Hi Dan,

Thank you! I wrote a simple app that connects to an HTTPS web site, and for the same web site I got the following results:

Cipher Android 2.1: DHE-RSA-AES256-SHA
Cipher Java 1.6: SSL_RSA_WITH_RC4_128_MD5

And the list of available/enabled ciphers for Android is:

[DHE-RSA-AES256-SHA, DHE-DSS-AES256-SHA, AES256-SHA, EDH-RSA-DES-CBC3-SHA, EDH-DSS-DES-CBC3-SHA, DES-CBC3-SHA, DES-CBC3-MD5, DHE-RSA-AES128-SHA, DHE-DSS-AES128-SHA, AES128-SHA, RC2-CBC-MD5, RC4-SHA, RC4-MD5, RC4-MD5, EDH-RSA-DES-CBC-SHA, EDH-DSS-DES-CBC-SHA, DES-CBC-SHA, DES-CBC-MD5, EXP-EDH-RSA-DES-CBC-SHA, EXP-EDH-DSS-DES-CBC-SHA, EXP-DES-CBC-SHA, EXP-RC2-CBC-MD5, EXP-RC2-CBC-MD5, EXP-RC4-MD5, EXP-RC4-MD5]

Some of them are weaker, but I guess that if I have a server that has support for AES256-SHA or some strong cipher, it will use the stronger one and will negotiate a weaker one only if my phone doesn't have stronger ciphers...

On Jun 25, 7:10 pm, Dan Hein <[email protected]> wrote:
> You can test the best encryption level established between yourself and a
> website by pointing your browser (or app code) at
>
> https://www.fortify.net/sslcheck.html
>
> Note that different websites may negotiate weaker encryption. Your app
> could check a whitelist for acceptable/approved ciphers (determined by you)
> using HttpsURLConnection::getCipherSuite().
>
> On Thu, Jun 24, 2010 at 5:19 PM, Amir Alagic <[email protected]> wrote:
> > Hi,
> >
> > I have a few questions about HTTPS security and I really hope that
> > someone can give me answers. I have heard that when we use HTTPS
> > (HttpsURLConnection) in our Android applications, it is possible
> > that our app can send data that is not protected, or protected with
> > very low encryption with the SSL2 protocol, without the end user being
> > aware of it.
> >
> > Is this true? Is there even support for SSL2 in Android? Or is HTTPS
> > on Android safe enough as it is?
