Google has announced that 80% of Android apps now encrypt all traffic by default, thanks to the increased uptake of transport layer security (TLS).
TLS is a cryptographic protocol used by all HTTPS domains to secure traffic over a network. Since the launch of Android 7 back in 2016, Google has allowed developers to configure their network security settings without changing the app’s code. This lets them opt out of supporting cleartext traffic (that is, unencrypted traffic such as that supported by HTTP), which is susceptible to compromise.
With the launch of Android 9 (Pie) last year, however, Google enforced a new policy for all apps targeting that specific version of Android (API level 28) or higher so that they would default to HTTPS connections. Developers can still manually opt into cleartext for specific domains.
Google said that as a result of these changes, 90% of all apps targeting Android 9 or higher encrypt all traffic by default, though this figure drops to 80% when factoring in all Android apps.
Google enforces API level requirements for all Android apps each year. For 2019, all new apps have been required to support Android 9 and above, starting August 1. For updates to existing apps on Google Play, this same policy applied from November 1.
In effect, this means all apps that are being actively updated will be forced to block cleartext traffic by default unless the developer creates specific opt-outs. All other apps can still exist on Google Play unaffected. Many apps only receive updates on a sporadic basis, but when a developer decides it’s time to give their app a fresh coat of paint, they will at that point have to support only encrypted traffic by default. In other words, the 80% figure touted by Google today will likely only increase.
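The per-domain cleartext opt-outs described above are declared in an app's Network Security Configuration XML file through the `cleartextTrafficPermitted` attribute. As an added example (not from Google or the original article), this Python script resolves which domains a given config still permits cleartext for at a given target API level, including inheritance into nested `domain-config` blocks. The sample config and its domain names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample config (not taken from any real app); audit your own build tree.
SAMPLE_CONFIG = """<network-security-config>
    <domain-config cleartextTrafficPermitted="true">
        <domain includeSubdomains="true">legacy.example.com</domain>
        <domain-config cleartextTrafficPermitted="false">
            <domain>pay.legacy.example.com</domain>
        </domain-config>
    </domain-config>
    <domain-config>
        <domain>api.example.com</domain>
    </domain-config>
</network-security-config>"""


def _flag(elem, inherited):
    """Resolve cleartextTrafficPermitted, falling back to the inherited value."""
    value = elem.get("cleartextTrafficPermitted") if elem is not None else None
    return inherited if value is None else value.strip().lower() == "true"


def cleartext_policy(config_xml, target_sdk):
    """Return (base_default, {domain: (cleartext_allowed, include_subdomains)})."""
    root = ET.fromstring(config_xml)
    # Platform default: cleartext is blocked when targeting API level 28 or higher.
    base = _flag(root.find("base-config"), target_sdk < 28)
    domains = {}

    def walk(parent, inherited):
        for dc in parent.findall("domain-config"):
            allowed = _flag(dc, inherited)
            for d in dc.findall("domain"):
                subs = d.get("includeSubdomains", "false").lower() == "true"
                domains[(d.text or "").strip()] = (allowed, subs)
            walk(dc, allowed)  # a nested domain-config inherits from its parent

    walk(root, base)
    return base, domains


def cleartext_findings(config_xml, target_sdk):
    """List what an auditor should review: every place cleartext is permitted."""
    base, domains = cleartext_policy(config_xml, target_sdk)
    findings = ["base: cleartext permitted for all domains"] if base else []
    findings += [f"{name}{' (+subdomains)' if subs else ''}: cleartext permitted"
                 for name, (allowed, subs) in sorted(domains.items()) if allowed]
    return findings
```

Running `cleartext_findings` over the same file with a target API level below 28 shows how the platform default changes the result: domains that set no attribute of their own then inherit a permissive base.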