pacman | Posts: 89 | Thanked: 532 times | Joined on Sep 2015
I would be grateful if any real experts in Android security would comment on what I have written here. I know a little about all this, but I freely admit that my knowledge is rather superficial and I am more than willing to be corrected if I have got any of this wrong.

TL;DR: An important security protocol that is available on native Android 4.4.4 is not available under Alien Dalvik. This means that services that depend on using Android apps may not work on Alien Dalvik + SFOS, even though they do work on mainstream Android installations of the corresponding version. Android apps that work now on SFOS may stop working without warning if the services that they depend on drop support for older security protocols.

I started looking into why I could not see pictures or videos that other people sent me when using the Android Wire messenger app on SFOS, when I could see the media in the app when using it on Android. I also observed that profile pictures/avatar images and previews of shared web links are also unavailable on SFOS. Someone else posted about the same problem on TJC here: https://together.jolla.com/question/...e-no-pictures/

This GitHub issue https://github.com/wireapp/wire-android/issues/518 suggests that the problem happens when Google Play Services are not available:

* The Android Wire app tries to use GCM (Google Cloud Messaging) to retrieve shared media such as pictures, video and previews of web pages. This fails if Google Play Services are not available.
* The Wire app then falls back on a WebSocket protocol to try to retrieve the media.
* The service provided by Wire requires a handshake using TLS v1.2 for the WebSocket protocol to work.
* Under Android 4.4.4, TLS v1.2 is provided by Google Play Services, so the handshake fails on any Android 4.4 platform where Google Play Services is not available, including Alien Dalvik.
* Wire are not prepared to support TLS of a lower version than 1.2 on their service: that would be an unacceptable weakening of their security.

I have experimented a bit with Riot.im, and have found that with the Android Riot.im app on the matrix.org instance, images can be exchanged successfully. In principle, I could switch to this service, and try to persuade everyone that I currently communicate with on Wire to follow me to a Matrix-based service. I do not see this as a solution though: the administrators of matrix.org (or other Matrix instances) could drop support for older versions of TLS and I would then be in the same situation as I am now with Wire.

Some Android apps clearly do support TLS v1.2, for example pointing Android Firefox on SFOS to https://www.howsmyssl.com/ shows that TLS v1.2 is supported. This is presumably because the Android build of Firefox includes its own TLS library, and doesn’t rely on Google Play Services to provide it. However, it is not reasonable to expect every Android app to do this, if Google Play Services on Android 4.4.4 provides the latest version of TLS.

Is there any possibility that support for TLS v1.2 in Alien Dalvik on SFOS could somehow be provided? Maybe in microG, or by some kind of pass-through to SFOS itself? If this doesn’t happen, support for Android apps in SFOS that require access to secure services will gradually degrade as service providers drop support for older versions of TLS. I suspect that Wire is not the only app affected by this. Porting security patches from Android 4.4.x to Alien Dalvik won’t make any difference to this issue.

One commenter on the TJC thread linked to above does see media load in the Wire app, and has speculated that this is because they have installed the NextCloud app and synchronise Wire media with their NextCloud storage. This is unconfirmed so far, but if it is true then it suggests that it is possible to provide support for TLS v1.2 without having to get into the internals of Alien Dalvik.

The lack of support for up-to-date security protocols in Alien Dalvik (as compared to SFOS itself) has also been noted on TJC here: https://together.jolla.com/question/...ersations-app/

As I said at the start, I would be grateful for any comments on this from anyone with real expertise in this area.