Google mandates TLS encrypted connections for Android apps

The next version of Android will prevent apps from using unencrypted, cleartext connections by default to better protect users, Google has said.

The company has moved towards encrypting all data that leave and enter Android devices with the industry-standard Transport Layer Security (TLS) protocol, and is further tightening the requirements in Android P, which is currently in developer preview.

With Android P, "all traffic should be encrypted, regardless of content, as any unencrypted connections can be used to inject content, increase attack surface for potentially vulnerable client code, or track the user," Android security engineer Chad Brubaker wrote.

While Android Nougat and Orea allowed cleartext connections, Android P apps will communicate over TLS by default.

Developers are asked to change link address prefixes from HTTP:// to HTTPS:// in apps and server responses, to make use of TLS via Android's built-in hyper text transport protocol network stack.

Further code changes are required for developers whose apps create Transmission Control Protocol datagram sockets, using the SSLSocketFactory class for the Java programming language.

Android P will allow cleartext connections to specific domains, but Google said developers should use these only for legacy cases to avoid traffic being tampered with.

TLS has no or a negligible performance impact when used on modern devices with up-to-date software implementations, and greatly improves user experience and security.