Google recently revealed that 80% of Android apps now encrypt all traffic by default.
Since 2017, Google has been pushing Android developers globally to secure their mobile data traffic. Even before that, in 2016, Google introduced the Network Security Configuration file with Android 7, which allowed app developers to opt out of cleartext traffic in their network communication. Then in 2018, with the release of Android 9, Google further mandated that apps targeting Android 9 or higher automatically use a default policy of encrypted traffic.
As of October 2019, 80 percent of all Android apps were found using Transport Layer Security (TLS) by default to encrypt their network traffic, according to the TLS adoption update from Google. Apps targeting Android 9 or higher will already have the encryption policy set by default for every domain.
In effect, this means all apps that are being actively updated will be forced to block cleartext traffic by default unless the developer creates specific opt-outs. All other apps can still exist on Google Play unaffected. Many apps only receive updates on a sporadic basis, but when a developer decides it’s time to give their app a fresh coat of paint, they will at that point have to support only encrypted traffic by default. In other words, the 80% figure touted by Google today will likely only increase.
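An added example, not from Google or the original article: a short Python audit of a Network Security Configuration file that lists the domains where a developer has explicitly re-enabled cleartext. The sample config, its example.com domains and the function names are constructed for illustration. The default follows the platform rule (cleartext permitted only when targeting API level 27 or lower), and the manifest's `android:usesCleartextTraffic` attribute is not examined.

```python
import xml.etree.ElementTree as ET

# Constructed sample: cleartext blocked globally, with one explicit opt-out.
SAMPLE_CONFIG = """<network-security-config>
    <base-config cleartextTrafficPermitted="false" />
    <domain-config cleartextTrafficPermitted="true">
        <domain includeSubdomains="true">legacy.example.com</domain>
        <domain-config cleartextTrafficPermitted="false">
            <domain includeSubdomains="false">pay.legacy.example.com</domain>
        </domain-config>
        <domain-config>
            <domain includeSubdomains="false">cdn.legacy.example.com</domain>
        </domain-config>
    </domain-config>
</network-security-config>
"""


def _flag(element, inherited):
    """Return the element's cleartextTrafficPermitted value, or the inherited one."""
    value = element.get("cleartextTrafficPermitted")
    return inherited if value is None else value.strip().lower() == "true"


def audit_cleartext(xml_text, target_sdk=28):
    """Return (base_permits_cleartext, sorted domains that permit cleartext)."""
    root = ET.fromstring(xml_text)
    # Platform default: cleartext is allowed only when targeting API 27 or lower.
    base = target_sdk <= 27
    base_el = root.find("base-config")
    if base_el is not None:
        base = _flag(base_el, base)
    opted_out = []

    def walk(parent, inherited):
        for cfg in parent.findall("domain-config"):
            permitted = _flag(cfg, inherited)
            if permitted:
                opted_out.extend((d.text or "").strip() for d in cfg.findall("domain"))
            walk(cfg, permitted)  # nested configs inherit from their parent

    walk(root, base)
    return base, sorted(opted_out)


if __name__ == "__main__":
    base, domains = audit_cleartext(SAMPLE_CONFIG)
    print("base-config permits cleartext:", base)
    for name in domains:
        print("cleartext opt-out:", name)
```

A nested `domain-config` without the attribute inherits from its parent, which is why the CDN host in the sample is reported even though it never sets the flag itself.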
TLS is a cryptographic protocol used by all HTTPS domains to secure traffic over a network. Ratified by the Internet Engineering Task Force, it provides end-to-end communications security over networks by scrambling data in transit. The standard prevents hackers from reading, intercepting or tampering with the data. It is widely used for internet communications, such as data exchange with a mobile shopping website, and for online transactions, such as a checkout that goes through bank servers. The security of those connections is then verified via TLS certificates.
Better Mobile Security
Google’s new security feat for apps is a big leap towards providing better security and privacy to users since most of the communication is happening over the Internet, or on a network.
“We’re happy to announce that 80 percent of Android apps are encrypting traffic by default. The percentage is even greater for apps targeting Android 9 and higher, with 90 percent of them encrypting traffic by default,” an excerpt from the blog read. Since November 1, all apps on Google Play must target at least Android 9. “As a result, we expect these [TLS encryption] numbers to continue improving,” according to Google’s update. “Network traffic from these apps is secure by default and any use of unencrypted connections is the result of an explicit choice by the developer.”
Also, the latest releases of Android Studio and Google Play’s pre-launch report are intended to help developers along that path and make them aware of their security configuration. Developers will also be warned when their apps allow any unencrypted traffic.
In addition to getting Android app developers to use HTTPS, Google has also been successful at getting websites to adopt the new standard as opposed to using HTTP, which is vulnerable to SQL injections as well as cross-site scripting (XSS).