Shipping a secure Android app with Delphi or C++Builder has always meant one extra chore: bundling libssl.so and libcrypto.so in the APK so OpenSSL is there at runtime. sgcWebSockets removes that chore. A new native TLS backend, iohAndroidTLS, hands the encryption to Android itself, so your app connects over TLS with no OpenSSL libraries to deploy. It is available in the Enterprise edition.
Under the hood the backend drives the platform's own javax.net.ssl.SSLEngine through JNI. The operating system performs the handshake, the record encryption and the certificate validation. sgcWebSockets just feeds plaintext in and gets ciphertext out, which means the whole TLS stack is the one Google ships and patches with the OS.
One line to switch
The TLS backend is selected through TLSOptions.IOHandler. To use Android's native TLS, set it to iohAndroidTLS. Everything else in your networking code stays the same.
uses
  sgcWebSocket, sgcWebSocket_Types;

// Where the connection is opened:
WSClient.TLS := True;
WSClient.TLSOptions.IOHandler := iohAndroidTLS; // Android's native TLS
WSClient.URL := 'wss://www.esegece.com:2053';
WSClient.Active := True;
On other platforms you keep the backend that fits: iohOpenSSL works everywhere, and iohSChannel is the native, deploy-nothing option on Windows. A small conditional keeps a single client component correct on every target.
WSClient.TLS := True;
{$IFDEF ANDROID}
  WSClient.TLSOptions.IOHandler := iohAndroidTLS; // native, no OpenSSL .so
{$ELSE}
  {$IFDEF MSWINDOWS}
  WSClient.TLSOptions.IOHandler := iohSChannel; // native on Windows
  {$ELSE}
  WSClient.TLSOptions.IOHandler := iohOpenSSL; // OpenSSL elsewhere
  {$ENDIF}
{$ENDIF}
WSClient.URL := 'wss://www.esegece.com:2053';
WSClient.Active := True;
No OpenSSL in the APK
This is the headline benefit. With the native backend the APK carries no libssl.so and no libcrypto.so. The package is smaller, and you never again chase an OpenSSL version, rebuild against a security advisory, or match a library build to a device. The TLS implementation lives on the device and is maintained by Android, so security fixes arrive through system updates rather than through your release cycle.
It also removes a class of deployment problems. There is no "library not found", no architecture mismatch between the bundled .so and the device, and no second copy of crypto to audit. You set one property and ship.
A full TLS client, not a cut-down one
The native backend is a complete client. It validates the server against the Android system trust store and performs hostname verification, so connections to public certificate authorities work with no extra configuration. It negotiates TLS 1.3, and it supports ALPN on Android 10 (API 29) and later, which lets you advertise application protocols such as http/1.1 during the handshake.
Because it sits behind the same TLSOptions API as every other backend, the familiar properties keep working. VerifyCertificate turns peer validation on or off, RootCertFile trusts a private authority, CertFile and Password present a client certificate, and ALPNProtocols lists the protocols to negotiate.
WSClient.TLS := True;
WSClient.TLSOptions.IOHandler := iohAndroidTLS;
WSClient.TLSOptions.VerifyCertificate := True;
WSClient.TLSOptions.ALPNProtocols.Add('http/1.1'); // Android 10 (API 29)+
WSClient.Host := 'your.server.com';
WSClient.Port := 443;
WSClient.Active := True;
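Trusting a private authority and presenting a client certificate with the properties named above, as an added example that is not taken from the sgcWebSockets documentation. The unit and procedure names, the file names and their deployment to the documents folder are assumptions, and the certificate file format the backend expects is not stated on this page.

```delphi
unit SecureTlsSetup; // hypothetical unit name for this example

interface

uses
  System.SysUtils, System.IOUtils,
  {$IFDEF ANDROID} Androidapi.JNI.Os, {$ENDIF}
  sgcWebSocket, sgcWebSocket_Types;

// Configures TLS for a server signed by a private CA, with a client certificate.
// The caller sets Active := True afterwards.
procedure ConfigurePrivateCaTls(AClient: TsgcWebSocketClient;
  const AHost, AClientCertPassword: string);

implementation

procedure ConfigurePrivateCaTls(AClient: TsgcWebSocketClient;
  const AHost, AClientCertPassword: string);
var
  CaFile, ClientCert: string;
begin
  // Placeholder file names, assumed to be deployed to the app's documents folder.
  CaFile := TPath.Combine(TPath.GetDocumentsPath, 'private-ca.pem');
  ClientCert := TPath.Combine(TPath.GetDocumentsPath, 'client-cert.pem');

  // Fail closed: a missing CA file must not become a reason to disable validation.
  if not TFile.Exists(CaFile) then
    raise EFileNotFoundException.Create('Private CA file not deployed: ' + CaFile);

  AClient.TLS := True;
  {$IFDEF ANDROID}
  AClient.TLSOptions.IOHandler := iohAndroidTLS;
  {$ELSE}
  AClient.TLSOptions.IOHandler := iohOpenSSL;
  {$ENDIF}
  AClient.TLSOptions.VerifyCertificate := True;        // keep peer validation on
  AClient.TLSOptions.RootCertFile := CaFile;           // trust the private authority
  AClient.TLSOptions.CertFile := ClientCert;           // client certificate
  AClient.TLSOptions.Password := AClientCertPassword;  // from the caller, not hard-coded

  {$IFDEF ANDROID}
  // ALPN is supported on Android 10 (API 29) and later; skip it on older devices.
  if TJBuild_VERSION.JavaClass.SDK_INT >= 29 then
    AClient.TLSOptions.ALPNProtocols.Add('http/1.1');
  {$ENDIF}

  AClient.Host := AHost;
  AClient.Port := 443;
end;

end.
```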
Works with the components you already use
The backend is wired into the shared TLSOptions, so it is not limited to the WebSocket client. The TCP and HTTP/2 clients and the other components that expose TLSOptions select it the same way. If your code already sets TLSOptions, adding native Android TLS is a single assignment, with no change to how you open the connection, send or receive.
The same idea on Apple
If you target iOS or macOS as well, the companion iohAppleTLS backend does the same job there: it uses Apple's own TLS, with no OpenSSL .dylib to deploy, and it reaches TLS 1.3 through Network.framework. The pattern is identical: you just pick the native handler per platform. You can read the details on the Native Apple TLS page.
Availability
Native Android TLS (iohAndroidTLS) ships in the Enterprise edition of sgcWebSockets. For the full breakdown of the four TLS backends (OpenSSL on every platform, SChannel on Windows, and the native Android and Apple handlers), see the SSL / TLS section and the Native Android TLS page.
Download from the sgcWebSockets download page, or grab it through GetIt or your registered account.
Questions, feedback or help moving an Android app off OpenSSL? Get in touch, and you will get a reply from the people who wrote the code.
