I would like to encrypt and decrypt data using public/private key pairs in a native Java app for Android. I am having trouble wading through old posts / documentation.

From my understanding:

  • Early versions of Android used a crippled version of the Bouncy Castle encryption libraries. In particular it did not include the elliptic curve methods.

  • Elliptic curve cryptography is the way to go on mobile devices because a smaller key size means less computation and/or more security.

  • People suggested including your own copy of the Bouncy Castle libraries to get full functionality, except renaming the packages (or using Spongy Castle, which is Bouncy Castle with renamed packages).

  • Later versions of Android changed in a way that allows one to use Bouncy Castle without renaming packages.

  • Even later versions of Android began including Bouncy Castle with full functionality.

So the question is: as of June 2014, how should one encrypt data on Android?

Are there any simple projects on github doing things the "right way"?

latj
    I have voted to close this question for a few reasons. First, it is too broad; cryptography and its uses are extremely varied, even if you narrow it down to how do you encrypt "data" on a mobile device. Persistent data and transmission data, regulated data, etc all have different techniques and practices and recommendations. Further, your question is a "proper way" question, which means it is subjective and is requesting an opinion rather than clear facts. Finally, you are asking for samples from the Internet or a favorite off-site resource, which has been deemed off-topic on StackOverflow. – Michael J. Gray Jun 02 '14 at 22:23
    "Later versions of Android changed in a way that allow one to use bouncy castle without renaming packages" -- I am not aware that this is the case. "Even later versions of Android began including bouncy castle with full functionality" -- Bouncy Castle is still not part of the Android SDK and therefore developers should be making **no** assumptions about it. And, beyond all the problems Mr. Gray cited, you have not stated who you are defending against, who all the parties are that are involved in the public/private key exchange, etc. – CommonsWare Jun 02 '14 at 22:34
  • This is too broad, but for asymmetric encryption, using RSA 4096 with OAEP padding or 256 bit ECIES should protect you for a while. Note that I have come to understand that EC computation in Bouncy is *currently* sub-optimal. – Maarten Bodewes Jun 02 '14 at 23:40

1 Answer


I've recently researched the encryption subject and came upon three methods:

1) Use the default Java / Android implementation (I suppose the one you mentioned), the Java Crypto API: http://docs.oracle.com/javase/7/docs/api/javax/crypto/package-summary.html + http://developer.android.com/reference/javax/crypto/package-summary.html

2) Use the recently made available Facebook library Conceal: http://facebook.github.io/conceal/

3) Use the OpenSSL API (using the NDK): http://wiki.openssl.org/index.php/Android

Finding the best will be a hard / subjective answer.

greven
  • Thanks greven! I'll look at those options. I guess we're not allowed to talk about this on Stack Overflow so I will look for another forum to discuss it. – latj Jun 02 '14 at 23:41
  • "Many good questions generate some degree of opinion based on expert experience, but answers to this question will tend to be almost entirely based on opinions, rather than facts, references, or specific expertise. If this question can be reworded to fit the rules in the help center, please edit the question or leave a comment." They want you to be more specific about the purpose of your encryption, what specific problem you are trying to solve. Just asking whats the best way to encrypt data is like asking what's the best smartphone, or what's the best car. Gets nowhere. – Dave S Jun 03 '14 at 18:20
  • Your analogies are weak but lets take the smartphone example. Imagine someone has been in prison for the last 20 years and when they got out they ask you, "What's the best smartphone?" You could respond by saying "At this point most people clump up into two groups based on the phones OS- IOS or Android. Android is superior because a b and c. Although IOS people argue d e and f. Specifically, Nexus 5 is currently the best phone for me because x, y, and z" Or you could look them dead in the eyes and say "CANNOT ANSWER QUESTION. NOT. ENOUGH. INFORMATION." Which is more useful? – latj Jul 12 '14 at 01:34
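As an added example (not code from the question, the answer, or any library mentioned above), here is the answer's method 1, the standard `javax.crypto` API with no third-party provider, used the way the question asks: encrypt data for a public key, decrypt it with the matching private key. It follows the RSA-with-OAEP suggestion in the comments on the question. Since RSA-OAEP can only encrypt a message shorter than the modulus, the data itself goes under a fresh AES-256-GCM key and only that key is RSA-wrapped (hybrid encryption). The class name `HybridRsaExample`, the wire layout, the 3072-bit key size and the sample plaintext are my own choices, not anything the page specifies.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.spec.MGF1ParameterSpec;
import java.util.Arrays;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.OAEPParameterSpec;
import javax.crypto.spec.PSource;
import javax.crypto.spec.SecretKeySpec;

// Added example: hybrid RSA-OAEP + AES-GCM encryption with plain JCA (assumed names, not from the page).
public class HybridRsaExample {
    // Spell out the full transformation: a bare "RSA" may default to PKCS#1 v1.5 on some providers.
    private static final String RSA_TRANSFORM = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding";
    // Pin the MGF1 digest explicitly; providers disagree on what "OAEPWithSHA-256" implies for MGF1.
    private static final OAEPParameterSpec OAEP_PARAMS = new OAEPParameterSpec(
            "SHA-256", "MGF1", MGF1ParameterSpec.SHA256, PSource.PSpecified.DEFAULT);
    private static final String AES_TRANSFORM = "AES/GCM/NoPadding";
    private static final int GCM_IV_BYTES = 12;   // 96-bit nonce, the size GCM is specified for
    private static final int GCM_TAG_BITS = 128;

    // Wire format (assumed): [4-byte wrappedKeyLen][wrapped AES key][12-byte IV][GCM ciphertext || tag]
    public static byte[] encrypt(PublicKey recipient, byte[] plaintext) throws Exception {
        SecureRandom rng = new SecureRandom();
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256, rng);
        SecretKey dek = kg.generateKey();          // fresh data-encryption key per message

        byte[] iv = new byte[GCM_IV_BYTES];
        rng.nextBytes(iv);                         // never reuse an IV under the same AES key
        Cipher aes = Cipher.getInstance(AES_TRANSFORM);
        aes.init(Cipher.ENCRYPT_MODE, dek, new GCMParameterSpec(GCM_TAG_BITS, iv));
        byte[] ct = aes.doFinal(plaintext);        // ciphertext with the 16-byte tag appended

        Cipher rsa = Cipher.getInstance(RSA_TRANSFORM);
        rsa.init(Cipher.ENCRYPT_MODE, recipient, OAEP_PARAMS);
        byte[] wrapped = rsa.doFinal(dek.getEncoded());

        ByteBuffer out = ByteBuffer.allocate(4 + wrapped.length + iv.length + ct.length);
        out.putInt(wrapped.length).put(wrapped).put(iv).put(ct);
        return out.array();
    }

    public static byte[] decrypt(PrivateKey recipient, byte[] message) throws Exception {
        ByteBuffer in = ByteBuffer.wrap(message);
        if (in.remaining() < 4) throw new IllegalArgumentException("malformed message");
        int wrappedLen = in.getInt();
        // Bounds check before allocating: a hostile length must not turn into a huge allocation.
        if (wrappedLen <= 0 || wrappedLen > in.remaining() - GCM_IV_BYTES) {
            throw new IllegalArgumentException("malformed message");
        }
        byte[] wrapped = new byte[wrappedLen]; in.get(wrapped);
        byte[] iv = new byte[GCM_IV_BYTES];    in.get(iv);
        byte[] ct = new byte[in.remaining()];  in.get(ct);

        Cipher rsa = Cipher.getInstance(RSA_TRANSFORM);
        rsa.init(Cipher.DECRYPT_MODE, recipient, OAEP_PARAMS);
        SecretKey dek = new SecretKeySpec(rsa.doFinal(wrapped), "AES");

        Cipher aes = Cipher.getInstance(AES_TRANSFORM);
        aes.init(Cipher.DECRYPT_MODE, dek, new GCMParameterSpec(GCM_TAG_BITS, iv));
        return aes.doFinal(ct);                    // throws AEADBadTagException on any tampering
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(3072);
        KeyPair kp = kpg.generateKeyPair();

        byte[] msg = "constructed sample plaintext".getBytes(StandardCharsets.UTF_8);
        byte[] ct = encrypt(kp.getPublic(), msg);
        byte[] pt = decrypt(kp.getPrivate(), ct);
        System.out.println(Arrays.equals(msg, pt) ? "round trip ok" : "MISMATCH");

        // Flip one ciphertext byte: the GCM tag check must reject it rather than return garbage.
        ct[ct.length - 1] ^= 1;
        try {
            decrypt(kp.getPrivate(), ct);
            System.out.println("tamper NOT detected");
        } catch (AEADBadTagException e) {
            System.out.println("tamper detected");
        }
    }
}
```

Two Android caveats worth knowing before copying this: `GCMParameterSpec` only exists from API level 19, and the explicit `OAEPParameterSpec` is there because Bouncy Castle and Oracle's provider pick different MGF1 digests for the same transformation string, so ciphertext produced on one side can fail to decrypt on the other unless both pin the parameters. The elliptic-curve route the question asks about would keep the AES-GCM half unchanged and replace the RSA wrap with an ECDH `KeyAgreement` plus a key-derivation step you supply; plain JCA on Android does not ship ECIES as a `Cipher`.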