Using TLS on Android 4.4 with Xamarin

Android 4.4 does not by default support TLS versions greater than 1.0. This can be an issue if you are developing a mobile app that needs to call an API over SSL that uses a more recent version of TLS.

TLS 1.0 is generally regarded as insecure, and you should use a more recent version.

There are a number of options available. I will focus on two of them: updating the security provider and using a different HTTP client.

Updating the security provider

With some devices it is not possible to update their Android version, but you can still update their Google Play Services, which in turn updates their security provider to allow the use of TLS > 1.0 on older devices.

MainActivity.cs

    using Android.Content;
    using Android.Gms.Common;
    using Android.Gms.Security;
    using Android.OS;

    // The activity must implement the ProviderInstaller.IProviderInstallListener interface
    public class MainActivity : global::Xamarin.Forms.Platform.Android.FormsAppCompatActivity, ProviderInstaller.IProviderInstallListener
    {
        public void OnProviderInstallFailed(int errorCode, Intent recoveryIntent)
        {
            // Provider is not installed. Attempt to install it from the Google Play store.
            GoogleApiAvailability api = GoogleApiAvailability.Instance;
            if (api.IsUserResolvableError(errorCode))
            {
                // Shows the built-in dialog that sends the user to update Google Play Services
                api.ShowErrorDialogFragment(this, errorCode, 1);
            }
        }

        public void OnProviderInstalled()
        {
            // Provider is up to date; nothing further to do before calling the API.
        }

        protected override void OnCreate(Bundle savedInstanceState)
        {
            TabLayoutResource = Resource.Layout.Tabbar;
            ToolbarResource = Resource.Layout.Toolbar;
            base.OnCreate(savedInstanceState);

            // Install the provider if needed; the result arrives in the two callbacks above
            ProviderInstaller.InstallIfNeededAsync(ApplicationContext, this);

            global::Xamarin.Forms.Forms.Init(this, savedInstanceState);
            LoadApplication(new App());
        }
    }

General workflow (the example will probably need to be adapted to the workflow of your app):

  • Attempt to use the updated security provider:
    • If the updated security provider is installed, then continue as normal.
    • If the updated security provider is not installed:
      • Can it be installed?
        • No - display error message / log error etc. This has only happened to me when I have no network connection.
        • Yes
          • Open a built-in error dialog that states this app needs to update the Google Play Services.
          • If the device is not attached to a Google account, the user will be prompted to create an account, or use an existing one.
          • The user will be taken to the Google Play store and the Google Play Services will start to download and install.
          • Once installed the user can go back into the app and call the API.

Some gotchas:

  • Newer devices (Android >4.4) don’t need to update the security provider, but if we prompt the device to, it will still update the services if required. We could test for the Android version before trying to update the security provider.
  • The whole process adds app complexity, and taking the user to the app store is a little cumbersome.
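One way to combine the workflow and the version check from the first gotcha, as an added example that is not code from the original post: `SecurityProviderGate` is a hypothetical helper that skips the installer on newer devices and lets API code wait for the outcome. The Lollipop threshold follows the page's statement that only Android 4.4 and below need the update.

```csharp
// Added example, not from the original post. SecurityProviderGate is a hypothetical helper.
using System.Threading.Tasks;
using Android.App;
using Android.Content;
using Android.Gms.Common;
using Android.Gms.Security;
using Android.OS;

public sealed class SecurityProviderGate : Java.Lang.Object, ProviderInstaller.IProviderInstallListener
{
    private const int RecoveryRequestCode = 1; // same request code the page's example passes
    private readonly Activity _activity;
    private readonly TaskCompletionSource<bool> _ready = new TaskCompletionSource<bool>();

    public SecurityProviderGate(Activity activity) => _activity = activity;

    // True once the provider is usable, false if it could not be installed.
    public Task<bool> Ready => _ready.Task;

    public void Start()
    {
        // Assumption taken from the page: only Android 4.4 and below need the updated provider.
        if (Build.VERSION.SdkInt >= BuildVersionCodes.Lollipop)
        {
            _ready.TrySetResult(true);
            return;
        }
        ProviderInstaller.InstallIfNeededAsync(_activity.ApplicationContext, this);
    }

    public void OnProviderInstalled() => _ready.TrySetResult(true);

    public void OnProviderInstallFailed(int errorCode, Intent recoveryIntent)
    {
        GoogleApiAvailability api = GoogleApiAvailability.Instance;
        if (api.IsUserResolvableError(errorCode))
        {
            // The user is sent to update Google Play Services; call Start() again from OnResume.
            api.ShowErrorDialogFragment(_activity, errorCode, RecoveryRequestCode);
        }
        else
        {
            // Not recoverable (for example no network): fail closed rather than call the API over TLS 1.0.
            _ready.TrySetResult(false);
        }
    }
}
```

Create the gate in `OnCreate`, call `Start()`, and have the code that calls the API await `Ready` first, showing an error instead of sending the request when it returns false.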

Different HTTP Client

Within the mobile app code, use a different HTTP client. By default Xamarin apps use an HTTP client that does not support TLS > 1.0 on older versions of Android.

To change the HTTP client, there is a project option to use Xamarin’s own HTTP client:

  • Android Project -> Properties -> Android Options -> Advanced -> HttpClient implementation = Managed
  • Also make sure SSL/TLS implementation is set to ‘Default (Native TLS 1.2+)’
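A check that the project options took effect on an Android 4.4 device, as an added example that is not code from the original post: `TlsProbe` is a hypothetical helper and the host is whatever API the app calls. It assumes `SslStream` uses the same SSL/TLS implementation selected in the project options as the managed HTTP client does.

```csharp
// Added example, not from the original post. TlsProbe is a hypothetical helper.
using System;
using System.IO;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Threading.Tasks;

public static class TlsProbe
{
    // Offers only TLS 1.1 and 1.2 and returns the protocol the server and device agreed on.
    // Certificate validation is left at its default (enabled).
    public static async Task<SslProtocols> NegotiateAsync(string host, int port = 443)
    {
        using (var tcp = new TcpClient())
        {
            await tcp.ConnectAsync(host, port);
            using (var ssl = new SslStream(tcp.GetStream(), leaveInnerStreamOpen: false))
            {
                await ssl.AuthenticateAsClientAsync(
                    host, null, SslProtocols.Tls11 | SslProtocols.Tls12,
                    checkCertificateRevocation: false);
                return ssl.SslProtocol;
            }
        }
    }

    // True when the device can complete a handshake above TLS 1.0 with the given host.
    public static async Task<bool> SupportsTlsAbove10Async(string host)
    {
        try
        {
            SslProtocols negotiated = await NegotiateAsync(host);
            return negotiated == SslProtocols.Tls11 || negotiated == SslProtocols.Tls12;
        }
        catch (Exception ex) when (ex is AuthenticationException || ex is IOException
                                   || ex is SocketException || ex is NotSupportedException)
        {
            // Handshake or connection failed: treat as "cannot use TLS > 1.0" and log ex.
            return false;
        }
    }
}
```

Run it once from a debug build against your API host and log the result; a false return on a 4.4 device means the app would not reach an API that has TLS 1.0 disabled.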

Other options

There are some other options, though none of them is ideal and each should be carefully thought through before being used:
  • Use version 1.0 of TLS on our APIs. Some cloud providers (e.g. Azure and Cloudflare) allow us to use either version 1.0, 1.1 or 1.2 of TLS.
    • Pros:
      • Quick to implement
    • Cons:
      • Insecure
      • Hosting companies may remove support for version 1.0, so our APIs would not be able to support it.
  • Use version 1.0 of TLS on our APIs, but encrypt/decrypt the data before we send/receive it
    • Pros:
      • More secure than just using TLS 1.0
    • Cons:
      • Additional development work on both the API and mobile app
      • Only the data will have additional encryption. The message structure, headers etc. will still only be protected by TLS 1.0
  • Stop supporting Android devices <=4.4
    • Pros:
      • Wouldn’t require any additional development work
    • Cons:
      • Would limit the devices that apps can work on.
  • Update the mobile device’s OS.
    • Pros:
      • On devices that support this, it is a straightforward solution. Within the app code we can check for a minimum version.
    • Cons:
      • Many of the devices we use do not support updating the OS version.

Written by: Alex Orpwood

Software developing and architecting for 20 years. Satellite monitoring by day, writing my own app by night.