Georg Lukas has written a detailed post reporting that Google uses what he calls ‘horribly broken’ RC4 and MD5 as the default cipher on all SSL connections of Android devices. Both are extremely insecure: they are broken and can be easily compromised.
Android did not use a weak cipher from the very beginning. In fact, it used the pretty strong DHE-RSA-AES256-SHA cipher until Android version 2.2.1. But something happened with the release of Android 2.3.4, when RC4 and MD5 were elevated to the default cipher, and they are still being used on the latest Android versions.
What happened? Did NSA insurgents infiltrate Google?
Supposedly, it was neither NSA agents nor Google’s intention to weaken Android. Fear mongers, or those who want to spread FUD against Android, may twist this post; however, it seems that Google didn’t do it on purpose to weaken Android security.
Lukas dug deeper into the code to understand what actually happened and found that the credit goes to Oracle. Google engineers were simply implementing what Java’s Reference Implementation (RI 6) recommended.
Lukas further explained that “The cipher order on the vast majority of Android devices was defined by Sun in 2002 and taken over into the Android project in 2010 as an attempt to improve compatibility.”
It could be a horrible mistake by Google, and it really doesn’t matter why it was done. What matters is that it’s fixable, and Google must fix it as soon as possible to keep its users safe from the prying hands of the NSA and to keep at bay those who won’t miss any opportunity to attack Android.
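Why the default cipher order matters, as an added example that is not code from Lukas's post or from Android: it reads the cipher list out of a ClientHello, reports weak suites ranked ahead of the first strong one, and models a server that honours the client's order. The suite lists and the server set are constructed for illustration; only their first entries (RC4-MD5 and DHE-RSA-AES256-SHA) come from the article.

```python
import struct

# IANA cipher suite code points, labelled with their OpenSSL names.
SUITES = {0x0004: "RC4-MD5", 0x0005: "RC4-SHA", 0x002F: "AES128-SHA",
          0x0035: "AES256-SHA", 0x0039: "DHE-RSA-AES256-SHA"}

def build_hello(ids):
    """Constructed sample: a minimal TLS 1.0 ClientHello handshake message."""
    body = (b"\x03\x01" + bytes(32) + b"\x00"        # version, random, empty session_id
            + struct.pack("!H", 2 * len(ids))        # cipher_suites length in bytes
            + struct.pack("!%dH" % len(ids), *ids)   # suites, most preferred first
            + b"\x01\x00")                           # one compression method: null
    return b"\x01" + len(body).to_bytes(3, "big") + body

def client_suites(hello):
    """Return the offered suites in the client's preference order."""
    if len(hello) < 41 or hello[0] != 0x01:
        raise ValueError("not a ClientHello handshake message")
    pos = 4 + 2 + 32                  # handshake header, client_version, random
    pos += 1 + hello[pos]             # skip session_id
    if pos + 2 > len(hello):
        raise ValueError("truncated ClientHello")
    (n,) = struct.unpack_from("!H", hello, pos)
    pos += 2
    if n % 2 or pos + n > len(hello):
        raise ValueError("bad cipher_suites length")
    ids = struct.unpack_from("!%dH" % (n // 2), hello, pos)
    return [SUITES.get(i, "0x%04X" % i) for i in ids]

def is_weak(name):
    return "RC4" in name or name.endswith("MD5")

def weak_preferred(suites):
    """Weak suites the client ranks ahead of its first non-weak suite."""
    first_ok = next((i for i, s in enumerate(suites) if not is_weak(s)), len(suites))
    return suites[:first_ok]

def negotiate(client, server):
    """Model of a server that honours client order: first offered suite it supports."""
    return next((s for s in client if s in server), None)

# Constructed lists: only the top entry of each reflects the article.
NEW_ORDER = [0x0004, 0x0005, 0x002F, 0x0035, 0x0039]   # RC4-MD5 first
OLD_ORDER = [0x0039, 0x0035, 0x002F, 0x0005, 0x0004]   # DHE-RSA-AES256-SHA first
SERVER = {"RC4-MD5", "AES256-SHA", "DHE-RSA-AES256-SHA"}

if __name__ == "__main__":
    for label, ids in (("old", OLD_ORDER), ("new", NEW_ORDER)):
        offered = client_suites(build_hello(ids))
        print(label, "weak first:", weak_preferred(offered), "->", negotiate(offered, SERVER))
```

The same client list negotiates a strong suite once the server stops offering RC4 and MD5 suites, which is the lever available to server operators while clients remain unpatched.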