Lync mobile update for Android – More than meets the eye

Twitter and blogs have been buzzing about the update for the Lync mobile client for Android. It was released on the 12th of May and demoed on the same day by Modality Systems' Justin Morris (@justimorris) at this year's TechEd NA.

The update includes the following features:
– Tablet support
– Add participants into an ongoing conversation (IM or Lync Meeting)
– Start an ad-hoc group conversation
– Bug fixes

These are great changes to the Android client, bringing its functionality closer to its Windows Phone and iOS siblings. You have most likely read this already since it has been all over the Internet. So why am I writing yet another blog post about this? Well, the simple answer is that this update contains more than meets the eye. Specifically, there are two changes that I find particularly important.

– Security improvements through tightened SSL validation
– Authentication protocol changed to NTLM

While these features might not sound as shiny and extravagant as those in the previous list, they are very important from a security perspective.

Any change that strengthens certificate validation is a good change. The tightened SSL validation means that the client must be able to validate the server certificate and its chain. A valid certificate must therefore meet the following criteria:

• Certificates cannot be expired.
• The certificate chain must be validated, and certificates must meet one of the following requirements:
     o Certificates must be trusted (that is, signed by a certificate authority the device trusts).
     o Otherwise the certificate (and its chain) has to be installed on the device.
• The DNS Name certificate property has to match the URL.
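To make these rules concrete, here is an added example (my own illustration, not the Lync client's code) that applies the three checks to a simplified certificate model; the CA names, host names and dates are constructed.

```python
from datetime import datetime, timezone

# Constructed example, not the Lync client's code: a simplified certificate
# model (subject, issuer, validity window, SAN dNSName entries) used to apply
# the three rules above. No real X.509 parsing is done.
def make_cert(subject, issuer, not_before, not_after, dns_names=()):
    return {"subject": subject, "issuer": issuer, "not_before": not_before,
            "not_after": not_after, "dns_names": list(dns_names)}

def at(year, month, day):
    return datetime(year, month, day, tzinfo=timezone.utc)

def hostname_matches(pattern, hostname):
    """Exact match, or a wildcard that covers only the leftmost label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if pattern.startswith("*.") and "*" not in pattern[2:]:
        labels = hostname.split(".")
        return len(labels) > 2 and ".".join(labels[1:]) == pattern[2:]
    return False

def validate(chain, trusted, hostname, now):
    """chain[0] is the server (leaf) certificate, followed by its issuers.
    trusted holds the device's trust anchors, including any certificate the
    administrator installed by hand. Returns a list of failures (empty = valid)."""
    failures = []
    for cert in chain:                                   # rule 1: not expired
        if not cert["not_before"] <= now <= cert["not_after"]:
            failures.append(f"expired or not yet valid: {cert['subject']}")
    for child, parent in zip(chain, chain[1:]):          # rule 2a: chain links up
        if child["issuer"] != parent["subject"]:
            failures.append(f"{child['subject']} was not issued by {parent['subject']}")
    anchors = {c["subject"] for c in trusted}            # rule 2b: trusted or installed
    if not (any(c["subject"] in anchors for c in chain) or chain[-1]["issuer"] in anchors):
        failures.append("chain does not end at a trusted or installed certificate")
    if not any(hostname_matches(n, hostname) for n in chain[0]["dns_names"]):  # rule 3
        failures.append(f"{hostname} does not match {chain[0]['dns_names']}")
    return failures

def sample_chain():
    """Constructed chain: leaf -> issuing CA, with the root kept as the trust anchor."""
    root = make_cert("Example Root CA", "Example Root CA", at(2010, 1, 1), at(2030, 1, 1))
    issuing = make_cert("Example Issuing CA", "Example Root CA", at(2012, 1, 1), at(2022, 1, 1))
    leaf = make_cert("lyncdiscover.example.com", "Example Issuing CA", at(2014, 1, 1),
                     at(2016, 1, 1), ["lyncdiscover.example.com", "*.example.com"])
    return [leaf, issuing], [root]

if __name__ == "__main__":
    chain, trusted = sample_chain()
    print(validate(chain, trusted, "lyncdiscover.example.com", at(2014, 6, 1)))  # []
```

Removing the root from the trusted list, moving the clock past 2016, or connecting to a host outside the leaf's names each produces a distinct failure, which is the behaviour the tightened client now enforces.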

The second feature is much appreciated. I spent the entire TechEd EU 2013 asking presenters and Microsoft employees why the Android client was sending its credentials in clear text (no, Base64 is not encryption, it is just an encoding) while the other mobile clients used NTLM. I never got an answer. But with this update the authentication protocol for the Android client has changed to NTLM, which means credentials are no longer sent in clear text.

This means I must update the table from my first blog post about the Lync authentication process to reflect this.

Client                          Authentication protocol
PC-client (internal network)    Kerberos
PC-client (external network)    NTLM
Windows Phone                   NTLM
Android                         NTLM (versions prior to 5.4 use SOAP)
Lync Web App (domain user)      SOAP
Lync Web App (guest)            SOAP (Anonymous)

It should be noted that the Android client still doesn't request a certificate the way Windows Phone, iOS and the PC client do. Perhaps in the next update!

As always, thank you for reading. I hope you enjoyed it.