Feature #72: Disable SSLv3 for API 19 (KitKat)
Status: closed
Done: 0%
Description
Charles Fisher <chasjfish@gmail.com> requested disabling SSLv3 on Android API 19 (KitKat), which is insecure and can lead to man-in-the-middle attacks. It is already disabled systemwide on API > 19.
It is possible to disable SSLv3 in API 19 using a custom SSLSocketFactory with `setEnabledProtocols()`.
https://blog.dev-area.net/2015/08/13/android-4-1-enable-tls-1-1-and-tls-1-2/
https://developer.android.com/reference/javax/net/ssl/SSLSocketFactory.html
https://developer.android.com/reference/javax/net/ssl/SSLSocket.html
http://callistaenterprise.se/blogg/teknik/2011/11/24/android-tlsssl-mutual-authentication/
Updated by Soren Stoutner almost 9 years ago
We also want to disable the following ciphers:
TLS_ECDHE_RSA_WITH_RC4_128_SHA
TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_RC4_128_MD5
Updated by Soren Stoutner almost 9 years ago
- Subject changed from Disable SSLv3 for KitKat (API 19) to Disable SSLv3 for API 19 (KitKat)
- Description updated (diff)
Updated by Soren Stoutner almost 9 years ago
It turns out this is more difficult than expected. It would require creating a custom `SSLSocketFactory` and then applying it to a custom `DefaultHTTPClient`, which would then require using manual HTTP get, post, and head commands and manually processing all responses instead of using WebView's built-in commands. It would be a lot of work, prone to a lot of corner case bugs, for a solution to an old version of Android that will (eventually) go away.
Updated by Soren Stoutner almost 9 years ago
An example custom `SSLSocketFactory` is below:
import java.io.IOException;
import java.net.InetAddress;
import java.net.Socket;
import java.security.KeyManagementException;
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

// Wraps the platform SSLSocketFactory and strips SSL* protocols from every socket it creates.
public class KitKatSocketFactory extends SSLSocketFactory {
    private SSLSocketFactory sslSocketFactory;

    public KitKatSocketFactory() throws NoSuchAlgorithmException, KeyManagementException {
        SSLContext sslContext = SSLContext.getInstance("TLSv1.2");
        // The first `null` is the `KeyManager`, the second `null` is the `TrustManager`, and the third `null` is `SecureRandom`.
        // Passing `null` for all three uses the platform defaults (system trust store, default RNG).
        sslContext.init(null, null, null);
        sslSocketFactory = sslContext.getSocketFactory();
    }

    // Removes every protocol whose name contains "SSL" (SSLv3, SSLv2Hello) before the handshake starts.
    private Socket disableSSLv3(Socket socket) {
        if ((socket != null) && (socket instanceof SSLSocket)) {
            String[] originalSocketProtocolsArray = ((SSLSocket) socket).getEnabledProtocols();
            ArrayList<String> newSocketProtocolsArrayList = new ArrayList<>();
            for (String originalSocketProtocolString : originalSocketProtocolsArray) {
                if (!originalSocketProtocolString.contains("SSL")) {
                    newSocketProtocolsArrayList.add(originalSocketProtocolString);
                }
            }
            // `toArray()` with no argument returns an `Object[]`, which cannot be cast to `String[]` at runtime;
            // the typed overload returns a real `String[]`.
            String[] newSocketProtocolsArray = newSocketProtocolsArrayList.toArray(new String[0]);
            ((SSLSocket) socket).setEnabledProtocols(newSocketProtocolsArray);
        }
        return socket;
    }

    @Override
    public String[] getDefaultCipherSuites() {
        return sslSocketFactory.getDefaultCipherSuites();
    }

    @Override
    public String[] getSupportedCipherSuites() {
        return sslSocketFactory.getSupportedCipherSuites();
    }

    @Override
    public Socket createSocket(String host, int port) throws IOException {
        Socket socket = sslSocketFactory.createSocket(host, port);
        return disableSSLv3(socket);
    }

    @Override
    public Socket createSocket(InetAddress host, int port) throws IOException {
        Socket socket = sslSocketFactory.createSocket(host, port);
        return disableSSLv3(socket);
    }

    @Override
    public Socket createSocket(InetAddress address, int port, InetAddress localAddress, int localPort) throws IOException {
        Socket socket = sslSocketFactory.createSocket(address, port, localAddress, localPort);
        return disableSSLv3(socket);
    }

    // Layers TLS over an already connected plain socket (used by proxies and HTTP CONNECT tunnels).
    @Override
    public Socket createSocket(Socket s, String host, int port, boolean autoClose) throws IOException {
        Socket socket = sslSocketFactory.createSocket(s, host, port, autoClose);
        return disableSSLv3(socket);
    }

    @Override
    public Socket createSocket(String host, int port, InetAddress localAddress, int localPort) throws IOException {
        Socket socket = sslSocketFactory.createSocket(host, port, localAddress, localPort);
        return disableSSLv3(socket);
    }
}
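As an added example (not code from this issue or from the project), a helper that applies both restrictions discussed in this thread to one SSLSocket: it keeps only TLS protocols and removes the four RC4 cipher suites listed above. It generalizes the protocol step slightly by filtering the supported list rather than the enabled list, so TLS 1.1 and 1.2 (supported but not enabled by default on Android 4.1 to 4.4) are switched on at the same time; the class and method names are assumptions.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLSocket;

// Hypothetical helper: would replace the `disableSSLv3()` step in the custom factory.
public final class KitKatSocketHardening {
    // The four RC4 suites named in this issue. RC4 is deprecated for TLS (RFC 7465).
    private static final List<String> DISALLOWED_CIPHER_SUITES = Arrays.asList(
            "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
            "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
            "TLS_RSA_WITH_RC4_128_SHA",
            "TLS_RSA_WITH_RC4_128_MD5");

    // Keeps only TLS* names, which drops SSLv3 and SSLv2Hello.
    static String[] tlsOnly(String[] protocols) {
        List<String> kept = new ArrayList<>();
        for (String protocol : protocols) {
            if (protocol.startsWith("TLS")) {
                kept.add(protocol);
            }
        }
        if (kept.isEmpty()) {
            // Failure mode: an empty protocol list would fail every handshake; fail loudly instead.
            throw new IllegalStateException("no TLS protocol available on this device");
        }
        return kept.toArray(new String[0]);
    }

    // Drops the listed suites by name and, more generally, any suite that uses RC4.
    static String[] withoutRc4(String[] cipherSuites) {
        List<String> kept = new ArrayList<>();
        for (String suite : cipherSuites) {
            if (!DISALLOWED_CIPHER_SUITES.contains(suite) && !suite.contains("RC4")) {
                kept.add(suite);
            }
        }
        return kept.toArray(new String[0]);
    }

    // Must run before the handshake, i.e. right after the factory creates the socket.
    public static SSLSocket harden(SSLSocket socket) {
        // Supported (not enabled) protocols, so TLSv1.1/TLSv1.2 get enabled on KitKat too.
        socket.setEnabledProtocols(tlsOnly(socket.getSupportedProtocols()));
        socket.setEnabledCipherSuites(withoutRc4(socket.getEnabledCipherSuites()));
        return socket;
    }
}
```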
Updated by Soren Stoutner almost 9 years ago
- Status changed from New to 6
I have decided to close this as `Rejected`. The amount of effort needed to implement this is too large to justify the results. Those worried about man-in-the-middle attacks are advised to upgrade to newer versions of Android (Lollipop, Marshmallow, or Nougat).
Updated by Soren Stoutner almost 9 years ago
I published a news item about this issue at https://www.stoutner.com/kitkat-security-problems/.
Updated by Soren Stoutner over 6 years ago
- Priority changed from 2 to Next Release