BC Classic (Android and Windows)

cryptoman

Hello,

I am using BC Classic for Windows and Android with the Telekom Cloud.
How secure is the transmission of the user login of the Telekom account in Android via WebDAV? Hopefully, this is not transmitted in plain-text.

Best regards,
Cryptoman

Gustav

Hello cryptoman,

the Android app is using https for the connection to the Telekom Cloud.

In the Windows version you have to add the Telekom Cloud by yourself and as I can see in their documentation they are using https too, so it's a save transmission.

Greetings
Gustav

cryptoman

Thank you for your quick reply, Gustav. :-)

Which cipher is used for the Android app and SSL?
DHE-RSA-AES256-SHA or something else?

Robert

Hi,

We're using the default Apache HTTP Client library of Android to execute the HTTPS requests - currently without any modification to the list of used cipher suites. So which cipher suite is used depends on the Android version you are using. And of course it also depends on the server because the server is actually choosing which cipher suite to use.

The "Handshake Simulation" of Qualys SSL Labs gives you a good impression which cipher suites will be used in which Android version. Here's Telekom Cloud's WebDAV (which is actually pretty bad):
https://www.ssllabs.com/ssltest/analyze.html?d=webdav.mediencenter.t-online.de

It seems, that their WebDAV server is always choosing the weak RC4-SHA cipher suite (TLS_RSA_WITH_RC4_128_SHA) even if the client would prefer AES256-SHA (as the older - or latest - Android versions do).

We are aware of the fact that the default list of cipher suites in Android has been severely downgraded (from AES256-SHA to RC4-MD5) but I have to admit that we have not yet found the time to implement our own list of preferred cipher suites. (Mainly because in the end, only the server determines which cipher is actually used). More information can be found here:
http://op-co.de/blog/posts/android_ssl_downgrade/

Best regards,
Robert