0

I'm developing an Android application that communicates with my device(ARM based device with bluetooth module) via bluetooth using TLS(TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256). What I considered:

  1. javax.net.ssl from Android. Problem is that ephemeral(ECDHE) encryption keys are starting from API 20 but I need API 11. I didn't find a way to add suite. It seems that this library is strongly related to android version. API versions and overview
  2. Bouncycastle(spongycastle) I didn't find a way to use it without creating a socket. I need something like in/out streams so I could use it not with the network connection. Also I didn't find TLS/SSL at all.
  3. Implementing everything by myself. I could take all algorithms from selected suite and implement protocol by myself but I don't know what I don't know and I'm afraid to screw up security. I don't know if it's a good practice to do such a thing(may be it's high level enough so it's not very dangerous to implement it by myself)

My question is: which libraries could you recommend for TLS? Is it a good way to implement the protocol(not algorithms) by myself?

Community
  • 1
  • 1
dc914337
  • 415
  • 4
  • 14
  • 1
    First of all, the API 11 dates back to 2011. That means it is about 5 years out of date. In that time vulnerabilities such as a bad random number generator have been fixed. Using such an old API / runtime for security sensitive applications is a terribly bad idea. Bouncy (or Spongy) Castle should contain TLS ciphersuites. It's probably best to utilize those and rewrite them to use without sockets if that's required (in the end you just need streams, so that should not be too hard). – Maarten Bodewes Jul 17 '16 at 20:43
  • Thank you for your answer. I Looked at TlsClientProtocol and it receives streams. So it's my fault because I was sure that I saw that it worked with sockets only. Android supports needed suite from API 20. I need compatibility with old android devices. Please, can you give me a link on vulnerabilitiy that you mentioned? In which API version it was fixed? And can I just use another SecureRandom implementation to fix it? – dc914337 Jul 18 '16 at 03:48
  • 1
    Well, [this one](http://android-developers.blogspot.nl/2013/08/some-securerandom-thoughts.html) among others. Note that that makes both the OpenSSL as well as the Java Harmony based one vulnerable. You can override SecureRandom or use a SecureRandom implementation from e.g. Bouncy Castle. But basically you should keep up to date. – Maarten Bodewes Jul 18 '16 at 20:28

0 Answers0