fix: support TLS 1.3 on Android <= 9

[HashEngineering]

Issue being fixed or feature implemented

N/A

Related PR's and Dependencies

Screenshots / Videos

How Has This Been Tested?

• QA (Mobile Team)

Checklist:

• I have performed a self-review of my own code and added comments where necessary
• I have added or updated relevant unit/integration/functional/e2e tests

Summary by CodeRabbit

• New Features
 - Added TLS 1.3 support on older Android devices to enhance secure connectivity.
 - Introduced a new method of handling fee information, improving data access and management.

• Chores
 - Added new dependency for enhanced security capabilities.
 - Updated ProGuard configuration to retain necessary classes for the Conscrypt library.

[coderabbitai]

Walkthrough

The changes modify fee management and enhance TLS support. In the CrowdNode integration, the FeeInfo class now stores fee ladder data as a JSON string (rawValue) with a new lazy property that parses it into a list. The default fee ladder constant is updated accordingly. Additionally, the build configuration now includes the Conscrypt dependency to provide TLS 1.3 support on older Android devices. The WalletApplication is updated to conditionally insert the Conscrypt security provider for Android versions at or below API level 29.

Changes

File(s)	Change Summary
integrations/.../CrowdNodeFeeInfo.kt	Replaced the List<FeeLadder> property with a rawValue String containing JSON; added a lazy property to parse JSON into List<FeeLadder>; updated the default fee ladder constant.
wallet/build.gradle	Added dependency org.conscrypt:conscrypt-android:2.5.2 for TLS support.
wallet/.../WalletApplication.java	Introduced new imports and a conditional block in onCreate to insert the Conscrypt security provider for Android API ≤ 29.
wallet/proguard.cfg	Added keep rules for Conscrypt classes; removed numerous existing ProGuard rules affecting other classes and libraries.

Sequence Diagram(s)

sequenceDiagram
  participant C as Caller
  participant F as FeeInfo
  participant L as Lazy Property (value)
  participant G as Gson Parser

  C->>F: call getNormal()
  F->>L: Access lazy property value
  L->>G: Parse rawValue JSON string
  G-->>L: Return List<FeeLadder>
  L-->>F: Set lazy value
  F-->>C: Return fee data from getNormal()

Loading

sequenceDiagram
  participant A as WalletApplication
  participant S as Security Framework
  participant C as Conscrypt Provider

  A->>A: onCreate()
  A->>A: Check Android API version (≤29)
  alt API condition met
    A->>S: insertProviderAt(Conscrypt, 1)
  end

Loading

Suggested reviewers

• Syn-McJ

Poem

I'm a rabbit hopping through this code,
JSON fees now in a new abode.
Lazy values spring to life,
TLS guards without much strife.
I nibble bytes all day,
Celebrating changes in my playful way.

---

📜 Recent review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between d061bf6 and 70ddaca.

📒 Files selected for processing (1)

• wallet/proguard.cfg (1 hunks)

⏰ Context from checks skipped due to timeout of 90000ms (1)

• GitHub Check: build

🔇 Additional comments (2)

wallet/proguard.cfg (2)

227-234: LGTM: Conscrypt ProGuard rules are correctly configured.

The added ProGuard rules for Conscrypt are complete and correctly configured to support TLS 1.3 on Android <= 9. The rules ensure that:

1. All Conscrypt classes are preserved during ProGuard processing
2. Warnings related to Conscrypt classes are suppressed

---

1-226: Critical: Verify the removal of essential ProGuard rules.

The removal of numerous essential ProGuard rules could lead to runtime issues, crashes, or unexpected behavior. These rules were crucial for:

• Basic ProGuard configuration (optimization, verification, obfuscation)
• Android framework components (views, activities, fragments)
• Third-party libraries (Bitcoinj, Glide, Retrofit, OkHttp)
• Serialization and Parcelable implementations

Please verify that these rules are either:

1. No longer needed due to migration to a newer build system
2. Moved to another configuration file
3. Replaced by equivalent rules

Run this script to check if these rules exist in other ProGuard configuration files:

---

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR. (Beta)
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between df57343 and 1a21a05.

📒 Files selected for processing (3)

• integrations/crowdnode/src/main/java/org/dash/wallet/integrations/crowdnode/model/CrowdNodeFeeInfo.kt (2 hunks)
• wallet/build.gradle (1 hunks)
• wallet/src/de/schildbach/wallet/WalletApplication.java (3 hunks)

⏰ Context from checks skipped due to timeout of 90000ms (2)

• GitHub Check: check
• GitHub Check: build

🔇 Additional comments (3)

wallet/build.gradle (1)

83-83: Verify the Conscrypt version for security vulnerabilities.

The current version 2.5.2 might not be the latest. Let's verify if there are any security advisories or newer versions available.

✅ Verification successful

🌐 Web query:

What is the latest version of org.conscrypt:conscrypt-android and are there any known security vulnerabilities in version 2.5.2?

💡 Result:

The latest version of `org.conscrypt:conscrypt-android` is **2.5.3**, as indicated by its Maven Central listing[1][8]. This artifact provides Android-specific cryptographic functionality through BoringSSL integration and is maintained by Google[1][4][5].

For **version 2.5.2**, there are no direct references to security vulnerabilities in the provided sources, though general risks should be considered:

1. **Historical vulnerabilities**:  
   - Older Conscrypt versions had critical flaws like CVE-2016-2461 (AAD mishandling allowing authentication spoofing)[2] and CVE-2016-0818 (certificate validation bypass)[7], but these predate v2.x.
   - Recent advisories (CERT-In CIVN-2025-0013) warn about Android component vulnerabilities including Conscrypt[3], though they don't specify versions.

2. **Upgrade recommendations**:  
   - Version 2.5.3 includes unspecified updates over 2.5.2[1][8].
   - Android Mainline updates since v14 allow faster security patches via APEX modules[5], reducing reliance on library versions.

Developers using Conscrypt should:
- Upgrade to v2.5.3 unless constrained by compatibility requirements
- Monitor Android Security Bulletins[3][7]
- Use `NetworkSecurityConfig` for certificate management[5]
- Validate native library loading[6][10]

No active exploits for v2.5.2 are documented in the sources, but following standard supply-chain security practices remains crucial given open source dependencies' prevalence[1][3].

Citations:

- 1: https://central.sonatype.com/artifact/org.conscrypt/conscrypt-android
- 2: https://www.cvedetails.com/cve/CVE-2016-2461/
- 3: https://www.moneycontrol.com/technology/government-warns-about-multiple-security-flaws-in-android-what-users-need-to-know-article-12932684.html
- 4: https://central.sonatype.com/artifact/org.conscrypt/conscrypt-android/2.5.2
- 5: https://source.android.com/docs/core/ota/modular-system/conscrypt
- 6: https://groups.google.com/g/conscrypt/c/FgIPOsbTEl0
- 7: https://source.android.com/docs/security/bulletin/2016-03-01
- 8: https://mvnrepository.com/artifact/org.conscrypt/conscrypt-android/2.5.2
- 9: https://github.com/google/conscrypt
- 10: https://github.com/google/conscrypt/issues/649

---

Update Conscrypt Dependency Version

• The current version 2.5.2 in wallet/build.gradle has no documented active security vulnerabilities.
• The latest available version is 2.5.3, which includes updates and improvements.
• While 2.5.2 remains secure based on available information, upgrading to 2.5.3 is recommended to benefit from these enhancements and ensure the best security posture.

wallet/src/de/schildbach/wallet/WalletApplication.java (1)

342-346: LGTM! Conscrypt initialization is correctly implemented.

The implementation properly:

1. Checks for Android Q (API 29) and below
2. Inserts Conscrypt provider at the correct position (index 1)
3. Enables TLS 1.3 support for older Android versions

integrations/crowdnode/src/main/java/org/dash/wallet/integrations/crowdnode/model/CrowdNodeFeeInfo.kt (1)

48-62: LGTM! Efficient implementation of fee ladder storage.

The change to store fee ladder as a JSON string with lazy parsing is a good optimization:

1. Reduces initial memory usage
2. Improves startup time
3. Maintains compatibility with the API format

[coderabbitai]

🛠️ Refactor suggestion

Add error handling for JSON parsing.

The lazy property could throw JsonSyntaxException or JsonParseException if the rawValue string is malformed. Consider adding error handling to gracefully handle parsing failures.

 val value: List<FeeLadder> by lazy {
-    Gson().fromJson(rawValue, object : TypeToken<List<FeeLadder>>() {}.type)
+    try {
+        Gson().fromJson(rawValue, object : TypeToken<List<FeeLadder>>() {}.type)
+    } catch (e: com.google.gson.JsonSyntaxException) {
+        log.error("Failed to parse fee ladder: ${e.message}")
+        emptyList()
+    }
 }

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	val value: List<FeeLadder> by lazy {
	Gson().fromJson(rawValue, object : TypeToken<List<FeeLadder>>() {}.type)
	}
	val value: List<FeeLadder> by lazy {
	try {
	Gson().fromJson(rawValue, object : TypeToken<List<FeeLadder>>() {}.type)
	} catch (e: com.google.gson.JsonSyntaxException) {
	log.error("Failed to parse fee ladder: ${e.message}")
	emptyList()
	}
	}

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

wallet/proguard.cfg (1)

227-229: Minor naming inconsistency in the comment.

It appears the comment says "Conscript" instead of "Conscrypt," which might be a simple typo. To maintain clarity and consistency, consider updating the comment to match the library’s correct spelling.

You can fix it with the following diff:

-# Conscript
+# Conscrypt

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 1a21a05 and d061bf6.

📒 Files selected for processing (1)

• wallet/proguard.cfg (1 hunks)

⏰ Context from checks skipped due to timeout of 90000ms (1)

• GitHub Check: build

[Syn-McJ]

Looks good