and forecasts report, which tracks enterprise and consumer security client...

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.

Mobile & Wireless

The February 2023 security updates for Android patch 40 vulnerabilities, including multiple high-severity escalation of privilege bugs.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.

Mobile & Wireless

South Dakota Gov. Kristi Noem says her personal cell phone was hacked and linked it to the release of documents by the January 6...


Pig Butchering, also known as Sha Zhu Pan and CryptoRom, is an ugly name for an ugly scam.