Three years ago, Google started its push to tighten network traffic protection from Android devices to web services. The company has provided an update stating that 80% of Android apps have adopted the HTTPS standard by default. HTTPS encrypts network traffic, preventing third parties from intercepting data from apps.
Google provided Android app developers with tools to ensure traffic from apps was encrypted over the Transport Layer Security (TLS) protocol, which secures HTTP communications as HTTPS, or HTTP “secure.” The added security is especially important for devices that usually connect to untrusted or open Wi-Fi networks such as in airports and cafes.
From 0% at the beginning of 2018, the figure for apps encrypting traffic by default steadily climbed over the past year, reaching 80% by October 2019. Google has since rolled out the HTTPS feature Network Security Configuration, which was also introduced with Android 7 Nougat in 2016. It is essentially a configuration file that allows app developers to define a network security policy that prevents an app's network traffic from being sent unless it is encrypted.
Android 9 Pie from 2018, additionally, prevented apps from allowing unencrypted connections for every domain by default. It should be noted that 90% of all Android 9 apps are currently encrypting network traffic through HTTPS.
The numbers are only expected to go up after Google implemented a recent rule change that requires all app updates and new apps on the Google Play Store to target Android 9 or above. Since the majority of network traffic coming from Android apps is now secure by default, any use of unencrypted connections will be at the app developer’s discretion.
In a bid to make encrypted traffic support easier, the latest releases of Android Studio and Google Play’s pre-launch report warn developers when their app includes a potentially insecure network security configuration (e.g., if it allows unencrypted traffic for all domains or accepts user-provided certificates outside of debug mode).
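As an added illustration (not code from Google or from the original article), the following Python sketch audits a Network Security Configuration file for the two settings named above: cleartext traffic permitted, and user-added certificates trusted outside `debug-overrides`. The sample XML, the domain `api.example.com` and the function name `audit_network_security_config` are constructed for this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample policy (not from a real app): a weak base-config, a strict
# domain-config, and a debug-only override that must not be reported.
SAMPLE_CONFIG = """<network-security-config>
    <base-config cleartextTrafficPermitted="true">
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />
        </trust-anchors>
    </base-config>
    <domain-config cleartextTrafficPermitted="false">
        <domain includeSubdomains="true">api.example.com</domain>
    </domain-config>
    <debug-overrides>
        <trust-anchors>
            <certificates src="user" />
        </trust-anchors>
    </debug-overrides>
</network-security-config>"""


def audit_network_security_config(xml_text):
    """Return (section, finding) tuples for risky release-build settings."""
    findings = []

    def walk(node):
        for child in node:
            # Only base-config and domain-config affect release builds;
            # debug-overrides applies to debuggable builds and is skipped.
            if child.tag not in ("base-config", "domain-config"):
                continue
            if child.get("cleartextTrafficPermitted") == "true":
                scope = "all domains" if child.tag == "base-config" else "listed domains"
                findings.append((child.tag, "cleartext traffic permitted for " + scope))
            for cert in child.findall("./trust-anchors/certificates"):
                if cert.get("src") == "user":
                    findings.append((child.tag, "user-added CAs trusted outside debug-overrides"))
            walk(child)  # domain-config elements may be nested

    walk(ET.fromstring(xml_text))
    return findings


if __name__ == "__main__":
    for section, issue in audit_network_security_config(SAMPLE_CONFIG):
        print(section + ": " + issue)
```

A check like this can run in CI against `res/xml/network_security_config.xml` so that a permissive policy is caught before the build reaches the store.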
Securing Android apps and installations
For apps that target Android 9 and higher, all network traffic is encrypted by default. The platform will only trust certificates issued by an authority in the standard Android CA set.
App developers should implement security by design in mobile application development to ensure privacy and security in their services. Aside from installing apps from official stores, users are advised to be wary of data received over unsecure connections as it may have been tampered with in transit.
Users can also consider using a multilayered mobile security solution to prevent adware and other potentially unwanted applications (PUAs) from being installed on their devices. Here are other ways to secure mobile use:
Limit the personal information provided to apps and sites