Android P will require apps to use TLS to encrypt all connections #2466
Comments
Seems like a problem for projects that don't use HTTPS
I fail to see any reasonable excuse for not using TLS in 2018. Thus it shouldn't stop us from what we are required to do anyway, e.g. by GDPR.
Is there any appetite to force HTTPS use from the BOINC/Science United project? It could just be picking two dates:
You could easily be much more aggressive, but just creating any minimum is important IMHO.
Right now we are at 23 projects using HTTPS (including account managers) and 15 only using HTTP.
I didn't check all of them, but I could find one where, if you go to /get_project_config.php and look for web_rpc_url_base, it isn't using HTTPS (e.g. https://milkyway.cs.rpi.edu/milkyway/get_project_config.php). I think the majority of projects can just change their master_url to https and they are already mostly good?
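The check described in the comment above (look at a project's get_project_config.php reply and see whether master_url and web_rpc_url_base are https) is easy to automate across the project list. The script below is an added example and is not BOINC's own code. It assumes only what the thread mentions: that the reply is an XML document with top-level master_url and web_rpc_url_base elements. The sample documents and project names are constructed; to run it against real projects you would fetch each URL yourself and pass the response body to the same functions.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed samples shaped like a BOINC get_project_config.php reply, reduced to
# the two URL fields the thread talks about. Project names and hosts are made up.
SAMPLE_CONFIGS = {
    "example-https": """<project_config>
  <name>Example HTTPS project</name>
  <master_url>https://project.example.org/</master_url>
  <web_rpc_url_base>https://project.example.org/</web_rpc_url_base>
</project_config>""",
    # The case from the comment: master_url is https but web_rpc_url_base is not.
    "example-mixed": """<project_config>
  <name>Example mixed project</name>
  <master_url>https://mixed.example.org/</master_url>
  <web_rpc_url_base>http://mixed.example.org/</web_rpc_url_base>
</project_config>""",
    # HTTP-only project without a web_rpc_url_base element at all.
    "example-http": """<project_config>
  <name>Example HTTP-only project</name>
  <master_url>http://legacy.example.org/</master_url>
</project_config>""",
}

# URL-valued elements to inspect; both names appear in the thread.
URL_FIELDS = ("master_url", "web_rpc_url_base")


def cleartext_urls(config_xml: str) -> dict:
    """Return {field: url} for every present URL field whose scheme is not https.

    Absent or empty elements are skipped. A missing or unexpected scheme
    (empty, http, HTTP, ...) is reported, so only an explicit https passes.
    """
    root = ET.fromstring(config_xml)
    findings = {}
    for field in URL_FIELDS:
        elem = root.find(field)
        if elem is None or not (elem.text or "").strip():
            continue
        url = elem.text.strip()
        if urlparse(url).scheme.lower() != "https":
            findings[field] = url
    return findings


def summarize(configs: dict) -> dict:
    """Tally projects the way the thread does: all-https versus any cleartext URL."""
    report = {"https_only": [], "has_cleartext": {}}
    for name, xml_text in configs.items():
        bad = cleartext_urls(xml_text)
        if bad:
            report["has_cleartext"][name] = bad
        else:
            report["https_only"].append(name)
    return report


if __name__ == "__main__":
    report = summarize(SAMPLE_CONFIGS)
    print(f"{len(report['https_only'])} project(s) use HTTPS for every URL field")
    for name, bad in report["has_cleartext"].items():
        for field, url in bad.items():
            print(f"{name}: {field} is not https: {url}")
```

The mixed case matters for the Android P discussion: a project whose master_url is already https can still hand the client a cleartext web_rpc_url_base, so checking master_url alone would undercount the projects that need to change.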
I don't see that we still need to do something here. However, there is one potential issue that I see here: we have a feature to allow connecting from a remote BOINC Manager to our Android client. Thus, I think we can close this ticket without any changes to the codebase.
As per https://android-developers.googleblog.com/2018/03/previewing-android-p.html and https://security.googleblog.com/2018/04/protecting-users-with-tls-by-default-in.html
If your app uses TLS for all connections then you have nothing to do. If not, update your app to use TLS to encrypt all connections.
Android considers all networks potentially hostile and so encrypting traffic should be used at all times, for all connections. Mobile devices are especially at risk because they regularly connect to many different networks, such as the Wi-Fi at a coffee shop. All traffic should be encrypted, regardless of content, as any unencrypted connections can be used to inject content, increase attack surface for potentially vulnerable client code, or track the user.
So this will mean that present BOINC for Android won't work under Android 9.