80% of Android Apps Use TLS to Encrypt Traffic

Back in 2018, Google announced that apps targeting Android 9 would be blocked from using unencrypted (cleartext) connections by default. As of December 2019, Google says that 80 percent of all apps on Google Play encrypt their network traffic by default, rising to 90 percent of apps targeting Android 9 and higher.

Android 7 (API level 24) introduced the Network Security Configuration in 2016, allowing app developers to configure the network security policy for their app through a declarative configuration file. To ensure apps are safe, apps targeting Android 9 (API level 28) or higher automatically have a policy set by default that prevents unencrypted traffic for every domain.

Today, we’re happy to announce that 80% of Android apps are encrypting traffic by default. The percentage is even greater for apps targeting Android 9 and higher, with 90% of them encrypting traffic by default.

Since November 1 2019, all apps (updates as well as all new apps on Google Play) must target at least Android 9. As a result, we expect these numbers to continue improving. Network traffic from these apps is secure by default and any use of unencrypted connections is the result of an explicit choice by the developer.

That last sentence is a bit concerning. If app developers want to explicitly make their apps communicate through unencrypted connections, that’s fine, but as far as I can tell there is no way that consumers are made aware of this.

Just as modern browsers warn me when the website I’m visiting doesn’t use encryption, Google should inform users when an app they’re using sends its traffic in the clear. That opt-out is declared statically in the app’s manifest (android:usesCleartextTraffic) or in its network security configuration, so Play already has what it needs to flag it. I’d be happy with a notice on the Google Play store page for such apps along the lines of “This app sends network traffic over unencrypted channels.”

(Yes, users could set up a packet analysis tool to look at the data their phone is sending, but they shouldn’t have to do so).
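As an added example (not code from the original post, and not Google’s), here is the check the post wishes Play would surface, written in Python: given an app’s decoded AndroidManifest.xml and, if the manifest references one, its network security configuration, it reports whether the app may talk to a given host over cleartext. It follows the documented precedence as I read it from the Android developer docs: a network security config wins (most specific matching domain-config, then base-config, with the manifest flag ignored), otherwise android:usesCleartextTraffic decides, otherwise the targetSdkVersion default applies (API 28 and up block cleartext). The manifests and config below are constructed samples, and the function names are this example’s own.

```python
"""Resolve whether an Android app may send cleartext (non-TLS) traffic to a host.

Added example, not code from the original post or from Google. Precedence
implemented here (my reading of the Android developer documentation):
  1. If the manifest references a Network Security Config (NSC), the NSC decides:
     most specific matching <domain-config>, then <base-config>. The manifest's
     android:usesCleartextTraffic is ignored in that case.
  2. Otherwise android:usesCleartextTraffic in <application> decides.
  3. Otherwise the platform default: targetSdkVersion >= 28 blocks cleartext.
Simplification: attribute inheritance between nested <domain-config> elements
is not modelled; a matching config without the attribute falls through to base.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"


def _manifest_flags(manifest_xml):
    """Return (targetSdkVersion, usesCleartextTraffic or None, has_nsc)."""
    root = ET.fromstring(manifest_xml)
    sdk = root.find("uses-sdk")
    target = int(sdk.get(ANDROID_NS + "targetSdkVersion", "1")) if sdk is not None else 1
    app = root.find("application")
    flag = app.get(ANDROID_NS + "usesCleartextTraffic") if app is not None else None
    has_nsc = app is not None and app.get(ANDROID_NS + "networkSecurityConfig") is not None
    return target, flag, has_nsc


def _domain_matches(host, domain, include_subdomains):
    host, domain = host.lower().rstrip("."), domain.lower().rstrip(".")
    return host == domain or (include_subdomains and host.endswith("." + domain))


def _nsc_decision(nsc_xml, host):
    """True/False from the NSC, or None if it says nothing about this host."""
    root = ET.fromstring(nsc_xml)
    best = None  # (specificity = matched domain length, cleartextTrafficPermitted)
    for cfg in root.iter("domain-config"):
        permitted = cfg.get("cleartextTrafficPermitted")
        for d in cfg.findall("domain"):
            name = (d.text or "").strip()
            if _domain_matches(host, name, d.get("includeSubdomains") == "true"):
                if best is None or len(name) > best[0]:
                    best = (len(name), permitted)
    if best is not None and best[1] is not None:
        return best[1] == "true"
    base = root.find("base-config")
    if base is not None and base.get("cleartextTrafficPermitted") is not None:
        return base.get("cleartextTrafficPermitted") == "true"
    return None


def cleartext_permitted(manifest_xml, host, nsc_xml=None):
    """Does this app's declared policy allow plain HTTP to `host`?"""
    target, flag, has_nsc = _manifest_flags(manifest_xml)
    platform_default = target < 28  # Android 9 (API 28) targets block cleartext
    if has_nsc:
        if nsc_xml is None:
            raise ValueError("manifest references a networkSecurityConfig; supply it")
        decision = _nsc_decision(nsc_xml, host)
        return platform_default if decision is None else decision
    if flag is not None:
        return flag == "true"
    return platform_default


# Constructed sample manifests (hypothetical package name).
_TEMPLATE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.app">
  <uses-sdk android:minSdkVersion="21" android:targetSdkVersion="{target}"/>
  <application {extra}/>
</manifest>"""
SECURE_DEFAULT = _TEMPLATE.format(target=28, extra="")
OPT_OUT = _TEMPLATE.format(target=28, extra='android:usesCleartextTraffic="true"')
LEGACY_TARGET = _TEMPLATE.format(target=27, extra="")
WITH_NSC = _TEMPLATE.format(
    target=28, extra='android:networkSecurityConfig="@xml/network_security_config"')
WITH_NSC_AND_FLAG = _TEMPLATE.format(
    target=28, extra='android:usesCleartextTraffic="true" '
    'android:networkSecurityConfig="@xml/network_security_config"')

# Constructed sample NSC: cleartext allowed only for one legacy domain and its subdomains.
SAMPLE_NSC = """<network-security-config>
  <domain-config cleartextTrafficPermitted="true">
    <domain includeSubdomains="true">legacy.example.com</domain>
  </domain-config>
</network-security-config>"""


def report(manifest_xml, hosts, nsc_xml=None):
    """Map each host to the warning text a store page could show for it."""
    return {h: ("sends traffic over unencrypted channels"
                if cleartext_permitted(manifest_xml, h, nsc_xml) else "TLS required")
            for h in hosts}


if __name__ == "__main__":
    for label, m in [("secure default", SECURE_DEFAULT), ("opt-out", OPT_OUT),
                     ("legacy target", LEGACY_TARGET)]:
        print(label, report(m, ["api.example.com"]))
    print("nsc", report(WITH_NSC, ["api.legacy.example.com", "api.example.com"], SAMPLE_NSC))
```

To run this against a real APK, decode the binary manifest first (for example with `apkanalyzer manifest print app.apk` from the Android SDK) and, if one is referenced, extract the compiled res/xml network security config with a tool such as apktool before feeding both to `cleartext_permitted`.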

HTTrack Website Copier for Android

HTTrack Website Copier is a free, open source solution for making local mirrors of websites. What I didn’t realize until recently is that there is an Android version of the utility available on the Google Play Store.

It allows you to download a World Wide Web site from the Internet to a local directory, building recursively all directories, getting HTML, images, and other files from the server to your computer. HTTrack arranges the original site’s relative link-structure. Simply open a page of the “mirrored” website in your browser, and you can browse the site from link to link, as if you were viewing it online. HTTrack can also update an existing mirrored site, and resume interrupted downloads. HTTrack is fully configurable, and has an integrated help system.

Android’s SMS & Call Log Restrictions

For several years now, I and a lot of other Android users have used the free, open source app SMS Backup+ to backup call logs and text messages. What made SMS Backup+ such a great app is that not only did it do traditional backups, but it also allowed users to push the call log to Google Calendar and send every SMS to a GMail account, with custom tagging.

But SMS Backup+ is about to become a casualty of Google’s efforts to better protect its users’ privacy–efforts which often seem to also be aimed at further closing what was once a much more open ecosystem than its competitors (and one of the things that attracted many users to Android rather than iOS).

Google has been burned repeatedly by Android malware that reads SMS messages and call logs, using that access to spy on users or to defraud them.

In an effort to better protect users, Google decided to limit which apps can access SMS and Call Log permissions.

Google Play restricts the use of high risk or sensitive permissions, including the SMS or Call Log permission groups.

If your app does not require access to Call Log or SMS permissions, you must remove these permissions from your app’s manifest. Details on policy compliant alternative implementation are also detailed below.

If you believe your app meets the policy requirements for acceptable use or is eligible for an exception, you should declare any Call Log or SMS permissions directly through the Play Console.

Apps that fail to meet policy requirements or submit a Declaration Form may be removed from Google Play.

. . .

For apps requesting access to the SMS or Call Log permissions, the intended and permitted uses include default SMS handling, default phone handling, or Assistant handling capability.

Apps must be actively registered as the default SMS, Phone, or Assistant handler before prompting users to accept any of the above permissions and must immediately stop the use of the permission when they no longer are the default handler.

Notice that backing up SMS or Call Logs, much less pushing SMS messages into something like GMail, is not on the list of “intended and permitted uses.” I assume Google wants users who wish to keep backups of SMS messages to use its own Android backup service rather than rely on third-party tools. That’s one less security headache for Google, presumably.

The developer of SMS Backup+, Jan Berkel, says he did apply for an exception to the new policy, but was denied,

Hello everyone. I’m sorry about this situation, SMS Backup+ will no longer have access to Gmail, mainly because it’s not an email reading app.

I applied for an exception but it was declined, as expected. Vanilla IMAP might work, but for how long I wonder. And it’s very tricky to set up for a casual user. Unfortunately the Android platform is getting more and more closed.

I’m not sure what to do at this point, either remove the app from the store or release a new version which removes the automatic account setup, since that is broken / will be broken soon.

There are still ways to get backups of SMS and Call Logs and push them to Google Calendar or Gmail, but these will require a lot more technical savvy and effort on the part of users. And even those workarounds may soon be on the Google chopping block.

And with that, a highly useful app that likely had hundreds of thousands of users will disappear and, with it, the functionality that those users found helpful.

Android’s Real Security Problem

Cameron Summerson makes an excellent point about the latest Android vulnerability: Android’s real security problem is the manufacturers,

Currently, manufacturers are doing a terrible job of protecting their users, full stop. While not getting full OS updates (or even point releases) is annoying at best, not getting security updates is unacceptable. It sends a message that can’t be ignored: it says that your phone manufacturer doesn’t care about your data. Your info isn’t important enough for them to protect.

Security updates aren’t huge like full OS updates or even point releases. They’re released monthly by Google, so they’re much smaller and easier to bake into the system—even for third-party manufacturers. Again, there’s no real excuse not to make this a priority.

Carriers also play a significant role in slowing down Android updates. All of these companies that are more than happy to take consumers’ money seem reticent to do beyond the bare minimum to make sure they’re protected on the devices and networks they choose.

As Duo Security notes, the result of this insanity is that “90 percent of Android devices were not on the latest security patch released 26 days prior.”

Shelter for Android–An Android Sandbox App

Shelter is a free, open source app for Android that uses Android’s work profile feature to create an isolated profile into which you can install or clone other apps. Apps inside the profile get their own app data, accounts and contacts, separate from your main profile, but they still run on the same device and kernel, so this is isolation at the profile level rather than a full sandbox.

Run “Big Brother” apps inside the isolated profile so they cannot access your data outside the profile

“Freeze” (disable) background-heavy or seldom-used apps when you don’t need them. This is especially true if you use apps from Chinese companies like Baidu, Alibaba, Tencent.

Clone apps to use two accounts on one device