Google has shared some information on the adoption of TLS by Android apps, and significant progress seems to have been made over the last two years.
According to Google, 80% of Android apps now encrypt their traffic by default, and the percentage is higher for apps that target the most recent versions of the operating system. The company says 90 percent of apps targeting Android 9 and higher encrypt traffic by default.
Beginning on November 1, 2019, Google has required all apps, both new apps released on Google Play and updates to existing applications, to target Android 9 or higher. The company anticipates that this will also have a positive impact and will continue to increase TLS adoption rates.
The Network Security Configuration, launched by Google in 2016, allows developers to customize the network security policy for their application via a configuration file. For apps targeting Android 9 or 10, the default policy blocks unencrypted traffic for every domain.
In addition, Google warns developers, via the Android Studio development environment and the Play Console pre-launch report, when their app allows unencrypted traffic or accepts user-specified certificates. Both of these practices allow data associated with the application to be intercepted or modified.
Developers may, where appropriate, add exceptions to the security policy to allow unencrypted traffic and accept user-specified certificates, though Google has advised them to take into account the security and privacy implications.