NetCipher + Conscrypt for the best possible TLS


A new NetCipher library has recently been merged: netcipher-conscrypt. In the same vein as the other NetCipher libraries, netcipher-conscrypt wraps the Google Conscrypt library, which provides the latest TLS for any app that includes it. netcipher-conscrypt then lets apps disable old TLS versions like TLSv1.0 and TLSv1.1, as well as disable TLS Session Tickets. This is an alpha release because it only works on recent Android versions (8.1 or newer). The actual functionality works well; the hard part remains making sure that it is possible to inject netcipher-conscrypt as the TLS provider on all Android devices and versions. And the last missing piece is finding the right place in Conscrypt to configure proxying to support Tor or other privacy proxies.

Before Conscrypt, Android apps relied on the Android OS itself to provide TLS. Normally, software uses the TLS provided by the operating system. Since Android devices too often do not get software updates, lots of users are stuck on old TLS versions. So Google split the TLS stack out of Android itself and made the Conscrypt library from it so it can be updated independently. Guardian Project has been taking this approach for almost 10 years, starting with the SQLCipher-for-Android and IOCipher libraries. We are happy to see Google doing this themselves to give us more platform flexibility and security. We plan on using this as a platform for making ESNI (Encrypted SNI) available to all Android apps.

It is exciting to see ideas that we have been championing over the past decade getting mainstream adoption. TLS Session Tickets have always had serious security and privacy issues, and Android 10 now provides an official API for disabling them: android.net.ssl.SSLSockets and android.net.ssl.SSLEngines. And the idea of per-app file encryption, which IOCipher provides, can now be largely provided by the built-in Android File-Based Encryption (FBE).
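As an added example (written for this post, not netcipher-conscrypt's own code; the `HardenedTls` helper and its method names are hypothetical), here is what the two settings described above look like when an app talks to Conscrypt directly: Conscrypt is registered ahead of the platform provider, each socket is restricted to TLSv1.2/TLSv1.3, and session tickets are turned off, using Conscrypt's own setter when the socket is Conscrypt's and the Android 10 `android.net.ssl.SSLSockets` API otherwise.

```java
import android.net.ssl.SSLSockets;
import android.os.Build;
import java.security.Provider;
import java.security.Security;
import java.util.ArrayList;
import java.util.Arrays;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import org.conscrypt.Conscrypt;

/** Hypothetical helper (not the netcipher-conscrypt API): Conscrypt-backed sockets
 *  limited to TLS 1.2/1.3, with TLS Session Tickets turned off. */
public final class HardenedTls {
    private static final String[] WANTED = {"TLSv1.3", "TLSv1.2"};
    /** Register Conscrypt ahead of the platform provider so "TLS" resolves to it. */
    public static SSLContext context() throws Exception {
        if (!Conscrypt.isAvailable()) throw new IllegalStateException("Conscrypt native library missing");
        Provider conscrypt = Conscrypt.newProvider();
        Security.insertProviderAt(conscrypt, 1);
        SSLContext ctx = SSLContext.getInstance("TLS", conscrypt);
        ctx.init(null, null, null); // null = platform trust store for server certificates
        return ctx;
    }
    /** Open a connection and apply the restrictions before the handshake starts. */
    public static SSLSocket connect(String host, int port) throws Exception {
        SSLSocket s = (SSLSocket) context().getSocketFactory().createSocket(host, port);
        harden(s);
        s.startHandshake(); // fails if the server only offers TLSv1.0 or TLSv1.1
        return s;
    }
    static void harden(SSLSocket s) {
        // Keep only the wanted versions this Conscrypt build supports; an unknown
        // protocol name makes setEnabledProtocols throw IllegalArgumentException.
        ArrayList<String> enabled = new ArrayList<>();
        for (String p : WANTED) if (Arrays.asList(s.getSupportedProtocols()).contains(p)) enabled.add(p);
        s.setEnabledProtocols(enabled.toArray(new String[0]));
        // Make the handshake itself verify the certificate against the hostname.
        SSLParameters params = s.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS");
        s.setSSLParameters(params);
        // Session tickets: Conscrypt's own setter first, Android 10's public API as fallback.
        if (Conscrypt.isConscrypt(s)) {
            Conscrypt.setUseSessionTickets(s, false);
        } else if (Build.VERSION.SDK_INT >= 29 && SSLSockets.isSupportedSocket(s)) {
            SSLSockets.setUseSessionTickets(s, false);
        }
    }
}
```

The settings must be applied before `startHandshake()`, since the protocol list and the ticket extension are part of the ClientHello; the Android 10 fallback only helps on devices where the platform socket is used instead of Conscrypt's.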