The next version of Android will default to blocking HTTP traffic in apps by default. In a blog post, Dave Burke, Android’s VP of Engineering said this is the latest step in a “larger effort to move all network traffic away from cleartext (unencrypted HTTP) to TLS… you’ll now need to make connections over TLS, unless you explicitly opt-in to cleartext for specific domains.”
This will apply to all apps that target Android P and will require a specific declaration in the app’s manifest if any HTTP connections are needed. This is controlled through the Network Security Configuration file.
You’ll be able to allow or forbid HTTP traffic for connections to specific domains, or for your entire app. If you cannot opt-out of all HTTP traffic because your app makes connections to arbitrary hosts that you cannot guarantee HTTPS availability for, such as to a user-provided URL through a WebView, you should protect connections to your own services by requiring HTTPS for those domains. Examples of these configurations are provided in this Android Developer’s Blog post.
Apple has a similar feature in iOS and macOS named App Transport Security (ATS). This feature has been turned on by default since iOS 9.0 (released in September 2015) and requires apps to add a custom configuration file to allow exemptions for HTTP traffic. In addition, ATS enforces ‘strong’ HTTPS connections by only allowing TLS 1.2 and ciphers that provide forward secrecy.
Secure by Default
Chad Brubaker, Senior Software Engineer for Android Security, directly addressed one of the pervasive myths about HTTPS: that some web pages are ‘sensitive’ and need to be encrypted, while it’s unimportant to protect other types of pages, like a blog or static homepage.
HTTPS is not just about protecting the data being sent to your visitors—it’s also about protecting the entire connection. Without HTTPS, which provides authentication that prevents DNS spoofing and content injection, any given connection can be misused to harm the client device by tracking them, or stealing or injecting data.
Brubaker writes, “All traffic should be encrypted, regardless of content, as any unencrypted connections can be used to inject content, increase attack surface for potentially vulnerable client code, or track the user.”
Android P is scheduled for a release in the third quarter of 2018, and is currently available as a development preview.