TLS for Android

For online merchants the new PCI standards may effect the usability of their shopping carts on Android phones. Earlier this year two attacks related to PCI compliance where discovered, they were Heartbleed and POODLE. While it had been discovered in the past that SSL and early TLS encryption were vulnerable to attacks, they were still allowed to be used with a downgrade – dance, if the highest level handshake with TLS 1.2 failed, the handshake would downgrade until the connection could be made securely. While most communication begins with TLS 1.2, it could end with a secure connection with TLS 1.0, which allows user the ability to purchase items through their Android devices. Now that the new vulnerabilities have come to light the PCI standards have to be changed to remove the use of SSL and early stages of TLS such as 1.0 and 1.2 all together. This has now caused the concerns for Android phones that do not use TLS 1.2.

Android devices typically updated their software twice a year, where as PCI compliance only updates once every three years. Up until this year TLS updates have not affected the android updates, because TLS was able to do a “backwards-dance” to what ever version of TLS worked on each device. This year however, an attacked was found called POODLE( Padding Oracle On Downgrading Legacy Encryption) which attacks the flaw within the SSL protocol itself. Essentially if an attacker can prompt a secure connections failure the software will default back to SSL 3.0 which opens up new vulnerabilities that the attacker can use. For example the individual who was able to force the failure can now attempt a new attack known as man-in-the-middle attack by taking partial control of the user side of SSL and still have visibility of the ciphertext. This attack has forced companies to disable SSL 3.0/ TLS 1.0 preventing a  “downwards dance” connection from occurring. This causes a problem for Android devices because Android 4.3 (Jelly Bean) does not support TLS 1.2, which means 31.8%(roughly 445 million) of android users that use jelly bean will not be able to use mobile commerce sites in order to purchase merchandise. Although the 39.2%( roughly 548 million) of Android 4.4 (KitKat) user have the ability to use TLS 1.2 it is not compatible by default the ability to use TLS 1.2 can be turned on. This may cause an issue for users that don’t know how to change the TLS settings on their devices. The latest version of Android known as Lollipop is only used by 21%(almost 294 million)  of individuals which is a small amount of people that do shop online over mobile.

Due to the recent attacks found companies have until June 30, 2016 to have a plan in place to switch away from TLS 1.0 and 1.1 and move to the new standard TLS 1.2. This means that after June 30, 2016 phones that are not compatible with TLS 1.2 will not be able make out going calls to companies in order to purchase merchandise. HostedPCI is working on a solution for companies in order to have the smallest amount of impact on mobile users. Stay tuned for further information on our TLS solution.