Core Apps » ChatSecure:Android

Packet analysis from test server starting with 'Client Hello' performed with latest ChatSecure APK and contrasted to functional baseline found in PSI desktop. Issue identified within ChatSecure as failure at the protocol level. TLSv1 (SSL 3.1) is highest protocol offered. ChatSecure missing required TLS Protocol 1.2 (RFC5246 - https://www.ietf.org/rfc/rfc5246.txt) as released August 2008.

NOTES:
TLSv1.0 is not an completely secure protocol with which to encrypt sensitive data. Adoption of TLSv1.2 strongly recommended. Special concern should be had should communications involve payment processing, healthcare information, or other sensitive data.

REFERENCE:
NIST Special Publication 800-52 Revision 1: Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations
Published: April 28, 2014
Path: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r1.pdf
Page Vi - Footnote - ..."TLS versions 1.1 and 1.2 are approved for the protection of Federal information, when properly configured."
Page 7 - "..It also recommends that agencies develop migration plans to TLS 1.2, configured using Approved schemes and algorithms, by January 1, 2015."

Summary:
Issue able to be resolved by ChatSecure adopting RFC5246

Note: ChatSecureAndroid source commits state that TLSv1.1 and TLSv1.2 support was added with 14.0.6 / 2014-11-04.

Update: Validated TLS1.2 connectivity with Android 6.0.1.

Remains at TLS1.0 with Android 4.4.4

Issue appears to be Android 4.4.x (and under) code related, whereas TLS1.1 and TLS1.2 is not enabled by default in Android.

Android major platform release {KITKAT_Watch (API 20) / LOLLIPOP (API 21)} re-enabled by default TLSv1.1 and TLSv1.2

Question: Is there any solution for SecureChat to operating TLSv1.2 on an Android with API Level less than 20?

-------
Android Code adjustment to re-enable TLSv1.1/TLSv1.2: https://code.google.com/p/android/issues/detail?id=61085#c6
SSL Socket - Android API - https://developer.android.com/reference/javax/net/ssl/SSLSocket.html
API LEVELS - https://developer.android.com/guide/topics/manifest/uses-sdk-element.html

Verified TLSv1.1 & TLS1.2 available through SSLLabs browser test on Android 4.4.4 (Firefox).

While not a programmer, pertinent discussion on this specific subject was located that suggests the following:

In order for the application to leverage TLSv1.1 & TLSv1.2 between API Level 16 through 20, remediation may be conducted through implementation of a custom SSLSocketFactory that will proxy all calls to a default SSLSocketFactory implementation. Overriding all createSocket methods and callsetEnabledProtocols on the returned SSLSocket is necessary in order to enable this security model.

Value toward offering this approach towards enhancing security through ChatSecure is identified through the common Android dashboard. It is noted API 16-20 occupies 45.9% of the Android market as of 8/1/2016. Thus, development of this recommended change (or function providing similar outcome) is seen as offering enhancement to a strong community and would thus provide a much higher level of transport level security not otherwise available to that market.

Thank you for your time in reviewing this issue.

Sincerely,

Arch Beard

REFERENCE:
https://developer.android.com/about/dashboards/index.html#Platform
https://blog.dev-area.net/2015/08/13/android-4-1-enable-tls-1-1-and-tls-1-2/