Bug 400883

Summary: Support TLS 1.2 in Android application
Product: [Applications] kdeconnect Reporter: guillaume+kde.org
Component: android-application    Assignee: Albert Vaca Cintora <albertvaka>
Status: RESOLVED FIXED    
Severity: normal CC: nicolas.fella
Priority: NOR    
Version First Reported In: unspecified   
Target Milestone: ---   
Platform: Android   
OS: Android 7.x   
Latest Commit: Version Fixed/Implemented In:
Sentry Crash Report:

Description guillaume+kde.org 2018-11-09 19:44:27 UTC
SUMMARY
kdeconnect android app should support TLS 1.2 in order to provide good/better security. 
Because this is a remote control application, I would consider this a security sensitive application, and expect it to use relatively strong encryption. 

TLS 1.0 and 1.1 are being actively deprecated for credit card processing, and by all major browsers. These older TLS versions include weaker ciphers, and SHA1, which makes them potentially vulnerable to downgrade attacks.
https://redmondmag.com/articles/2018/10/15/browsers-drop-support-for-tls-1.aspx

Android 4.1 added TLS 1.2 support back in 2012. 
So this implies dropping support for Android 4.0, whose current market share is 0.3%
https://www.statista.com/statistics/271774/share-of-android-platforms-on-mobile-devices-with-android-os/


STEPS TO REPRODUCE
1. Connect a phone using kdeconnect for Android to a Linux computer using the GSConnect gnome-shell extension
2. Capture traffic using Wireshark
3. Verify TLS version

OBSERVED RESULT
TLSv1.0

EXPECTED RESULT
TLSv1.2 or TLSv1.3

SOFTWARE/OS VERSIONS
Android: 7.1
Linux: Debian 9
gnome-shell 3.30.1


ADDITIONAL INFORMATION

Comment 1 guillaume+kde.org 2019-02-10 13:14:47 UTC
Hi, 

Could you please confirm which version includes the fix? 

I checked updates using F-Droid to ensure I was using the latest available, i.e. KDE Connect 10.0.1; however, it appears the issue persists.

Using Wireshark again I see the Gnome Shell extension initiates the connection with a Client Hello with TLS version 1.2, however the phone replies with a Server Hello with TLS version 1.0.

This suggests my computer does attempt a TLS connection with version 1.2, but the application is only able to reply with version 1.0.
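Added example (not code from the bug report or from KDE Connect): a Python check that performs step 3 of the report programmatically, parsing a captured ServerHello record and reporting the version the server actually selected, then flagging anything below the TLS 1.2 floor the reporter asks for. It goes slightly beyond the report by also handling TLS 1.3, where the selected version is carried in the supported_versions extension rather than the legacy version field. The sample records are constructed inline rather than captured; all function and constant names are this example's own.

```python
"""Added example (not part of the KDE bug report or the KDE Connect code base):
extract the negotiated TLS version from a ServerHello record, the check the
report performs with Wireshark, and flag anything below TLS 1.2.
Sample records are constructed here, not captured from KDE Connect."""
import struct

# TLS version bytes as they appear on the wire -> human-readable name
TLS_VERSIONS = {
    (3, 1): "TLSv1.0",
    (3, 2): "TLSv1.1",
    (3, 3): "TLSv1.2",
    (3, 4): "TLSv1.3",
}
MIN_ACCEPTABLE = (3, 3)  # TLS 1.2, the floor the report asks for

CONTENT_HANDSHAKE = 0x16
HANDSHAKE_SERVER_HELLO = 0x02
EXT_SUPPORTED_VERSIONS = 0x002B


def build_server_hello(legacy_version, selected_version=None):
    """Construct a minimal TLS record carrying a ServerHello (test data only).

    legacy_version is the (major, minor) pair in the ServerHello body. A TLS 1.3
    server keeps that field at (3, 3) and signals 1.3 in the supported_versions
    extension, which is what selected_version models.
    """
    body = bytes(legacy_version) + b"\x00" * 32      # legacy_version + random
    body += b"\x00"                                  # empty session_id
    body += b"\x00\x2f"                              # cipher suite (value irrelevant here)
    body += b"\x00"                                  # null compression method
    if selected_version is not None:
        ext = struct.pack("!HH", EXT_SUPPORTED_VERSIONS, 2) + bytes(selected_version)
        body += struct.pack("!H", len(ext)) + ext
    handshake = bytes([HANDSHAKE_SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    # The record-layer version is a legacy field as well; reuse legacy_version.
    return (bytes([CONTENT_HANDSHAKE]) + bytes(legacy_version)
            + struct.pack("!H", len(handshake)) + handshake)


def negotiated_version(record):
    """Return the (major, minor) version the server actually selected.

    Walks record header -> handshake header -> ServerHello body, then prefers
    supported_versions if present (TLS 1.3 rule), else the legacy_version field.
    """
    if len(record) < 5 or record[0] != CONTENT_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != HANDSHAKE_SERVER_HELLO:
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) < 38:
        raise ValueError("truncated ServerHello")
    legacy = (body[0], body[1])
    pos = 34                                   # skip legacy_version + 32-byte random
    sid_len = body[pos]
    pos += 1 + sid_len                         # session_id
    pos += 2 + 1                               # cipher_suite + compression_method
    if pos + 2 <= len(body):                   # extensions block is optional
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            if etype == EXT_SUPPORTED_VERSIONS and elen == 2:
                return (body[pos], body[pos + 1])
            pos += elen
    return legacy


def check_server_hello(record):
    """Return (version name, acceptable?) against the TLS 1.2 floor."""
    ver = negotiated_version(record)
    name = TLS_VERSIONS.get(ver, "unknown %d.%d" % ver)
    return name, ver >= MIN_ACCEPTABLE


if __name__ == "__main__":
    # Constructed samples: what the report observed (1.0) and what it expects (1.2, 1.3)
    for sample in (build_server_hello((3, 1)),
                   build_server_hello((3, 3)),
                   build_server_hello((3, 3), selected_version=(3, 4))):
        name, ok = check_server_hello(sample)
        print(name, "OK" if ok else "BELOW TLS 1.2 FLOOR")
```

To use this on real traffic, feed negotiated_version the bytes of the first handshake record the server sends (the ServerHello) as exported from Wireshark; the check treats the version in the record header as untrustworthy and reads only the ServerHello body, because the record header and legacy field still say 1.2 when 1.3 is negotiated.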
Comment 2 Nicolas Fella 2019-02-10 14:28:13 UTC
The fix is currently in master and not released yet