Android P will default to HTTPS connections for all apps
Android P, the next version of Google’s ubiquitous mobile OS which will soon be available to developers, will default to HTTPS connections for all apps. Dave Burke, the VP of Engineering for Android announced some of the changes we can expect in Android P, including better connection security.
As part of a larger effort to move all network traffic away from cleartext (unencrypted HTTP) to TLS, we’re also changing the defaults for Network Security Configuration to block all cleartext traffic. You’ll now need to make connections over TLS, unless you explicitly opt-in to cleartext for specific domains.
This change will apply to each every app that will be made available on Android P. Granted, there are some specific workarounds for apps or users that may require an HTTP connection. A specific declaration will need to be made in the app’s manifest if any HTTP connections are required. Users will be able to control this via Android P’s Network Security Configuration file.
Additionally, users will be able to allow or forbid HTTP connections on a per-domain basis, or at the app level. This is similar to Apple’s App Transport Security feature. Apple has made ATS a default since 2015, and it requires apps to add a custom configuration file in order to made HTTP connections. Apple has also bolstered ATS by only supporting TLS 1.2 and onward, in addition to forward secrecy.
Par for the Course
In July Google will release a Chrome update that effectively bans HTTP connections in its browser. As we have covered exhaustively, HTTPS will become the new default when Google and the rest of browser begin issuing warnings about HTTP sites that are “not secure” this summer.
With that in mind, it only makes sense that Google would also be ramping up pressure on its mobile platform, especially considering that more people now use mobile devices than desktop computers. And considering that the majority of the apps on these mobile platforms are making connections, it only makes sense that Google would want those connections to be made securely.
In addition to requiring apps make encrypted connections by default, Google will also be stepping up other safeguards with Android P. Namely by restricting apps’ access to other features like the phone’s camera, microphone, etc.
To better ensure privacy, Android P restricts access to mic, camera, and all SensorManager sensors from apps that are idle. While your app’s UID is idle, the mic reports empty audio and sensors stop reporting events. Cameras used by your app are disconnected and will generate an error if the app tries to use them. In most cases, these restrictions should not introduce new issues for existing apps, but we recommend removing these requests from your apps.
Android P is expected to be released in quarter three of 2018, but you can expect more information about the upcoming release next month at Google I/O.