Secure those bits!

The Android security team has been hard at work building new tools to help developers protect user data in transit.  :)  Yesterday Alex posted about two great features that shipped last year in M:

https://security.googleblog.com/2016/04/protecting-against-unintentional.html

I'm particularly proud of the strategy I came up with to help detect any plaintext traffic leaving an app using a complex pile of iptables rules.  It's super easy to enable detection in your app with just one method call to this new StrictMode API:

https://developer.android.com/reference/android/os/StrictMode.VmPolicy.Builder.html#detectCleartextNetwork()

And here's the guts of where the iptables rules are generated, using the powerful u32 module to do "shallow" packet inspection; both IPv4/v6 and TCP/UDP are supported:

https://android.googlesource.com/platform/system/netd/+/master/server/StrictController.cpp

Since it does bit banging to sniff out the explicit SSL 3.1 (TLS 1.0) signature, I don't recommend shipping it enabled in production, as that version number might increment in the future.
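
As an added illustration (not code from netd or from this post), here is the same kind of shallow inspection written in C over constructed IPv4/TCP packets. The three-byte match (handshake record type 0x16, version bytes 0x03 0x01) and all function names are assumptions of this example; it also shows the version-pinning caveat, since a record carrying version 3.3 is classified as cleartext.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum verdict { NOT_TCP, TOO_SHORT, TLS_HANDSHAKE, CLEARTEXT };

/* Classify the first data segment of an IPv4/TCP flow using only header
 * length fields and the first three payload bytes (no reassembly). */
enum verdict classify(const uint8_t *pkt, size_t len) {
    if (len < 20 || (pkt[0] >> 4) != 4) return NOT_TCP;
    size_t ihl = (size_t)(pkt[0] & 0x0F) * 4;        /* IPv4 header length */
    if (ihl < 20 || pkt[9] != 6 || len < ihl + 20) return NOT_TCP;
    size_t doff = (size_t)(pkt[ihl + 12] >> 4) * 4;  /* TCP data offset */
    if (doff < 20 || len < ihl + doff) return NOT_TCP;
    const uint8_t *p = pkt + ihl + doff;
    if (len - ihl - doff < 3) return TOO_SHORT;
    /* Pinned signature: handshake record (0x16), version 3.1 (0x03 0x01). */
    if (p[0] == 0x16 && p[1] == 0x03 && p[2] == 0x01) return TLS_HANDSHAKE;
    return CLEARTEXT;
}

/* Wrap a payload in a constructed IPv4/TCP packet carrying `opt` bytes of
 * TCP options (multiple of 4, at most 40), then classify it. */
enum verdict classify_payload(size_t opt, const void *payload, size_t n) {
    uint8_t pkt[20 + 60 + 64] = {0};
    if (opt > 40 || opt % 4 || n > 64) return NOT_TCP;
    pkt[0] = 0x45;                                   /* IPv4, IHL = 5 words */
    pkt[9] = 6;                                      /* protocol = TCP */
    pkt[20 + 12] = (uint8_t)(((20 + opt) / 4) << 4); /* data offset */
    memcpy(pkt + 40 + opt, payload, n);
    return classify(pkt, 40 + opt + n);
}

int main(void) {
    static const char *names[] = {"not-tcp", "too-short", "tls", "cleartext"};
    /* Constructed sample payloads, not captured traffic. */
    const char hello31[] = "\x16\x03\x01\x00\x2f";  /* record version 3.1 */
    const char hello33[] = "\x16\x03\x03\x00\x2f";  /* record version 3.3 */
    const char http[] = "GET / HTTP/1.1\r\n";
    printf("3.1 record:       %s\n", names[classify_payload(0, hello31, 5)]);
    printf("3.1 with options: %s\n", names[classify_payload(12, hello31, 5)]);
    printf("3.3 record:       %s\n", names[classify_payload(0, hello33, 5)]);
    printf("HTTP request:     %s\n", names[classify_payload(0, http, 16)]);
    return 0;
}
```

The payload offset is derived from the IPv4 and TCP length fields, so the match still lands on the record header when TCP options are present.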