Chandoo, my one concern might be if a so-called hybrid app used Chrome Custom Tabs:
https://developer.chrome.com/multidevice/android/customtabs since they behavior like Chrome more than WebView. -bri On Tue, Oct 9, 2018 at 3:49 AM C <mr.chan...@gmail.com> wrote: > Thank you Ryan for your quick response. > > @Brain - based on your response and Ryan’s can we conclude that Symantec > cert distrust will not impact Hybrid mobile apps at this point ? > > Or am I missing anything here ? > > Regards, > Chandoo > +91-93470-93470 > > On 9 Oct 2018, at 10:48, Ryan Sleevi <sle...@google.com> wrote: > > The handling of certificates issued by the Symantec Legacy PKI is > observing the same approach that was taken with the deprecation of SHA-1 > certificates. > > Chrome on Android follows the behaviour of Chrome mobile and desktop > platforms, and will be removing trust in the Symantec Legacy PKI. > WebView on Android follows the Android SDK expectations when possible, and > thus support for SHA-1 certificates and the Symantec Legacy PKI is/will-be > removed as the Android Platform and/or SDKs do so. > > For the latest details for the Chrome timeline, > https://sites.google.com/a/chromium.org/dev/Home/chromium-security/symantec-legacy-pki > is available. > Unittests exist within the Chromium repository to ensure that WebView on > Android matches those expectations, and are at > https://chromium.googlesource.com/chromium/src/+/df64c92360495ab98876e131fb0be3b800039a44/android_webview/browser/net/aw_url_request_context_getter_unittest.cc#100 > > On Tue, Oct 9, 2018 at 1:10 AM Brian Carlstrom <b...@google.com> wrote: > >> +chrome-root-authority-program who i'm told can comment on questions >> about Chrome & CAs. >> >> chrome-root-authority-program, can you help with this public question on >> how Symantec SSL cert distrust will affect Chrome on Android as well as >> WebView on Android. Are they using the platform CA list or one that is part >> of Chrome / WebView or? >> >> -bri >> >> On Mon, Oct 8, 2018 at 1:51 PM Chandoo <mr.chan...@gmail.com> wrote: >> >>> much appreciated >>> >>> On Tue, Oct 9, 2018 at 12:06 AM Brian Carlstrom <b...@google.com> wrote: >>> >>>> I'll try to find someone from Chrome who can speak to the WebView and >>>> Chrome on Android impact for hybrid scenarios. I'll note that we aren't >>>> planning a platform change to remove CAs on existing devices. >>>> >>>> -bri >>>> >>>> On Fri, Oct 5, 2018 at 2:17 PM Chandra Sekhar Walajapet < >>>> mr.chan...@gmail.com> wrote: >>>> >>>>> Hi Brian, with the chrome 70 release around the corner, do you know if >>>>> this will affect hybrid mobile applications using cordova/phonegap will be >>>>> affected on the same day ? >>>>> >>>>> On Monday, September 17, 2018 at 10:38:21 PM UTC+5:30, Brian Carlstrom >>>>> wrote: >>>>>> >>>>>> Nothing specific I'm aware of yet, even a timeline to have a >>>>>> timeline. I'll circle back with the team and see if I can get more >>>>>> details. >>>>>> >>>>>> -bri >>>>>> >>>>>> On Wed, Sep 12, 2018 at 12:32 PM Anu <ary...@gmail.com> wrote: >>>>>> >>>>>>> Hi Brian, >>>>>>> >>>>>>> Is there any date from when Android will distrust Symantec SSL >>>>>>> certificates? >>>>>>> >>>>>>> Anu >>>>>>> >>>>>>> On Thursday, 17 May 2018 08:20:35 UTC+3, Brian Carlstrom wrote: >>>>>>>> >>>>>>>> Android is planning to follow Chrome's lead and will stop trusting >>>>>>>> Symantec-issued certificates in a future update. Our current plans >>>>>>>> are not >>>>>>>> to do this in P, but you should see the removal in a future platform >>>>>>>> version. >>>>>>>> >>>>>>>> -bri >>>>>>>> >>>>>>>> On Thu, May 10, 2018 at 5:07 PM Campbell Moss <campbe...@gmail.com> >>>>>>>> wrote: >>>>>>>> >>>>>>>>> Regarding the Symantec SSL cert distrust that was announced in >>>>>>>>> September 2017 ( >>>>>>>>> https://security.googleblog.com/2018/03/distrust-of-symantec-pki-immediate.html) >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> Clearly this affects the Chrome browser, but I was wondering what >>>>>>>>> impact if any there will be on Android native apps. Specifically: >>>>>>>>> >>>>>>>>> - HTTPS connections initiated by native Android apps >>>>>>>>> (HttpsURLConnection etc.) >>>>>>>>> - Webview components (android.webkit.WebView etc.) >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> I’ve looked through the documentation but can only find >>>>>>>>> information on the Chrome browser. Is there any information on if / >>>>>>>>> when >>>>>>>>> Android native HTTPS APIs will start rejecting Symantec-issued SSL >>>>>>>>> certs? >>>>>>>>> >>>>>>>>> -- >>>>>>>>> You received this message because you are subscribed to the Google >>>>>>>>> Groups "Android Security Discussions" group. >>>>>>>>> To unsubscribe from this group and stop receiving emails from it, >>>>>>>>> send an email to >>>>>>>>> android-security-discuss+unsubscr...@googlegroups.com. >>>>>>>>> Visit this group at >>>>>>>>> https://groups.google.com/group/android-security-discuss. >>>>>>>>> For more options, visit https://groups.google.com/d/optout. >>>>>>>>> >>>>>>>> -- >>>>>>> You received this message because you are subscribed to the Google >>>>>>> Groups "Android Security Discussions" group. >>>>>>> To unsubscribe from this group and stop receiving emails from it, >>>>>>> send an email to >>>>>>> android-security-discuss+unsubscr...@googlegroups.com. >>>>>>> Visit this group at >>>>>>> https://groups.google.com/group/android-security-discuss. >>>>>>> For more options, visit https://groups.google.com/d/optout. >>>>>>> >>>>>> -- >>>>> You received this message because you are subscribed to the Google >>>>> Groups "Android Security Discussions" group. >>>>> To unsubscribe from this group and stop receiving emails from it, send >>>>> an email to android-security-discuss+unsubscr...@googlegroups.com. >>>>> Visit this group at >>>>> https://groups.google.com/group/android-security-discuss. >>>>> For more options, visit https://groups.google.com/d/optout. >>>>> >>>> >>> >>> -- >>> Regards, >>> Chandoo +44 7795090794 >>> >> -- >> You received this message because you are subscribed to the Google Groups >> "chrome-root-authority-program" group. >> To unsubscribe from this group and stop receiving emails from it, send an >> email to chrome-root-authority-program+unsubscr...@google.com. >> To post to this group, send email to >> chrome-root-authority-prog...@google.com. >> To view this discussion on the web visit >> https://groups.google.com/a/google.com/d/msgid/chrome-root-authority-program/CANUZ-edyX-LBQmFQOTjsxALLef%2BdZY%3Di8imPfkZNai7%2Bs%3D_T5Q%40mail.gmail.com >> <https://groups.google.com/a/google.com/d/msgid/chrome-root-authority-program/CANUZ-edyX-LBQmFQOTjsxALLef%2BdZY%3Di8imPfkZNai7%2Bs%3D_T5Q%40mail.gmail.com?utm_medium=email&utm_source=footer> >> . >> > -- You received this message because you are subscribed to the Google Groups "Android Security Discussions" group. To unsubscribe from this group and stop receiving emails from it, send an email to android-security-discuss+unsubscr...@googlegroups.com. Visit this group at https://groups.google.com/group/android-security-discuss. For more options, visit https://groups.google.com/d/optout.
