diff --git a/.env.template b/.env.template
index dfaf83a2..9e030710 100644
--- a/.env.template
+++ b/.env.template
@@ -355,6 +355,7 @@
 ## - "ssh-agent": Enable SSH agent support on Desktop. (Needs desktop >=2024.12.0)
 ## - "anon-addy-self-host-alias": Enable configuring self-hosted Anon Addy alias generator. (Needs Android >=2025.2.0)
 ## - "simple-login-self-host-alias": Enable configuring self-hosted Simple Login alias generator. (Needs Android >=2025.2.0)
+## - "mutual-tls": Enable the use of mutual TLS on Android (Client >= 2025.2.0)
 # EXPERIMENTAL_CLIENT_FEATURE_FLAGS=fido2-vault-credentials
 
 ## Require new device emails. When a user logs in an email is required to be sent.
diff --git a/Cargo.lock b/Cargo.lock
index 9db5a23c..72728273 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -2972,9 +2972,9 @@ dependencies = [
 
 [[package]]
 name = "ring"
-version = "0.17.11"
+version = "0.17.13"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "da5349ae27d3887ca812fb375b45a4fbb36d8d12d2df394968cd86e35683fe73"
+checksum = "70ac5d832aa16abd7d1def883a8545280c20a60f523a370aa3a9617c2b8550ee"
 dependencies = [
  "cc",
  "cfg-if",
@@ -4142,6 +4142,7 @@ dependencies = [
  "semver",
  "serde",
  "serde_json",
+ "subtle",
  "syslog",
  "time",
  "tokio",
diff --git a/Cargo.toml b/Cargo.toml
index 68ef1866..8fdd6866 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -90,7 +90,8 @@ libsqlite3-sys = { version = "0.31.0", features = ["bundled"], optional = true }
 
 # Crypto-related libraries
 rand = "0.9.0"
-ring = "0.17.11"
+ring = "0.17.13"
+subtle = "2.6.1"
 
 # UUID generation
 uuid = { version = "1.14.0", features = ["v4"] }
diff --git a/src/config.rs b/src/config.rs
index e1186ec0..ae6a0a7e 100644
--- a/src/config.rs
+++ b/src/config.rs
@@ -839,11 +839,12 @@ fn validate_config(cfg: &ConfigItems) -> Result<(), Error> {
 "browser-fileless-import",
 "extension-refresh",
 "fido2-vault-credentials",
-"inline-menu-positioning-improvements",
+"inline-menu-positioning-improvements",
 "ssh-key-vault-item",
 "ssh-agent",
 "anon-addy-self-host-alias",
 "simple-login-self-host-alias",
+"mutual-tls",
 ];
 let configured_flags = parse_experimental_client_feature_flags(&cfg.experimental_client_feature_flags);
 let invalid_flags: Vec<_> = configured_flags.keys().filter(|flag| !KNOWN_FLAGS.contains(&flag.as_str())).collect();
diff --git a/src/crypto.rs b/src/crypto.rs
index 5ab8f1fb..ada0a26a 100644
--- a/src/crypto.rs
+++ b/src/crypto.rs
@@ -110,7 +110,6 @@ pub fn generate_api_key() -> String {
 // Constant time compare
 //
 pub fn ct_eq, U: AsRef<[u8]>>(a: T, b: U) -> bool {
-    use ring::constant_time::verify_slices_are_equal;
-
-    verify_slices_are_equal(a.as_ref(), b.as_ref()).is_ok()
+    use subtle::ConstantTimeEq;
+    a.as_ref().ct_eq(b.as_ref()).into()
 }
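Review bot: The `// Constant time compare` header kept above `ct_eq` does not say that the new `a.as_ref().ct_eq(b.as_ref())` short-circuits to `false` when the two slices differ in length (subtle's slice impl of ConstantTimeEq documents this, and ring's verify_slices_are_equal behaved the same way), so only the contents are compared in constant time, not the length. I would turn the two header lines into a doc comment: `/// Constant-time equality for byte slices (via subtle::ConstantTimeEq). Slices of differing length return false immediately, so the length of the compared secret is not hidden from timing and callers must treat it as public.` The trailing `.into()` picks `From<Choice> for bool` purely from the function's return type, which is fine but worth a one-word comment for readers unfamiliar with subtle's `Choice`. The signature line appears garbled in this extract (the first generic parameter before `, U: AsRef<[u8]>` is missing), presumably a rendering artifact rather than the committed text.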