Also, I see 3DES, MD5 or static key ECDH is are removed from the cipher suite in Android 5.0. However if a developer has customised the client cipher suite it would be good throw a message if these are negotiated in the Server Hello request.
Hopefully throwing messages will prompt a developer to update the client and server cipher suites.
(I believe it's possible for a developer to customise the client-side cipher suite?)
Suggested implementations are:
Throw a [WARNING] message if a cipher containing RC4 is negotiated (in Server Hello request).
Throw a [ERROR] message if a cipher with 3DES, MD5 or static key ECDH is negotiated.
I see Ngtf is checking the cipher suite for insecure ciphers (in Client Hello request).
It would be good to check the agreed upon cipher (in the Server Hello request) if it is secure. For example I see RC4 is still supported in Android 5.0, but it's probably not the preferred option if a cipher including this algorithm is negotiated. https://community.qualys.com/blogs/securitylabs/2013/03/19/rc4-in-tls-is-broken-now-what
Also, I see 3DES, MD5 or static key ECDH is are removed from the cipher suite in Android 5.0. However if a developer has customised the client cipher suite it would be good throw a message if these are negotiated in the Server Hello request. Hopefully throwing messages will prompt a developer to update the client and server cipher suites. (I believe it's possible for a developer to customise the client-side cipher suite?)
Suggested implementations are:
I hope this makes sense.