More and more hackers are targeting mobile applications, and the number grows every day, because mobile applications contain things hackers are interested in, such as user data. Hard-coded security keys (embedded in the code, where they cannot be changed), personal information stored in plain text on the SD card, usernames and passwords stored unencrypted in a database, and collected analytics sent to a remote server in plain text all make attacks easier to carry out successfully.
Used properly, cryptographic tools protect sensitive data and ensure privacy and data integrity. On the other hand, cryptography is hard to use and easy to misuse. Be aware of broken cryptography (e.g., using insecure algorithms, or hard-coding keys into binary packages); see the list of the top 10 mobile risks in 2014. So what is the lesson? Not using encryption is inadvisable, but so is using encryption incorrectly (not to mention the time wasted on it).
To help you develop secure applications on the Android platform, we will next show how to perform encryption easily and securely.
First, let’s briefly introduce some common encryption libraries that can be integrated into Android applications. A cryptographic library is a collection of cryptographic tools that includes tools such as encryption algorithms, padding methods, and hash functions.
Bouncy Castle
The Legion of the Bouncy Castle is a charity from Australia. They wrote Bouncy Castle, a widely used class library. The library provides both a lightweight cryptography API and a provider for the Java Cryptography Extension (JCE). The Android platform already ships with a stripped-down, older version of Bouncy Castle (with some minor changes to adapt it to Android). As a result, any attempt to build and use the latest version of the Bouncy Castle library in an application causes a class loading conflict.
Spongy Castle
The motivation behind Spongy Castle is to allow Android developers to use any version of the BouncyCastle library in their applications. SpongyCastle is a simple repackage of the latest version of BouncyCastle; all org.bouncycastle.* packages are renamed to org.spongycastle.*, and the names of all Java security API providers are changed from BC to SC.
OpenSSL
OpenSSL is an open source toolkit that implements the SSL and TLS protocols together with a general-purpose cryptographic library. OpenSSL has been ported to many platforms, including Android. As an alternative, you can build it from source (using the Android NDK) and then bundle it into your application.
Now let’s assume that your application needs to encrypt some data. Which encryption algorithm will you use, AES or DES? How long is your secret key, 128 or 256 bits? Which encryption mode will you use, ECB or CBC? If you have no answer to any of these questions, or no good reason for your answer, you are in the awkward position of having all the tools you want without being sure which one to use or how to use it.
This is where the "cryptography for dummies" toolkits come into play. These toolkits do not implement any fancy cryptographic functionality, nor do they attempt to replace any of the cryptography libraries mentioned above; instead, they are built on top of these libraries with the sole purpose of making cryptographic functionality easier and more secure to use.
Unlike general-purpose cryptography libraries, these toolkits usually support only a subset of algorithms, modes, constructions, and parameters. They give you reasonable defaults for common cryptographic tasks, for cases where you know what you want but not how to do it, or where you simply care about ending up with a secure solution. Let's examine a few of these toolkits to better understand how they work.
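To make the questions above (algorithm, key length, mode) concrete, the following added example, which is not code from the original article or from any of the toolkits, contrasts ECB with the kind of defaults such a toolkit applies for you. It uses only the standard JCE classes; the class and method names (SafeDefaultsDemo, seal, open) and the choice of AES-256-GCM are assumptions made for illustration.

```java
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;

public class SafeDefaultsDemo {                       // hypothetical name
    private static final SecureRandom RNG = new SecureRandom();

    // Toolkit-style seal: fresh random 96-bit IV per message, AES-GCM, IV prepended.
    static byte[] seal(SecretKey key, byte[] plain) throws Exception {
        byte[] iv = new byte[12];
        RNG.nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, iv));
        byte[] ct = c.doFinal(plain);
        byte[] out = Arrays.copyOf(iv, iv.length + ct.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return out;
    }

    // Throws AEADBadTagException if the IV, ciphertext or tag was modified.
    static byte[] open(SecretKey key, byte[] sealed) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, sealed, 0, 12));
        return c.doFinal(sealed, 12, sealed.length - 12);
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);                                 // generated at run time, never hard-coded
        SecretKey key = kg.generateKey();
        // Constructed sample input: two identical 16-byte blocks.
        byte[] msg = "user=alice;pin=1user=alice;pin=1".getBytes(StandardCharsets.UTF_8);
        // Weak choice: ECB maps equal plaintext blocks to equal ciphertext blocks.
        Cipher ecb = Cipher.getInstance("AES/ECB/PKCS5Padding");
        ecb.init(Cipher.ENCRYPT_MODE, key);
        byte[] e = ecb.doFinal(msg);
        boolean leak = Arrays.equals(Arrays.copyOfRange(e, 0, 16), Arrays.copyOfRange(e, 16, 32));
        System.out.println("ECB repeats blocks: " + leak);
        byte[] a = seal(key, msg), b = seal(key, msg);
        System.out.println("GCM outputs differ: " + !Arrays.equals(a, b));
        System.out.println("Round trip ok: " + Arrays.equals(msg, open(key, a)));
        a[a.length - 1] ^= 1;                         // simulate modification of stored data
        try { open(key, a); System.out.println("Tampering accepted"); }
        catch (AEADBadTagException ex) { System.out.println("Tampering detected"); }
    }
}
```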
Keyczar
Keyczar is an open source toolkit originally developed by two members of the Google Security Team. It is implemented in Java, Python and C++. It supports authentication and encryption with both symmetric and asymmetric keys. Keyczar provides secure defaults, including algorithms, key lengths and modes, key rotation and versioning, and automatic generation of initialization vectors and authentication codes, and it supports internationalization. The toolkit is built on JCE and uses Spongy Castle's security provider.
AeroGear Crypto
AeroGear Crypto is a small Java library provided by AeroGear. It supports authenticated symmetric encryption, elliptic curve cryptography, and password-based key derivation. It also allows the algorithm to be specified explicitly. AeroGear Crypto depends on Spongy Castle on the Android platform and on Bouncy Castle on other platforms. The library is also available on iOS, Windows Phone and Cordova.
Conceal
Facebook developed Conceal to encrypt and authenticate large files on SD cards quickly while using very little memory. Conceal performs both authentication and encryption, and also provides key management by default. It uses OpenSSL, but includes only the parts it needs, so its size is only 85KB. Results published on the Conceal site show it to be better than Bouncy Castle.
The following table summarizes the encryption libraries introduced above. Please note: all of the libraries described above allow cryptography novices to encrypt securely, but advanced developers are free to override these defaults and specify all the encryption details themselves (just as they would with any other cryptographic library).

Crypto Library    Development Company    License
AeroGear Crypto   AeroGear               Apache 2.0
Conceal           Facebook               BSD
Keyczar           –                      Apache 2.0

Summary
If you are a mobile application developer, you have to spend time and effort making your application user-friendly, feature-rich, and eye-catching, but don’t forget to improve its security as well. If you don’t know how to get started, or are worried about not getting it right, choose one of the toolkits mentioned in this article. Whichever encryption tool you decide to use, avoid implementing encryption algorithms and protocols yourself; use only algorithms and protocols that are widely used, generally recognized, and tested.