Real world Android 4.4.2 doesn't handle TLS 1.2 #258

Closed
frkay opened this Issue Nov 11, 2015 · 7 comments

frkay commented Nov 11, 2015

Hello,
The Wikipedia page about TLS has a web browser support table:
https://en.wikipedia.org/wiki/Transport_Layer_Security#Web_browsers
It states that the Android 4.4-4.4.4 browser (not Chrome) has TLS 1.1 and 1.2 disabled by default. SSL Labs reports that TLS 1.1 and 1.2 are supported (https://www.ssllabs.com/ssltest/viewClient.html?name=Android&version=4.4.2). On a real world Samsung Galaxy S4 mini running Android 4.4.2 I noticed that TLS 1.1 works and that TLS 1.2 is disabled (and did not find a way to enable it); I will add screenshots later on (not my phone). This is somewhat disturbing. I don't know if other KitKat phones behave this way, but perhaps SSL Labs should add a footnote concerning Android 4.4.2, since what is currently reported is misleading for at least some Android devices.
On the other hand, when IE 8-10 / Win 7 are reported to handle only TLS 1.0, this is effectively the default behaviour, but enabling TLS 1.1+ is not that difficult. Regarding Android 4.4.x I'm a bit lost now; could you use the SSL browser test to gather real world results and give a better picture of how TLS is configured on KitKat devices? PCI DSS 3.1 has set the end of June 2016 deadline for TLS 1.0 and it looks like Android 4.4 will still be in use by then.
Cheers
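A server-side way to gather the "real world results" asked for above, as an added example that is not part of this issue or of the SSL Labs code: parse the ClientHello a browser sends and record the highest protocol version it offers. A server operator can run this over ClientHellos logged from a capture to see which clients never offer TLS 1.2. The sample ClientHellos are constructed inline for the demonstration; the parser also reads the supported_versions extension used by TLS 1.3, which goes beyond the TLS 1.0-1.2 range discussed in the thread.

```python
import struct
from collections import Counter

VERSION_NAMES = {
    0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
    0x0303: "TLS 1.2", 0x0304: "TLS 1.3",
}
SUPPORTED_VERSIONS_EXT = 0x002B   # RFC 8446 extension type


def version_name(v):
    return VERSION_NAMES.get(v, "unknown 0x%04x" % v)


def build_client_hello(client_version, supported_versions=None):
    """Construct a minimal ClientHello record (sample data, not a real capture)."""
    body = struct.pack(">H", client_version)          # legacy client_version
    body += b"\x00" * 32                               # random (zeros are fine for a sample)
    body += b"\x00"                                    # empty session_id
    body += struct.pack(">H", 2) + b"\x00\x2f"         # one cipher suite (TLS_RSA_WITH_AES_128_CBC_SHA)
    body += b"\x01\x00"                                # one compression method: null
    if supported_versions is not None:
        vers = b"".join(struct.pack(">H", v) for v in supported_versions)
        ext_data = struct.pack(">B", len(vers)) + vers
        ext = struct.pack(">HH", SUPPORTED_VERSIONS_EXT, len(ext_data)) + ext_data
        body += struct.pack(">H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    # Record layer: content type handshake, record version TLS 1.0 as most clients send
    return b"\x16" + struct.pack(">HH", 0x0301, len(handshake)) + handshake


def parse_client_hello(record):
    """Return the legacy client_version and any supported_versions list from a ClientHello record."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack(">H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ClientHello")
    off = 0
    client_version = struct.unpack(">H", body[off:off + 2])[0]
    off += 2 + 32                                      # skip random
    off += 1 + body[off]                               # skip session_id
    off += 2 + struct.unpack(">H", body[off:off + 2])[0]   # skip cipher_suites
    off += 1 + body[off]                               # skip compression_methods
    supported = []
    if off + 2 <= len(body):                           # extensions block is optional
        ext_len = struct.unpack(">H", body[off:off + 2])[0]
        off += 2
        end = min(off + ext_len, len(body))
        while off + 4 <= end:
            etype, elen = struct.unpack(">HH", body[off:off + 4])
            off += 4
            edata = body[off:off + elen]
            off += elen
            if etype == SUPPORTED_VERSIONS_EXT and len(edata) >= 1:
                n = min(edata[0], len(edata) - 1)
                supported = [struct.unpack(">H", edata[1 + i:3 + i])[0]
                             for i in range(0, n - n % 2, 2)]
    return {"client_version": client_version, "supported_versions": supported}


def highest_offered_version(record):
    """Name of the highest real protocol version the client offers."""
    info = parse_client_hello(record)
    candidates = info["supported_versions"] or [info["client_version"]]
    real = [v for v in candidates if (v & 0x0F0F) != 0x0A0A]   # drop GREASE values (RFC 8701)
    return version_name(max(real))


def tally_versions(records):
    """Count clients by highest offered version, which is what a footnote like the one requested needs."""
    return Counter(highest_offered_version(r) for r in records)


if __name__ == "__main__":
    # Constructed samples: a KitKat-style client offering TLS 1.1 at most, a TLS 1.2 client, a TLS 1.3 client
    samples = [build_client_hello(0x0302), build_client_hello(0x0303),
               build_client_hello(0x0303, [0x0A0A, 0x0304, 0x0303])]
    for name, count in tally_versions(samples).items():
        print(name, count)
```

On a real deployment the records would come from the first handshake message of each connection (for instance from a packet capture) rather than from build_client_hello; the legacy client_version is what a pre-TLS 1.3 browser such as the KitKat one uses to announce its maximum, so it is the field that distinguishes a device stuck at TLS 1.1 from one that offers TLS 1.2.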

selecadm commented Nov 12, 2015

Indeed.

Android 5.0: https://developer.android.com/about/versions/android-5.0-changes.html

TLSv1.2 and TLSv1.1 protocols are now enabled

https://developer.android.com/reference/javax/net/ssl/SSLSocket.html

Protocol Enabled by default (API Levels)
TLSv1.1 20+
TLSv1.2 20+

https://en.wikipedia.org/wiki/Android_version_history

Android 4.4W–4.4W.2 KitKat, with wearable extensions (API level 20)

http://blog.dev-area.net/2015/08/13/android-4-1-enable-tls-1-1-and-tls-1-2/

…starting with API level 20+ (Android 4.4 for watch, Kitkat Watch and Android 5.0 for phone, Lollipop) they are enabled

frkay commented Nov 12, 2015

Screenshots of an Android 4.4.2 native browser as seen by SSL Labs browser tests:
screenshot_2015-11-10-13-52-30
screenshot_2015-11-10-13-54-24

Contributor
ivanr commented Nov 12, 2015

For Android, I obtained client capabilities by running an emulator to launch each of the available Android versions. It's possible that the image was "contaminated" and TLS 1.2 enabled even if that's not the default. I'll have to look into it again.

@ivanr ivanr added the bug label Nov 12, 2015

frkay commented Nov 25, 2015

After some search I think that the problem is that most smartphone vendors did not ship stock Android; this article clearly states that Samsung replaced the default browser with its own flavor of Chrome 28:
http://www.quirksmode.org/blog/archives/2015/02/chrome_continue.html
Early September I was somewhat surprised to see that some older versions of Chrome still had an important market share on mobile/tablets; this is probably also related.
chrome28

Contributor
ivanr commented Jun 15, 2016

Thanks for your analysis. I think that, strictly speaking, there is no such thing as Android. We have many, many variations instead.

jakub-g commented Dec 6, 2016

Sorry to necropost, but @frkay did you dig more into the issue? It would be interesting for us if there are any highly-used Android 4.4 devices that support only TLS 1.0 and nothing newer, as we plan to deprecate TLS 1.0 in my company. Thanks!

Shoaib3008757 commented Jun 21, 2017

It's not working on 4.4.4 and 4.4.2.
