KitKat and TLSv1.2

TLSv1.2 came out in 2008 but Android didn’t get support for it until Android 5 in 2014. Previous releases including Android 4.4 KitKat support up to TLSv1.1 by default.

KitKat’s old TLSv1.1 isn’t secure enough and so its retirement has been planned for a long time. RFC 7525 said this in 2015:

“Implementations MUST support TLS 1.2 and MUST prefer to negotiate TLS version 1.2 over earlier versions of TLS.

Rationale: Several stronger cipher suites are available only with TLS 1.2. In fact, the cipher suites recommended by this document are only available in TLS 1.2.”

Browsers are shutting off TLSv1.1 right now.

SSL Labs started limiting grades to ‘B’ for HTTPS sites that still offer TLSv1.1. Early this year Chrome, Safari, Firefox, and Edge will require TLSv1.2 or better.

Keep KitKat?

If you maintain an app that runs on KitKat, you have options:

  • Continue to use TLSv1.1. Webservers can support many versions of TLS simultaneously and so you can offer TLSv1.1 to KitKat users and TLSv1.2 to everyone else.

  • Hook up Google Play Services’ ProviderInstaller. This lets you run TLSv1.2 on KitKat devices that have Play Services set up. See Ankush Gupta’s guide for instructions.

  • Embed Conscrypt. You can include a copy of Conscrypt, a library from Google that integrates BoringSSL with Java. This adds about 3 MiB to your APK and you’ll need to remember to keep Conscrypt itself up-to-date. This StackOverflow answer describes what to do.

Code that targets KitKat is limited to OkHttp 3.12.x. Newer releases require Android 5 or newer!

Kill KitKat!

Android 5 came out in 2014. Devices like 2012’s Nexus 4 and 2013’s Galaxy S4 were updated to Android 5.

You could just stop shipping app updates to these dinosaurs and that will be okay. Just remember to keep TLSv1.1 enabled on your web servers.