← Knowledge base

Android

Is PQC enabled? — quick check

adb shell or Termux

getprop ro.build.version.release
getprop ro.build.version.sdk
pm list packages -f | grep -i conscrypt
# Then open https://checkpqc.app/ in Chrome on the device.

Expected when PQC is ON

15
35
package:/apex/com.google.android.conscrypt/javalib/conscrypt.jar=com.google.android.conscrypt
checkpqc.app verdict: HYBRID_ENABLED

What you'll see when PQC is OFF

13
33
package:/system/.../conscrypt.jar=com.android.conscrypt   (NOT mainline)
checkpqc.app verdict: CLASSICAL_ONLY

Mainline Conscrypt (com.google.android.conscrypt) ships PQ via Play Services updates. The unbranded com.android.conscrypt is the frozen platform copy.

Android's default TLS provider is Conscrypt — a JNI wrapper around BoringSSL. On Google-Play-equipped devices Conscrypt is delivered as a Mainline module (com.google.android.conscrypt.apex) and updates independently of OS releases. Hybrid X25519MLKEM768 ships once Google promotes it to the stable Conscrypt module.

What's PQ-ready on Android today

What's not yet

Verify a server from a phone

Start with the no-download browser check: open the target site in Chrome, Edge, Brave, or Firefox and use the browser verdict. If you need a local Termux proof, run:

if ! command -v openssl >/dev/null 2>&1; then
  echo 'Termux openssl-tool was not found.'
  printf 'Install openssl-tool and curl now? [y/N] '; read answer
  case "$answer" in [Yy]*) pkg update && pkg install openssl-tool curl ;; *) exit 1 ;; esac
fi
openssl version
openssl s_client -connect checkpqc.app:443 -tls1_3 \
  -groups X25519MLKEM768 </dev/null 2>&1 | grep "Cipher is\|alert"

Enterprise / MDM

Knox / Android Enterprise managed configurations can pin minimum Conscrypt versions. For BYOD, the simplest assurance is: confirm Play Services + Mainline updates are not paused.

Run the check on services your Android phone uses →