TLS for Android – News Article
For online merchants, the new PCI standards may affect the usability of their shopping carts on Android phones. Earlier this year two attacks relevant to PCI compliance were discovered: Heartbleed and POODLE. Although it had been known for some time that SSL and early TLS encryption were vulnerable to attacks, they were still allowed through a "downgrade dance": if the highest-level handshake with TLS 1.2 failed, the handshake would step down one version at a time until a connection could be made. So while most communication begins with TLS 1.2, it could end with a connection over TLS 1.0, and that fallback is what allowed users to purchase items through their Android devices. Now that the new vulnerabilities have come to light, the PCI standards have to be changed to remove the use of SSL and early versions of TLS such as 1.0 and 1.1 altogether. This has caused concern for Android phones that do not support TLS 1.2.
Android devices typically update their software twice a year, whereas PCI compliance only updates once every three years. Up until this year, TLS updates have not affected Android updates, because TLS was able to do a "backward dance" to whatever version of TLS worked on each device. This year, however, an attack was found called POODLE (Padding Oracle On Downgraded Legacy Encryption), which attacks a flaw within the SSL protocol itself. Essentially, if an attacker can cause a secure connection attempt to fail, the software falls back to SSL 3.0, which exposes vulnerabilities the attacker can use. For example, the attacker who forced the failure can then mount a man-in-the-middle attack, taking partial control of the client side of the SSL connection while still observing the ciphertext. This attack has forced companies to disable SSL 3.0 and TLS 1.0, preventing a "downward dance" connection from occurring. This causes a problem for Android devices because Android 4.3 (Jelly Bean) does not support TLS 1.2, which means the 31.8% of Android users (roughly 445 million) on Jelly Bean will not be able to use mobile commerce sites to purchase merchandise. The 39.2% of users (roughly 548 million) on Android 4.4 (KitKat) have the ability to use TLS 1.2, but it is not enabled by default; it can be turned on. This may cause an issue for users who don't know how to change the TLS settings on their devices. The latest version of Android, Lollipop, is used by only 21% (almost 294 million) of users, a small share of the people who shop online over mobile.
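The KitKat situation above (TLS 1.2 supported but not enabled by default) is normally handled in the app rather than by the user. As an added example, not HostedPCI's code or part of the original article, the following Java class wraps the platform socket factory so that every HTTPS socket it creates has TLS 1.2 enabled; it assumes the app uses HttpsURLConnection, and the class name Tls12SocketFactory is our own.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.Socket;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import android.os.Build;

// Wraps the default SSLSocketFactory and forces TLSv1.2 on each socket.
// Needed on Android 4.4 (KitKat), where the client supports TLS 1.2
// but does not enable it by default; Lollipop and later enable it already.
public class Tls12SocketFactory extends SSLSocketFactory {
    private static final String[] TLS_V12_ONLY = {"TLSv1.2"};
    private final SSLSocketFactory delegate;

    public Tls12SocketFactory() throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(null, null, null);           // platform default trust store
        this.delegate = ctx.getSocketFactory();
    }

    // Install once at app start-up, e.g. in Application.onCreate().
    // The version gate is an assumption based on the article: Jelly Bean
    // is treated as unable to use TLS 1.2, so only KitKat is patched.
    public static void installIfNeeded() throws Exception {
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.KITKAT
                && Build.VERSION.SDK_INT < Build.VERSION_CODES.LOLLIPOP) {
            HttpsURLConnection.setDefaultSSLSocketFactory(new Tls12SocketFactory());
        }
    }

    // Restrict the socket to TLS 1.2 so no downgrade to TLS 1.0 or SSL 3.0
    // can happen even if a server (or an attacker) offers one.
    private Socket enableTls12(Socket s) {
        if (s instanceof SSLSocket) {
            ((SSLSocket) s).setEnabledProtocols(TLS_V12_ONLY);
        }
        return s;
    }

    @Override public String[] getDefaultCipherSuites() { return delegate.getDefaultCipherSuites(); }
    @Override public String[] getSupportedCipherSuites() { return delegate.getSupportedCipherSuites(); }
    @Override public Socket createSocket(Socket s, String host, int port, boolean autoClose) throws IOException {
        return enableTls12(delegate.createSocket(s, host, port, autoClose));
    }
    @Override public Socket createSocket(String host, int port) throws IOException {
        return enableTls12(delegate.createSocket(host, port));
    }
    @Override public Socket createSocket(String host, int port, InetAddress localHost, int localPort) throws IOException {
        return enableTls12(delegate.createSocket(host, port, localHost, localPort));
    }
    @Override public Socket createSocket(InetAddress host, int port) throws IOException {
        return enableTls12(delegate.createSocket(host, port));
    }
    @Override public Socket createSocket(InetAddress addr, int port, InetAddress localAddr, int localPort) throws IOException {
        return enableTls12(delegate.createSocket(addr, port, localAddr, localPort));
    }
}
```

After `Tls12SocketFactory.installIfNeeded()` runs, a KitKat device negotiates TLS 1.2 with a merchant site that has disabled SSL 3.0 and TLS 1.0, instead of failing the handshake.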
Because of these attacks, companies have until June 30, 2016, to have a plan in place to move away from TLS 1.0 and 1.1 to the new standard, TLS 1.2. This means that after June 30, 2016, phones that are not compatible with TLS 1.2 will not be able to make outgoing connections to companies in order to purchase merchandise. HostedPCI is working on a solution for companies that will have the smallest possible impact on mobile users. Stay tuned for further information on our TLS solution.