-
Notifications
You must be signed in to change notification settings - Fork 5
TLS 1.2 support in Android 4.x
TLS (Transport Layer Security) is the successor to SSL and is a widely-used security protocol which provides the security later of HTTPS.
There are currently 4 versions of TLS in usage:
- TLS 1.0 was released in 1999 and features a number of known protocol vulnerabilities along with support for weak cryptography which is not up to modern standards.
- TLS 1.1 doesn't have any known protocol vulnerabilities, but shares the same weak cryptography as TLS 1.0. Most software moved straight from TLS 1.0 to TLS 1.2, so this version is not in widespread use.
- TLS 1.2 was released in 2008 and whilst it suffered from slow adoption by a number of major platforms and browsers, it is now the most widely used version of TLS and underpins most of the internet.
- TLS 1.3 is the very latest version of TLS and is not yet in widespread use.
As of 2021, TLS 1.0 and 1.1 are now widely deprecated and TLS 1.2 is considered the baseline standard.
Prior to API Level 20 (Android 4.4W), Android did not enable TLS 1.2 by default on SSL sockets.
Not only that, but whilst the documentation states that TLS 1.2 is "supported" as far back as API Level 16, in practice there is a mixed picture of support for TLS 1.2 across different manufacturers, devices and OS versions, so support for TLS 1.2 cannot be guaranteed.
There are various workarounds that can be used to attempt to force TLS 1.2 on Android 4.x, however these tend to suffer from a number of problems:
- Inconsistent and buggy behaviour between manufacturers, device and OS versions.
- There is often a need to employ Google Play services to patch the device's security provider to upgrade it to support TLS 1.2. This carries with it a requirement to include a dependency on the Google Play services basement, along with a requirement for the phone to have access to Google services, which nowadays a sizeable minority do not.
In short, our investigations concluded that forcing TLS 1.2 on Android 4.x is unreliable and impractical for use in the iProov SDK.
In accordance with our commitment to security best practice, iProov promotes TLS 1.2 as the standard for client-server encryption.
However, at the same time, we have had a small number of customers who have required support for Android 4.x, and we have therefore been required to maintain limited, specific support for TLS 1.0 and 1.1 on our EU platform to support those customers who require support for Android 4.x devices.
All other iProov regional platforms support TLS 1.2 only.
As of 2021, we are now seeing only extremely small numbers of transactions from Android 4.x, and will now be proceeding with the removal of TLS 1.0 support from our EU platform, which will mean that our entire global platform has a baseline of TLS 1.2 support. This will allow us to ensure the very highest levels of security for all users of our platform, regardless of which endpoint they connect to.
This will also result in us dropping support for Android 4.x, which will have the added benefit of allowing us to remove various workarounds from our own SDK to support API 19 and fully modernise our codebase, which should improve overall reliability and compatibility of the SDK.
- 8 March 2021 - iProov announces deprecation of TLS 1.0 from our EU platform.
- Between March and September - iProov will release Android Biometrics SDK 7.0 which increases the minimum supported API level from 19+ (Android 4.4+) to API 21+ (Android 5.0+).
- 8 September 2021 - The latest date by which iProov will have removed TLS 1.0 from our EU platform, after which point, any end-users still on Android 4.x will no longer be able to use iProov.
NOTE: From March 2021, we will begin consulting with all customers utilising the EU platform, with a view to accelerating the removal of TLS 1.0 with the consent of all affected customers.
The next major SDK release will be dropping support entirely for Android 4.x.
However, customers who need to support Android 4.x for the time being (e.g. on current SDK versions), can do so by establishing a reverse proxy to accept TLS 1.0 traffic and relay it to iProov over TLS 1.2. Instructions on setting up a reverse proxy to iProov can be found here.
iOS has supported TLS 1.2 since iOS 5. Given that our iOS Biometrics SDK supports iOS 9+, this is not an issue.
All browsers supported by the Web SDK support TLS 1.2, so this is not an issue.
NIST Special Publication 800-52 provides detailed background and guidance around TLS.
Of particular relevance to readers in the UK is the guidance from the National Cyber Security Centre.