80 percent of Android apps now encrypt their traffic by default

• Google has been pushing Android developers globally to secure their mobile traffic since 2017.
• Apps targeting Android 9 or higher will already have the encryption policy set by default for every domain.

As of October 2019, 80 percent of all Android apps were found using Transport Layer Security (TLS) to encrypt their network traffic, according to the TLS adoption update from Google.

How did Google do it?

The giant’s new security feat for apps is a big leap towards providing better security and privacy to users since most of the communication is happening over the Internet, or on a network.

• Google has been pushing Android developers globally to secure their mobile traffic since 2017.
• However, Google introduced the Network Security Configuration file with Android 7 in 2016, which allowed app developers to opt out of using cleartext when performing network communication.
• Then in 2018, with the release of Android 9, Google further mandated that any apps targeting Android 9 or higher should automatically use a default policy for encrypted traffic.
• Apps targeting Android 9 or higher will already have the encryption policy set by default for every domain.

“We’re happy to announce that 80 percent of Android apps are encrypting traffic by default. The percentage is even greater for apps targeting Android 9 and higher, with 90 percent of them encrypting traffic by default,” an excerpt from the blog read.

The motive behind

Since November 1, all apps on Google Play must target at least Android 9.

“As a result, we expect these [TLS encryption] numbers to continue improving,” according to Google’s update. “Network traffic from these apps is secure by default and any use of unencrypted connections is the result of an explicit choice by the developer.”

Also, the latest releases of Android Studio and Google Play’s pre-launch report is intended to help developers along that path and make them aware of their security configuration. They will also be warned when their apps allow any unencrypted traffic.

Understanding TLS

A cryptographic protocol, ratified by the Internet Engineering Task Force, that provides end-to-end communications security over networks by scrambling data in transit.

• The cryptographic protocol standard prevent hackers from reading, intercepting or tampering with the data.
• It is widely used for internet communications, such as data exchange over a mobile shopping website, and online transactions, like happens during checkout through bank servers. The security of those connections is then verified via secure TLS certificates.

Comments

“We’re excited to see that progress encrypting mobile application data on networks is mirroring the great progress happening with websites,” said Josh Aas, executive director of the open-source Let’s Encrypt project, told Threatpost. “A huge amount of sensitive information is transmitted via apps and protecting it needs to be a priority. Hopefully, TLS will become a firm requirement for apps in the future.”

However, one also needs to note that there’s a thriving market for TLS certificates on the Dark Web too. While some may be genuine, but some are packaged with an array of malware and other ancillary services, meaning those would go undeterred and unflagged by safe-browser software.