Google: 80% of Android apps encrypt traffic by default

Google’s work to tighten up protection of network traffic between Android devices and web services, which began three years ago, is finally paying off.

In 2016, Google gave Android app developers the tools to ensure that traffic from apps was encrypted over the Transport Layer Security (TLS) protocol, which enables the secure version of HTTP communications known as HTTPS, or HTTP ‘secure’.

Google considers the security feature especially important for mobile apps because of how frequently smartphones connect to untrusted wifi networks, such as at cafes and airports. But progress has been slow. 

That same year Apple introduced App Transport Security, which would be mandatory from January 1, 2017 and forces iOS apps that connect to web services to do so over an HTTPS connection. It was enabled by default in iOS 9.

But as Google revealed today, at the beginning of 2018, 0% of apps were blocking cleartext communications by default. The good news is that the figure climbed steadily over the past year and reached 40% in May 2019, an inflection point after which adoption of the default accelerated, reaching 80% by October 2019.

Google’s answer to the HTTPS app challenge was Network Security Config, a feature introduced with Android 7 Nougat from 2017. It allows app developers to define a network security policy for an app in a configuration file, so that an app can declare that it will not send network traffic unless it is encrypted.

The improvement on the seemingly slow progress is the result of default behaviors Google has introduced in new versions of Android over the past two years. The other reason for the slow improvement is that many Android devices don't get updated by carriers and device makers. iPhone users have historically adopted new versions of iOS much faster than Android users.

Android 9 Pie from 2018 was the first version to prevent apps that target it from allowing unencrypted connections by default. Apps targeting Android 7 Nougat from 2017 and Android 6 Oreo from 2016 allowed plaintext connections.
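To make the mechanism concrete, here is what a Network Security Config that blocks cleartext looks like, as an added illustration rather than anything taken from Google's announcement. The `cleartextTrafficPermitted` attribute, the `base-config` and `domain-config` elements, and the manifest attribute `android:networkSecurityConfig` are the real Android API; the domain name `legacy-api.example.invalid` is a constructed placeholder. On Android 9 and later the `base-config` shown is already the default for apps targeting that version, so the file only changes behavior for apps targeting older versions, or where a developer deliberately re-enables cleartext for a single host, which is exactly the "explicit choice by the developer" that Google's engineers describe:

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml (added example, not from the article) -->
<network-security-config>
    <!-- Refuse plaintext HTTP for every destination; HTTPS/TLS only.
         Apps targeting Android 9+ get this behavior even without the file. -->
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <!-- Trust only the system CA store, not user-installed CAs -->
            <certificates src="system" />
        </trust-anchors>
    </base-config>

    <!-- Narrow, explicit exception for one host (placeholder name).
         Any cleartext use must be opted into like this, per domain,
         which makes it visible in code review instead of being implicit. -->
    <domain-config cleartextTrafficPermitted="true">
        <domain includeSubdomains="false">legacy-api.example.invalid</domain>
    </domain-config>
</network-security-config>
```

The file takes effect only when the manifest points at it, via `android:networkSecurityConfig="@xml/network_security_config"` on the `<application>` element; with that in place, an `http://` request to any host other than the listed exception fails at the platform level with a cleartext-not-permitted error rather than silently going out unencrypted.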

So, while Google’s Android initiative kicked off in 2016, it wasn’t until this year that a majority of apps block cleartext transmissions by default. 


Google predicts that more traffic from Android devices will be encrypted over the next few months after a recent rule change that requires all app updates and new apps on the Google Play Store to target Android 9 or higher.

“As a result, we expect these numbers to continue improving. Network traffic from these apps is secure by default and any use of unencrypted connections is the result of an explicit choice by the developer,” explained Google software engineers.

Percentage of apps that block cleartext by default. Credit: LT
