The Electronic Frontier Foundation is calling for encryption standardization in all network requests from all mobile apps.
So far we have seen strides for at least keeping messages private on mobile devices with end-to-end encrypted apps like Signal, WhatsApp, and iMessage. Encryption on the web has been widely adopted. We even declared in 2021 that “HTTPS Is Actually Everywhere.” Most web traffic is encrypted and for a website to have a reputable presence with browsers, they have to meet certain requirements that major browsers enforce today. Mechanisms like certificate transparency, Cross-origin resource sharing (CORS) rules, and enforcing HTTPS help prevent malicious activity happening to users every day.
Yet, mobile has always been a different and ever expanding context. You access the internet on mobile devices through more than just the web browser. Mobile applications have more room to spawn network requests in the app without the user ever knowing where and when a request was sent. There is no “URL bar” to see the network request URL for the user to see and check. In some cases, apps have been known to “roll their own” cryptographic processes outside of non-standard encryption practices.
Despite recent attempts to address this in Android, there hasn’t been sufficient process.
Android has made some strides to protect users’ traffic in apps, like allowing you to set private DNS. Yet, Android app developers can still set a flag to use clear text/unencrypted requests. Android owners should be able to block app requests engaging in this practice. While security settings can be difficult for users to set themselves due to lack of understanding, it would be a valuable setting to provide. Especially since users are currently being bombarded on their devices to turn on features they didn’t even ask for or want. This flag can’t possibly capture all clear text traffic due to the amount of network access “below” HTTPS in the network stack apps can control. However, it would be a good first step for a lot of apps that still use HTTP/unencrypted requests.