Real world Android 4.4.2 doesn't handle TLS 1.2 #258

Closed
frkay opened this issue Nov 11, 2015 · 7 comments
Labels
bug

Comments

@frkay frkay commented Nov 11, 2015

Hello,
The Wikipedia page about TLS has a web browser support table:
https://en.wikipedia.org/wiki/Transport_Layer_Security#Web_browsers
It states that the Android 4.4-4.4.4 browser (not Chrome) has TLS 1.1 and 1.2 disabled by default. SSL Labs reports that TLS 1.1 and 1.2 are supported (https://www.ssllabs.com/ssltest/viewClient.html?name=Android&version=4.4.2). On a real-world Samsung Galaxy S4 mini running Android 4.4.2, I noticed that TLS 1.1 works and that TLS 1.2 is disabled (and did not find a way to enable it). I will add screenshots later on (not my phone). This is somewhat disturbing. I don't know if other KitKat phones behave this way, but perhaps SSL Labs should add a footnote concerning Android 4.4.2, since what is currently reported is misleading for at least some Android devices.
On the other hand, when IE 8-10 / Win 7 are reported to handle only TLS 1.0, this is effectively the default behaviour, but enabling TLS 1.1+ is not that difficult. Regarding Android 4.4.x, I'm a bit lost now. Could you use the SSL browser test to gather real-world results and give a better picture of how TLS is configured on KitKat devices? PCI DSS 3.1 has set the end of June 2016 as the deadline for TLS 1.0, and it looks like Android 4.4 will still be in use by then.
Cheers

@selecadm selecadm commented Nov 12, 2015

Indeed.

Android 5.0: https://developer.android.com/about/versions/android-5.0-changes.html

TLSv1.2 and TLSv1.1 protocols are now enabled

https://developer.android.com/reference/javax/net/ssl/SSLSocket.html

| Protocol | Enabled by default (API Levels) |
| --- | --- |
| TLSv1.1 | 20+ |
| TLSv1.2 | 20+ |

https://en.wikipedia.org/wiki/Android_version_history

Android 4.4W–4.4W.2 KitKat, with wearable extensions (API level 20)

http://blog.dev-area.net/2015/08/13/android-4-1-enable-tls-1-1-and-tls-1-2/

…starting with API level 20+ (Android 4.4 for watch, Kitkat Watch and Android 5.0 for phone, Lollipop) they are enabled

@frkay frkay commented Nov 12, 2015

Screenshots of an Android 4.4.2 native browser as seen by SSL Labs browser tests:
[Screenshot: screenshot_2015-11-10-13-52-30]
[Screenshot: screenshot_2015-11-10-13-54-24]

@ivanr ivanr commented Nov 12, 2015

For Android, I obtained client capabilities by running an emulator to launch each of the available Android versions. It's possible that the image was "contaminated" and TLS 1.2 enabled even if that's not the default. I'll have to look into it again.

@ivanr ivanr added the bug label Nov 12, 2015
@frkay frkay commented Nov 25, 2015

After some searching, I think that the problem is that most smartphone vendors did not ship stock Android. This article clearly states that Samsung replaced the default browser with its own flavor of Chrome 28:
http://www.quirksmode.org/blog/archives/2015/02/chrome_continue.html
In early September I was somewhat surprised to see that some older versions of Chrome still had an important market share on mobile/tablets; this is probably also related.
[Image: chrome28]

@ivanr ivanr commented Jun 15, 2016

Thanks for your analysis. I think that, strictly speaking, there is no such thing as Android. We have many, many variations instead.

@jakub-g jakub-g commented Dec 6, 2016

Sorry to necropost, but @frkay, did you dig more into the issue? It would be interesting for us if there are any highly-used Android 4.4 devices that support only TLS 1.0 and nothing newer, as we plan to deprecate TLS 1.0 in my company. Thanks!

@Shoaib3008757 Shoaib3008757 commented Jun 21, 2017

It's not working on 4.4.4 and 4.4.2.
