https://bugs.kde.org/show_bug.cgi?id=400883

            Bug ID: 400883
           Summary: Support TLS 1.2 in Android application
           Product: kdeconnect
           Version: unspecified
          Platform: Android
                OS: Android 7.x
            Status: REPORTED
          Severity: normal
          Priority: NOR
         Component: android-application
          Assignee: [email protected]
          Reporter: [email protected]
  Target Milestone: ---

SUMMARY
The kdeconnect Android app should support TLS 1.2 in order to provide good/better
security.
Because this is a remote control application, I would consider this a security
sensitive application, and expect it to use relatively strong encryption. 

TLS 1.0 and 1.1 are being actively deprecated for credit card processing, and
by all major browsers. These older TLS versions include weaker ciphers and
SHA1, which make them potentially vulnerable to downgrade attacks.
https://redmondmag.com/articles/2018/10/15/browsers-drop-support-for-tls-1.aspx

Android 4.1 added TLS 1.2 support back in 2012.
So this implies dropping support for Android 4.0, whose current market share is 0.3%
https://www.statista.com/statistics/271774/share-of-android-platforms-on-mobile-devices-with-android-os/


STEPS TO REPRODUCE
1. Connect a phone using kdeconnect for Android to a Linux computer using the
GSConnect gnome-shell extension
2. Capture traffic using Wireshark
3. Verify TLS version

OBSERVED RESULT
TLSv1.0

EXPECTED RESULT
TLSv1.2 or TLSv1.3

SOFTWARE/OS VERSIONS
Android: 7.1
Linux: Debian 9
gnome-shell 3.30.1


ADDITIONAL INFORMATION
