Sunday, December 8, 2019

Google extends its Android TLS adoption program: 80% of apps now encrypt traffic by default

Google announced this week that 80 percent of Android apps now encrypt their network traffic by default. The share is higher still for apps targeting Android 9 and above, 90 percent of which encrypt traffic by default.

Android is committed to keeping users, their devices, and their data safe. One of the ways that Google is keeping data safe is by protecting network traffic that enters or leaves an Android device with Transport Layer Security (TLS). 


Android 7 (API level 24) introduced the Network Security Configuration in 2016, letting app developers set their app's network security policy in a declarative configuration file rather than in code. To make the safe behaviour the default, apps targeting Android 9 (API level 28) or higher automatically get a policy that blocks cleartext (unencrypted HTTP) traffic to every domain unless the developer explicitly opts a domain back in.

The Network Security Configuration feature lets apps customize their network security settings in a declarative configuration file without modifying app code. A setting can apply to the whole app (a base configuration) or to specific domains (per-domain overrides).

With it, a developer can customize which Certificate Authorities (CAs) are trusted for the app's secure connections, for example trusting a particular self-signed certificate or restricting the app to a subset of the public CAs. The same file lets developers debug secure connections (for instance by trusting a development CA only in debuggable builds) without adding risk to the installed base, protects the app from accidental use of cleartext traffic, and can pin the app's secure connections to particular certificates or public keys.
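The following network_security_config.xml is an added example, not a file from the original post or from Google's documentation. It shows the weak setting a developer might be tempted to add (re-enabling cleartext for every domain) next to the hardened policy, plus the per-domain, pinning and debug-only overrides the paragraph above describes. The host names api.example.com and legacy.example.com, the resource res/raw/debug_ca and the pin hashes are placeholders chosen for illustration.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml (illustrative). The app's manifest
     references it via android:networkSecurityConfig="@xml/network_security_config"
     on the <application> element. -->
<network-security-config>
    <!-- Weak setting, shown only for contrast and left commented out: this single
         line would re-enable plain HTTP for every domain, undoing the Android 9
         default, and is exactly what Android Studio and the Play pre-launch report warn about.
    <base-config cleartextTrafficPermitted="true" />
    -->

    <!-- Hardened base policy: no cleartext anywhere, and only the system CA store
         is trusted (user-installed certificates are not). -->
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>

    <!-- Pin the app's API host (assumed name) to specific SPKI SHA-256 hashes.
         Two pins are listed, the key in use and a backup key, so a planned key
         rotation does not lock users out. The hash values are placeholders. -->
    <domain-config>
        <domain includeSubdomains="true">api.example.com</domain>
        <pin-set expiration="2020-12-31">
            <pin digest="SHA-256">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=</pin>
            <pin digest="SHA-256">BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=</pin>
        </pin-set>
    </domain-config>

    <!-- Explicit, narrowly scoped exception: one legacy host (assumed name) that
         still serves plain HTTP. Scoping it to a single domain keeps the opt-in
         visible and auditable instead of weakening the whole app. -->
    <domain-config cleartextTrafficPermitted="true">
        <domain includeSubdomains="false">legacy.example.com</domain>
    </domain-config>

    <!-- Debug-only override: trust the developer's own CA (assumed to live at
         res/raw/debug_ca) in addition to the system store, but only while the
         build has android:debuggable="true". Release builds ignore this block,
         so the extra trust anchor never reaches the installed base. -->
    <debug-overrides>
        <trust-anchors>
            <certificates src="@raw/debug_ca" />
            <certificates src="system" />
        </trust-anchors>
    </debug-overrides>
</network-security-config>
```

Two practical notes on this shape of file. The `expiration` attribute on the pin set makes pinning fall back to ordinary CA validation after that date, which bounds the damage if a certificate is rotated without updating the app; omit it only if you are certain the pins will be kept current. And `<certificates src="user" />` belongs inside `<debug-overrides>` if anywhere: placing it in `<base-config>` makes every user-installed CA a trust anchor for release builds, which is one of the configurations the tooling flags.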

Since November 1, 2019, all new apps and all app updates on Google Play must target at least Android 9, so Google expects these numbers to keep improving. Network traffic from these apps is secure by default, and any use of an unencrypted connection is the result of an explicit choice by the developer.


The latest releases of Android Studio and Google Play's pre-launch report warn developers when their app includes a potentially insecure Network Security Configuration, for example when it permits cleartext traffic for all domains or trusts user-provided certificates outside of debug mode.

This encourages the adoption of HTTPS across the Android ecosystem and ensures that developers are aware of the security configuration they are shipping.
