Feature #72 (closed): Disable SSLv3 for API 19 (KitKat)
Description
Charles Fisher <chasjfish@gmail.com> requested disabling SSLv3 on Android API 19 (KitKat), which is insecure and can lead to man-in-the-middle attacks. It is already disabled system-wide on API > 19.
It is possible to disable SSLv3 in API 19 using a custom SSLSocketFactory with `setEnabledProtocols()`.
https://blog.dev-area.net/2015/08/13/android-4-1-enable-tls-1-1-and-tls-1-2/
https://developer.android.com/reference/javax/net/ssl/SSLSocketFactory.html
https://developer.android.com/reference/javax/net/ssl/SSLSocket.html
http://callistaenterprise.se/blogg/teknik/2011/11/24/android-tlsssl-mutual-authentication/
Updated by Soren Stoutner about 8 years ago
We also want to disable the following ciphers:
TLS_ECDHE_RSA_WITH_RC4_128_SHA
TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_RC4_128_MD5
Updated by Soren Stoutner about 8 years ago
- Subject changed from Disable SSLv3 for KitKat (API 19) to Disable SSLv3 for API 19 (KitKat)
- Description updated (diff)
Updated by Soren Stoutner about 8 years ago
It turns out this is more difficult than expected. It would require creating a custom `SSLSocketFactory` and then applying it to a custom `DefaultHTTPClient`, which would then require using manual HTTP GET, POST, and HEAD commands and manually processing all responses instead of using WebView's built-in commands. It would be a lot of work, prone to a lot of corner case bugs, for a solution to an old version of Android that will (eventually) go away.
Updated by Soren Stoutner about 8 years ago
An example custom `SSLSocketFactory` is below:
```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.Socket;
import java.security.KeyManagementException;
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

public class KitKatSocketFactory extends SSLSocketFactory {
    private SSLSocketFactory sslSocketFactory;

    public KitKatSocketFactory() throws NoSuchAlgorithmException, KeyManagementException {
        SSLContext sslContext = SSLContext.getInstance("TLSv1.2");
        // The first `null` is the `KeyManager`, the second `null` is the `TrustManager`, and the third `null` is `SecureRandom`.
        sslContext.init(null, null, null);
        sslSocketFactory = sslContext.getSocketFactory();
    }

    // Strip every protocol whose name contains "SSL" (SSLv3) from the socket's enabled list, leaving only the TLS versions.
    private Socket disableSSLv3(Socket socket) {
        if ((socket != null) && (socket instanceof SSLSocket)) {
            String[] originalSocketProtocolsArray = ((SSLSocket) socket).getEnabledProtocols();
            ArrayList<String> newSocketProtocolsArrayList = new ArrayList<>();
            for (String originalSocketProtocolString : originalSocketProtocolsArray) {
                if (!originalSocketProtocolString.contains("SSL")) {
                    newSocketProtocolsArrayList.add(originalSocketProtocolString);
                }
            }
            // `toArray()` with no argument returns `Object[]`, which cannot be cast to `String[]` at runtime; pass a typed array instead.
            String[] newSocketProtocolsArray = newSocketProtocolsArrayList.toArray(new String[0]);
            ((SSLSocket) socket).setEnabledProtocols(newSocketProtocolsArray);
        }
        return socket;
    }

    @Override
    public String[] getDefaultCipherSuites() {
        return sslSocketFactory.getDefaultCipherSuites();
    }

    @Override
    public String[] getSupportedCipherSuites() {
        return sslSocketFactory.getSupportedCipherSuites();
    }

    @Override
    public Socket createSocket(String host, int port) throws IOException {
        Socket socket = sslSocketFactory.createSocket(host, port);
        return disableSSLv3(socket);
    }

    @Override
    public Socket createSocket(InetAddress host, int port) throws IOException {
        Socket socket = sslSocketFactory.createSocket(host, port);
        return disableSSLv3(socket);
    }

    @Override
    public Socket createSocket(InetAddress address, int port, InetAddress localAddress, int localPort) throws IOException {
        Socket socket = sslSocketFactory.createSocket(address, port, localAddress, localPort);
        return disableSSLv3(socket);
    }

    @Override
    public Socket createSocket(Socket s, String host, int port, boolean autoClose) throws IOException {
        Socket socket = sslSocketFactory.createSocket(s, host, port, autoClose);
        return disableSSLv3(socket);
    }

    @Override
    public Socket createSocket(String host, int port, InetAddress localAddress, int localPort) throws IOException {
        Socket socket = sslSocketFactory.createSocket(host, port, localAddress, localPort);
        return disableSSLv3(socket);
    }
}
```
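The factory above only trims protocols; the earlier comment also asks for the four RC4 cipher suites to be disabled. The following added example (not Privacy Browser's code, and not from the issue) pulls both filters into a standalone helper that a `createSocket()` override could call, and generalises the cipher rule to drop any suite whose name mentions RC4, not just the four listed. The `KitKatSocketHardener` class name and the sample protocol and suite arrays in `main()` are constructed for illustration.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.SSLSocket;

// Added example: filter both the enabled protocols and the enabled cipher suites of an
// SSLSocket on API 19, removing SSLv3 and the RC4 suites named in the issue.
public class KitKatSocketHardener {
    // The four cipher suites the issue asks to disable.
    private static final Set<String> DISABLED_CIPHER_SUITES = new HashSet<>(Arrays.asList(
            "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
            "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
            "TLS_RSA_WITH_RC4_128_SHA",
            "TLS_RSA_WITH_RC4_128_MD5"));

    // Keep only protocols whose name does not start with "SSL" (drops SSLv3, keeps TLSv1.x).
    static String[] filterProtocols(String[] enabled) {
        List<String> kept = new ArrayList<>();
        for (String protocol : enabled) {
            if (!protocol.startsWith("SSL")) kept.add(protocol);
        }
        return kept.toArray(new String[0]);
    }

    // Keep only suites that are neither on the deny list nor RC4-based under any other name.
    static String[] filterCipherSuites(String[] enabled) {
        List<String> kept = new ArrayList<>();
        for (String suite : enabled) {
            if (!DISABLED_CIPHER_SUITES.contains(suite) && !suite.contains("RC4")) kept.add(suite);
        }
        return kept.toArray(new String[0]);
    }

    // Apply both filters to a freshly created socket; a factory's createSocket() would call this.
    static SSLSocket harden(SSLSocket socket) {
        socket.setEnabledProtocols(filterProtocols(socket.getEnabledProtocols()));
        socket.setEnabledCipherSuites(filterCipherSuites(socket.getEnabledCipherSuites()));
        return socket;
    }

    public static void main(String[] args) {
        // Constructed sample lists (not captured from a device) to show the filters' effect.
        String[] protocols = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"};
        String[] suites = {"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_RSA_WITH_RC4_128_MD5",
                "TLS_ECDHE_RSA_WITH_RC4_128_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA"};
        System.out.println(Arrays.toString(filterProtocols(protocols)));
        System.out.println(Arrays.toString(filterCipherSuites(suites)));
    }
}
```

`filterProtocols` and `filterCipherSuites` are pure functions over string arrays, so they can be unit-tested on a desktop JVM without an Android device before being wired into a socket factory.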
Updated by Soren Stoutner about 8 years ago
- Status changed from New to 6
I have decided to close this as `Rejected`. The amount of effort needed to implement this is too large to justify the results. Those worried about man-in-the-middle attacks are advised to upgrade to newer versions of Android (Lollipop, Marshmallow, or Nougat).
Updated by Soren Stoutner about 8 years ago
I published a news item about this issue at https://www.stoutner.com/kitkat-security-problems/.
Updated by Soren Stoutner almost 6 years ago
- Priority changed from 2 to Next Release