To improve security, insecure TLS version fallback has been removed from HttpsURLConnection
in Android O.

TLS version fallback is a compatibility workaround in the HTTPS stack to connect
to servers that do not implement TLS protocol version negotiation correctly. In
previous versions of Android, if the initial TLS handshake fails in a particular
way, HttpsURLConnection retries the handshake with newer TLS protocol versions
disabled. In Android O, it will no longer attempt those retries. Connections to
servers that correctly implement TLS protocol version negotiation are not

We are removing this workaround because it weakens TLS by disabling TLS protocol
version downgrade protections. The workaround is no longer needed, because fewer
than 0.01% of web servers relied on it as of late 2015.
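
The following Python model is an added example, not code from the original post or from Android. It contrasts a client that retries with newer versions disabled against one that makes a single attempt, for a correct server, a server with broken version negotiation, and a correct server whose handshakes are interfered with. The version list, the one-step-at-a-time retry order and all function names are assumptions of the model.

```python
# Toy model of TLS version negotiation (added example, not Android code).
VERSIONS = ["TLSv1", "TLSv1.1", "TLSv1.2"]  # assumed list, oldest to newest

class HandshakeFailure(Exception):
    """One handshake attempt did not complete."""

def server_handshake(client_max, server_max, intolerant=False):
    """Return the version negotiated in a single handshake attempt."""
    c, s = VERSIONS.index(client_max), VERSIONS.index(server_max)
    if intolerant and c > s:
        # Broken negotiation: the server rejects a ClientHello that offers
        # a newer version instead of replying with its own highest version.
        raise HandshakeFailure("server rejected ClientHello")
    return VERSIONS[min(c, s)]

def connect(handshake, fallback):
    """Client side. fallback=True models the old retry behaviour (newer
    versions disabled one at a time, an assumption of this model);
    fallback=False models Android O, which makes a single attempt."""
    offers = list(reversed(VERSIONS)) if fallback else [VERSIONS[-1]]
    for client_max in offers:
        try:
            return handshake(client_max)
        except HandshakeFailure:
            continue
    return None  # no attempt succeeded: the connection fails

def interfered(handshake, blocked):
    """Wrap a handshake so that attempts offering a version in `blocked`
    fail, modelling interference by a party on the network path."""
    def attempt(client_max):
        if client_max in blocked:
            raise HandshakeFailure("handshake interrupted")
        return handshake(client_max)
    return attempt

def scenarios():
    """Map scenario name -> (result with fallback, result without)."""
    def good(m): return server_handshake(m, "TLSv1.2")
    def broken(m): return server_handshake(m, "TLSv1", intolerant=True)
    noisy = interfered(good, {"TLSv1.2", "TLSv1.1"})
    cases = {"correct server": good, "intolerant server": broken,
             "correct server, interference": noisy}
    return {name: (connect(h, True), connect(h, False))
            for name, h in cases.items()}
```

With fallback, the interfered connection to a correct server ends up on the oldest version even though both ends support the newest one; without fallback the same connection fails instead, and only the intolerant server loses connectivity.
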
Most apps will not be affected by this change. The easiest way to be sure is to
build and test your app with the Android O Developer
Preview. Your app’s HTTPS connections in Android O will not be affected if

If your app relies on TLS version fallback, its HTTPS connections are vulnerable
to downgrade attacks. To fix this, you should contact whoever operates the
server. If this is not possible right away, then as a workaround you could use a
third-party HTTP library that offers TLS version fallback. Be aware that using
this method weakens your app’s TLS security. To discover any compatibility
issues, please test your app against the Android O Developer Preview.