Official Android library for CT

Alvin Dizon

Oct 3, 2024, 8:01:36 AM
to certificate-transparency
Is there going to be an official solution for CT on Android? https://github.com/appmattus/certificatetransparency seems to be the de facto library to use now but is dependent on one developer. iOS seems to have it enabled since iOS 12.

Roger Ng

Oct 8, 2024, 10:47:22 AM
to certificate-transparency
Hi Alvin,

We're actively working on a solution, and we'll have more details to share soon. Stay tuned.

Cheers,
Roger

Alvin Dizon

Oct 9, 2024, 12:11:36 AM
to certificate-...@googlegroups.com

Hi Roger,

Thanks, this is great news!


--
You received this message because you are subscribed to a topic in the Google Groups "certificate-transparency" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/certificate-transparency/ofE05kCAtIk/unsubscribe.
To unsubscribe from this group and all its topics, send an email to certificate-transp...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/certificate-transparency/459721ab-29ba-4e33-baf2-055182eb1525n%40googlegroups.com.

Matthew Dolan

Feb 2, 2025, 4:04:41 PM
to certificate-transparency
Hi Roger,

Is there any more information on this?

I saw that an entry was added to the Network Security Config, https://developer.android.com/privacy-and-security/security-config#certificateTransparency, however, as far as I could see, when looking through AOSP the flag didn't seem to actually be used anywhere!

Indeed, writing a quick demo app that hits example.com and no-sct.badssl.com implies the flag does nothing on API 35 and Baklava.

The documentation is also somewhat limited; while the code in network security config looks to be added in API 35, will there be a minimum supported API or is the functionality going to be back-ported to older APIs? I note that, as far as I was usually aware, network security config has typically not been back-ported though. Useful to have a rough idea of what the remaining lifespan is of my library and how much time/effort I should continue to put into it.

Anyway, I'd gladly deprecate my library once the official support in Android is released. While I love and believe in open source and try my best to support my library, it is hard to find the time with too many other commitments and certainly hard to justify when, like most open source, the financials don't line up.

Matt

Roger Ng

Feb 7, 2025, 2:27:52 PM
to certificate-...@googlegroups.com, Bram Bonné
Hi Matt,

Good catch on the Network Security Config changes.

CT enforcement will initially only be available in Android Baklava and up. I will let Bram from Android provide further details as they become available.

Thank you very much for your continued support and contribution to the CT ecosystem.

Cheers,
Roger



Bram Bonné

Feb 14, 2025, 9:06:18 AM
to Roger Ng, certificate-...@googlegroups.com
Hey Matt,

Thanks for reaching out, and thanks for all of your work on the library! We have been building support for Certificate Transparency into the platform, and are rolling it out as part of Android 16 Beta 2, which is being released today :) Apps can opt in to having Certificate Transparency enforced for all their connections, or for specific domains.

There's some more documentation available at https://developer.android.com/privacy-and-security/security-config#certificateTransparencySummary, but let us know if you have any feedback or if anything is unclear.

Kind regards,
Bram (on behalf of the Android security team)

Andrew Ayer

Feb 14, 2025, 2:52:14 PM
to certificate-...@googlegroups.com, Roger Ng
On Fri, 14 Feb 2025 09:58:19 +0100
'Bram Bonné' via certificate-transparency
<certificate-...@googlegroups.com> wrote:

> There's some more documentation available at
> https://developer.android.com/privacy-and-security/security-config#certificateTransparencySummary,
> but let us know if you have any feedback or if anything is unclear.

Hi Bram,

What's the policy for CT compliance? (For example, https://googlechrome.github.io/CertificateTransparency/ct_policy.html or https://support.apple.com/en-us/103214)

The documentation cites RFC 9162; I assume this is a mistake and Android implements RFC 6962?

Regards,
Andrew

Disha Satija

Feb 14, 2025, 9:50:44 PM
to certificate-transparency
Excellent news Bram!! Could you confirm if this will also work for countries like China which may have a firewall enforced?
Do you have an expected date for stable release? It will help us plan our work!

Regards,
Disha

Matthew Dolan

Feb 14, 2025, 9:50:44 PM
to certificate-...@googlegroups.com, Roger Ng, certificate-...@googlegroups.com
RFC 9162 supersedes RFC 6962 so I thought the number seemed right to me.

Sent from my iPhone

> On 14 Feb 2025, at 14:52, Andrew Ayer <ag...@andrewayer.name> wrote:
>
> On Fri, 14 Feb 2025 09:58:19 +0100

Roger Ng

Feb 14, 2025, 9:56:38 PM
to Matthew Dolan, certificate-...@googlegroups.com
Hi Matt,

The CT ecosystem continues to use the RFC 6962 specification, and has not adopted RFC 9162.

Cheers,
Roger

Bram Bonné

Feb 19, 2025, 1:06:37 PM
to certificate-transparency
Thank you all for the feedback and questions.

On Friday, February 14, 2025 at 3:52:14 PM UTC+1 Andrew Ayer wrote:
> On Fri, 14 Feb 2025 09:58:19 +0100
> 'Bram Bonné' via certificate-transparency
> <certificate-...@googlegroups.com> wrote:
>
> > There's some more documentation available at
> > https://developer.android.com/privacy-and-security/security-config#certificateTransparencySummary,
> > but let us know if you have any feedback or if anything is unclear.
>
> Hi Bram,
>
> What's the policy for CT compliance? (For example, https://googlechrome.github.io/CertificateTransparency/ct_policy.html or https://support.apple.com/en-us/103214)

We're currently following Chrome's policy for compliance, and intend to publish authoritative documentation before the full Android 16 release. We don't expect to diverge from Chrome's policy.

> The documentation cites RFC 9162; I assume this is a mistake and Android implements RFC 6962?

Thanks for calling that out -- we're fixing it to refer to the correct RFC (which should indeed have been RFC 6962).

> Regards,
> Andrew

Bram Bonné

Feb 19, 2025, 1:06:40 PM
to certificate-transparency
On Friday, February 14, 2025 at 10:50:44 PM UTC+1 Disha Satija wrote:
> Excellent news Bram!! Could you confirm if this will also work for countries like China which may have a firewall enforced?

Updating the log list requires a connection to gstatic.com at least once every 70 days. If the device is unable to acquire a log list less than 70 days old, the implementation will fail-open in accordance with the current policy.

> Do you have an expected date for stable release? It will help us plan our work!

This will officially launch with Android 16, with enforcement depending on individual app opt-in.

Disha Satija

Feb 19, 2025, 9:49:59 PM
to certificate-transparency
Hi Bram,
Thanks for the response. Could you also share your insights on the below:

- How will CT failures be reported to the app?
- Will it be possible to enable or disable CT enforcement via code at runtime (useful for a toggle-based implementation)?
- Will this solution for CT be back-ported to older Android releases in future?
- What would be the best way to test out this solution?
- Is it possible to log when the app fail-opens, etc.?

Looking forward to your response,
Thanks
Disha

Bram Bonné

Feb 20, 2025, 3:21:58 PM
to certificate-...@googlegroups.com
Hey Disha,

On Wed, Feb 19, 2025 at 10:50 PM Disha Satija <dishas...@gmail.com> wrote:
> Hi Bram,
> Thanks for the response. Could you also share your insights on the below:
>
> - How will CT failures be reported to the app?

The app will get an SSL handshake exception, with the message field containing information about the CT policy violation.

> - Will it be possible to enable or disable CT enforcement via code at runtime (useful for a toggle-based implementation)?

Apps are expected to statically configure per-domain CT requirements in their network security configuration file.

> - Will this solution for CT be back-ported to older Android releases in future?

That would require moving some parts of the platform out into mainline modules, allowing them to be pushed to older platform releases. We currently don't have any timelines to share for this.

> - What would be the best way to test out this solution?

Install an Android 16 beta 2 build on your device (or on an emulator), and opt in your app through the instructions at https://developer.android.com/privacy-and-security/security-config#certificateTransparency.

> - Is it possible to log when the app fail-opens, etc.?

There is currently no way for apps to query the status of the device's log list. We welcome feedback on whether such an API would be useful through our bug tracker.

Kind regards,
Bram
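Putting Bram's Feb 14 and Feb 20 answers together, here is an added example (not from the thread, and not Android's own documentation) of the static, per-domain opt-in he describes. It assumes the `<certificateTransparency enabled="true" />` element from the linked security-config page, the usual `android:networkSecurityConfig` manifest attribute, and a constructed domain `api.example.com`.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml (constructed example).
     Wired up from AndroidManifest.xml with
     <application android:networkSecurityConfig="@xml/network_security_config" ...>.
     Element and attribute names are assumed from the linked Android docs
     (#certificateTransparency). Per the thread, enforcement exists only on
     Android 16 (Baklava) and up; older releases parse the file but the
     flag has no effect, and there is no back-port timeline. -->
<network-security-config>
    <!-- Default for every connection the app makes. Leaving CT off here
         and opting in per domain below keeps third-party endpoints you do
         not control from breaking; set it to "true" to require CT for all
         connections, which is the other opt-in Bram mentions. -->
    <base-config>
        <certificateTransparency enabled="false" />
    </base-config>

    <!-- Opt in for the backend the app actually depends on (api.example.com
         is a constructed placeholder). A certificate that does not satisfy
         the Chrome-aligned CT policy surfaces to the app as an
         SSLHandshakeException whose message describes the CT policy
         violation. There is no runtime toggle: this file is the switch.
         Caveat: if the device has not fetched a log list newer than 70 days
         from gstatic.com, enforcement fails open, and the app has no API to
         detect that state. -->
    <domain-config>
        <domain includeSubdomains="true">api.example.com</domain>
        <certificateTransparency enabled="true" />
    </domain-config>

    <!-- Test domain mentioned earlier in the thread: its certificate carries
         no SCTs, so on an Android 16 beta 2 build with a fresh log list a
         connection to it from this app should fail the handshake, while
         example.com should still connect. -->
    <domain-config>
        <domain includeSubdomains="false">no-sct.badssl.com</domain>
        <certificateTransparency enabled="true" />
    </domain-config>
</network-security-config>
```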
 