HTTPS will now be the default for all Android Apps
Android P will default to HTTPS connections for all apps
Android P, the next version of Google’s ubiquitous mobile OS, which will soon be available to developers, will default to HTTPS connections for all apps. Dave Burke, the VP of Engineering for Android, announced some of the changes we can expect in Android P, including better connection security.
As part of a larger effort to move all network traffic away from cleartext (unencrypted HTTP) to TLS, we’re also changing the defaults for Network Security Configuration to block all cleartext traffic. You’ll now need to make connections over TLS, unless you explicitly opt-in to cleartext for specific domains.
This change will apply to each and every app that will be made available on Android P. Granted, there are some specific workarounds for apps or users that may require an HTTP connection. A specific declaration will need to be made in the app’s manifest if any HTTP connections are required. Users will be able to control this via Android P’s Network Security Configuration file.
Additionally, users will be able to allow or forbid HTTP connections on a per-domain basis, or at the app level. This is similar to Apple’s App Transport Security feature. Apple has made ATS a default since 2015, and it requires apps to add a custom configuration file in order to make HTTP connections. Apple has also bolstered ATS by only supporting TLS 1.2 and onward, in addition to forward secrecy.
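To make the per-domain opt-in concrete, here is an added example (not code from this article or from Google) that audits a Network Security Configuration file and lists every domain still allowed to use cleartext, following the format's rule that a nested domain-config inherits from its parent. The sample XML is constructed, its domains are placeholders, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample res/xml/network_security_config.xml (placeholder domains).
SAMPLE_CONFIG = """<network-security-config>
    <base-config cleartextTrafficPermitted="false" />
    <domain-config cleartextTrafficPermitted="true">
        <domain includeSubdomains="true">legacy.example.com</domain>
        <domain-config cleartextTrafficPermitted="false">
            <domain includeSubdomains="false">pay.legacy.example.com</domain>
        </domain-config>
        <domain-config>
            <domain includeSubdomains="false">img.legacy.example.com</domain>
        </domain-config>
    </domain-config>
</network-security-config>
"""


def _flag(element, inherited):
    """Read cleartextTrafficPermitted, falling back to the inherited value."""
    value = element.get("cleartextTrafficPermitted")
    return inherited if value is None else value.strip().lower() == "true"


def audit_cleartext(xml_text, platform_default=False):
    """Return (base_permitted, [(domain, include_subdomains), ...]).

    platform_default=False models the Android P default described above.
    """
    root = ET.fromstring(xml_text)
    base = root.find("base-config")
    base_permitted = platform_default if base is None else _flag(base, platform_default)
    findings = []

    def walk(node, inherited):
        for cfg in node.findall("domain-config"):
            permitted = _flag(cfg, inherited)
            if permitted:
                for d in cfg.findall("domain"):
                    subs = d.get("includeSubdomains", "false").lower() == "true"
                    findings.append(((d.text or "").strip(), subs))
            walk(cfg, permitted)  # nested domain-config inherits from its parent

    walk(root, base_permitted)
    return base_permitted, findings


if __name__ == "__main__":
    base, opted_in = audit_cleartext(SAMPLE_CONFIG)
    print("cleartext allowed app-wide:", base)
    for domain, subs in opted_in:
        print("cleartext opt-in:", domain, "(+subdomains)" if subs else "")
```

Note that the nested entry without its own attribute inherits the parent's opt-in, which is the case most easily missed in a manual review.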
Par for the Course
In July, Google will release a Chrome update that effectively bans HTTP connections in its browser. As we have covered exhaustively, HTTPS will become the new default when Google and the rest of the browsers begin issuing warnings about HTTP sites that are “not secure” this summer.
With that in mind, it only makes sense that Google would also be ramping up pressure on its mobile platform, especially considering that more people now use mobile devices than desktop computers. And considering that the majority of the apps on these mobile platforms are making connections, it only makes sense that Google would want those connections to be made securely.
In addition to requiring that apps make encrypted connections by default, Google will also be stepping up other safeguards with Android P, namely by restricting apps’ access to other features like the phone’s camera, microphone, etc.
To better ensure privacy, Android P restricts access to mic, camera, and all SensorManager sensors from apps that are idle. While your app’s UID is idle, the mic reports empty audio and sensors stop reporting events. Cameras used by your app are disconnected and will generate an error if the app tries to use them. In most cases, these restrictions should not introduce new issues for existing apps, but we recommend removing these requests from your apps.
Android P is expected to be released in quarter three of 2018, but you can expect more information about the upcoming release next month at Google I/O.